China Upgrades the Backdoor It Uses to Spy on Telcos Globally
Chinese APT Red Menshen's super-advanced BPFdoor malware defeats traditional cybersecurity protections. All telcos can do, really, is try hunting it down.
Nate Nelson, Contributing Writer
March 27, 2026
5 Min Read
Chinese threat actors have been tinkering with a state-of-the-art backdoor called "BPFdoor," modifying it to more stealthily maintain persistence inside of the most sensitive parts of global telecommunications systems, plus other high-level government and critical infrastructure networks.
BPFdoor was already one of the world's most sophisticated malware implants before it was upgraded. Its signature trick was to lie dormant inside a Linux kernel, doing nothing interesting or even observable, while passively using the Berkeley Packet Filter (BPF) to inspect incoming network traffic for a specially crafted activation message.
Researchers at Rapid7 now report that the Chinese advanced persistent threat (APT) behind BPFdoor, Red Menshen, has modified that listening system. Since around last November, it's also tacked on a few more stealthy tricks to help BPFdoor stay even quieter, and get closer to the heart of telecommunications subscriber traffic worldwide.
In addition to known targets in the Middle East and Africa, "We have confirmed victims in the Asia-Pacific (APAC) and in Europe — I dare say this is definitely global," Christiaan Beek, vice president of cyber intelligence at Rapid7, tells Dark Reading. He adds that, perhaps due to the malware's runaway success, "where we thought initially it was mostly focused on telcos, we also now have confirmation from [victimized] government networks, critical infrastructure networks, and defense networks."
An Ultra-Advanced Telecom Backdoor
Even BPFdoor's remarkably subtle and efficient BPF listening technique isn't good enough for Red Menshen anymore. Now, instead of looking for a magic packet in any sort of network packet, the malware only looks for its trigger phrase in innocuous Hypertext Transfer Protocol Secure (HTTPS) requests.
"They are actually weaponizing our firewalls against us, and we're letting the traffic through," Beek concedes. Firewalls and traffic inspection tools can't reasonably block HTTPS, and even when the request is decrypted, it'll look normal to a human observer or security tool. "So that was a really smart move on [their part] — hiding themselves in that kind of Transport Layer Security (TLS) traffic, so the moment you unpack it, it will actually pass through easily," he says.
BPFdoor is also specially tuned to know when a malicious message is coming through. It looks specifically at the 26th byte offset of the incoming request, and if its trigger appears at that exact location, it knows it's being summoned.
The trigger phrase is arguably not even BPFdoor's most subtle, highly controlled trick. At an even more granular level, Red Menshen can direct orders to specific instances of its malware within a network, using a lightweight Internet Control Message Protocol (ICMP) control channel.
It works like this: Let's say that Red Menshen has compromised more than one server in a target network. It could connect and forward instructions to each individual server using a command-and-control (C2) setup, but that would be loud. Theoretically, they could also include data in the activation packet that routes instructions to the desired instance, but that would make the packet more bloated and potentially detectable. So, instead, the malware uses the innocuous ICMP pings to transmit instructions between infected machines, using a specific value — 0xFFFFFFFF — to indicate which machine should terminate the propagation and actually execute an action.
"No matter how many hops there are in a network, they know exactly where their next implant in the network is, and they could actually send a command specifically [to any implant] in the traffic," Beek explains. By way of an analogy, he says, "Let's say you have BPFdoor in your living room, and you have BPFdoor in your kitchen. The actor could actually instruct the BPFdoor in the living room that a command is actually intended for BPFdoor in the kitchen."
He adds, "That's unbelievable. It's fascinating — how to hide yourself in ping traffic. They knew exactly where there is some space in the network traffic, where you can put in your [malicious] packets. With all due respect, nobody's tracing how much ping traffic goes beyond the host, or outside of the network."
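One way to start tracing exactly that ping traffic, as an added example that is not Rapid7's or Dark Reading's detection content: flag ICMP echo requests between servers that are not in a known-good baseline or carry a non-default payload size. The record format, the server segment and the payload length are assumptions; the flow records are constructed.

```python
"""Flag east-west ICMP echo requests between servers, the kind of traffic the relay
channel described above would ride on. Added example, not Rapid7's detection content;
record format, server segment and thresholds are assumptions to adapt to your telemetry."""
from collections import defaultdict
import ipaddress

# Constructed sample flow records: timestamp src dst icmp_type payload_len
SAMPLE_FLOWS = """\
2026-03-01T10:00:01 10.20.1.15 10.20.1.20 8 56
2026-03-01T10:00:02 10.20.1.15 10.20.1.20 8 56
2026-03-01T10:00:03 10.20.1.20 10.20.1.15 0 56
2026-03-01T10:00:05 10.20.1.20 10.20.1.31 8 120
2026-03-01T10:00:07 10.20.1.31 10.20.1.20 0 120
2026-03-01T10:01:00 10.20.1.15 203.0.113.5 8 56
"""

SERVER_NETS = [ipaddress.ip_network("10.20.1.0/24")]   # assumed server segment
STD_ECHO_LEN = 56                                      # default Linux ping payload size

def parse_flows(text):
    """Parse records into (src, dst, icmp_type, payload_len) tuples."""
    flows = []
    for line in text.splitlines():
        _ts, src, dst, typ, plen = line.split()
        flows.append((src, dst, int(typ), int(plen)))
    return flows

def is_server(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SERVER_NETS)

def suspicious_pairs(flows, baseline_pairs):
    """Return {(src, dst): set(reasons)} for echo requests (type 8) between servers
    that are not in the known-good baseline or carry a non-default payload length.
    Servers rarely ping each other routinely, so a small baseline keeps this quiet."""
    findings = defaultdict(set)
    for src, dst, typ, plen in flows:
        if typ != 8 or not (is_server(src) and is_server(dst)):
            continue                                    # ignore replies and north-south
        if (src, dst) not in baseline_pairs:
            findings[(src, dst)].add("pair not in baseline")
        if plen != STD_ECHO_LEN:
            findings[(src, dst)].add(f"payload {plen} bytes, expected {STD_ECHO_LEN}")
    return dict(findings)
```

The baseline is the set of server pairs that are known to ping each other legitimately (monitoring probes, clustering heartbeats); everything else east-west is a lead to investigate.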
China vs. Telcos: An Unfair Cyber Fight
Red Menshen attacks are characterized by an unusual diligence and knowledge of their targets' infrastructure.
Beek thinks that "they do an extremely good job at reconnaissance in their victims' networks. And they know so much about the inner workings of telco infrastructure. So the moment they are inside, and they find certain equipment, they know exactly how it works. And that it's interconnected, and then they can move really fast [to other parts of the network]. We found custom sniffers, custom tooling to intercept usernames and passwords — very highly sophisticated operations."
The detail with which the attackers understand and adapt to their targets' systems is exceptional. For instance, cyber researchers call it "advanced" when malware mimics ordinary system processes to try to evade detection. Red Menshen goes a step further. It knows that telcos, particularly in Europe and Asia, are known to use HPE ProLiant servers, and that telcos worldwide are increasingly using Kubernetes to serve 5G. So nowadays BPFdoor disguises itself using legitimate service names and process behaviors associated with HPE ProLiant servers, or Kubernetes, as applicable.
Between the passive listening, the covert messaging, the process mimicking, and more, BPFdoor is a league beyond what most cybersecurity solutions can hope to detect and stop. Beek's suggestion, instead, is that operators need to just go out and hunt this thing down.
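One such hunt, as an added example that is not Rapid7's or Dark Reading's code: enumerate which Linux processes hold AF_PACKET sockets, the socket type a passive BPF packet listener needs, by joining /proc/net/packet to /proc/<pid>/fd. The /proc layout is real; the sample /proc/net/packet content and the process names in the test are constructed.

```python
"""Hunt for Linux processes holding AF_PACKET sockets, the socket type a passive
BPF packet listener needs. Added example for this article, not Rapid7's tooling.
Legitimate holders exist (dhclient, tcpdump, monitoring agents): review, don't auto-block."""
import os
import re

# Constructed sample of /proc/net/packet (columns: sk RefCnt Type Proto Iface R Rmem User Inode)
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   0     1 0      0      21904
0000000000000000 3      3    0800   2     1 0      0      22118
"""

def parse_packet_sockets(text):
    """Return one dict per AF_PACKET socket: type, ethertype (proto), uid, inode."""
    sockets = []
    for line in text.splitlines()[1:]:              # skip header row
        f = line.split()
        if len(f) >= 9:
            sockets.append({"type": int(f[2]), "proto": int(f[3], 16),
                            "uid": int(f[7]), "inode": int(f[8])})
    return sockets

def socket_owners(proc_root="/proc"):
    """Map socket inode -> set of (pid, comm) by reading /proc/<pid>/fd symlinks."""
    owners = {}
    for pid in (p for p in os.listdir(proc_root) if p.isdigit()):
        try:
            comm = open(f"{proc_root}/{pid}/comm").read().strip()
            fds = os.listdir(f"{proc_root}/{pid}/fd")
        except OSError:                              # process exited, or not ours
            continue
        for fd in fds:
            try:
                link = os.readlink(f"{proc_root}/{pid}/fd/{fd}")
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", link)
            if m:
                owners.setdefault(int(m.group(1)), set()).add((int(pid), comm))
    return owners

def find_raw_listeners(packet_text, owners):
    """Join sockets to owning processes. proto 0x0003 (ETH_P_ALL) receives every frame,
    which is what a passive magic-packet listener wants; an unresolved inode is itself a lead."""
    hits = []
    for s in parse_packet_sockets(packet_text):
        for pid, comm in sorted(owners.get(s["inode"], {(None, "<unknown>")})):
            hits.append({"pid": pid, "comm": comm, "proto": s["proto"], "uid": s["uid"]})
    return hits
```

A live run is `find_raw_listeners(open("/proc/net/packet").read(), socket_owners())`, which needs root to resolve sockets owned by other users.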
The first step in that process, of course, is actually knowing about its existence. Surprisingly, even though the malware is some years old now, it isn't as famous as it deserves to be.
"Honestly, when I spoke to different telcos, they were quite unaware of this threat, and also the implications of it," Beek says. "I think that the bigger picture here is: Are you really anticipating these threats?"
About the Author
Nate Nelson
Contributing Writer
Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.