
A long-term, ongoing campaign attributed to China-linked threat actors has infiltrated communications networks to conduct espionage against government networks.
This strategic effort to embed and maintain stealthy access mechanisms within critical environments is believed to be the work of Red Menshen, a threat cluster also tracked as Earth Bluecrow, DecisiveArchitect, and Red Dev 18. The group has a track record of attacking telecommunications providers in the Middle East and Asia since at least 2021.
Rapid7 described this covert access mechanism as “some of the stealthiest digital sleeper cells” ever encountered in telecommunications networks.
This campaign features the use of kernel-level implants, passive backdoors, credential harvesting utilities, and cross-platform command frameworks that allow the threat actors to maintain a persistent presence on targeted networks. One of the most well-known tools in its malware arsenal is a Linux backdoor called BPFDoor.
“Unlike traditional malware, BPFdoor does not expose listening ports or maintain visible command and control channels,” Rapid7 Labs said in a report shared with The Hacker News. “Instead, it exploits the Berkeley Packet Filter (BPF) feature to inspect network traffic directly within the kernel and only activates when a specially crafted trigger packet is received.”
“There are no persistent listeners or obvious beacons. The result is a hidden trapdoor embedded within the operating system itself.”
The attack chain begins with threat actors targeting and gaining initial access to internet-connected infrastructure and exposed edge services such as VPN appliances, firewalls, and web connectivity platforms associated with Ivanti, Cisco, Juniper Networks, Fortinet, VMware, Palo Alto Networks, and Apache Struts.
Once a foothold is established, a Linux-compatible beacon framework such as CrossC2 is deployed to facilitate post-exploitation activities. Also deployed are Sliver, TinyShell (a Unix backdoor), keyloggers, and brute-force utilities that support credential collection and lateral movement.
But at the heart of Red Menshen’s operations is BPFDoor. It features two different components. One is a passive backdoor deployed on compromised Linux systems that inspects incoming traffic for predefined “magic” packets by installing a BPF filter and spawning a remote shell upon receipt of such packets. Another important part of the framework is the controller, which is managed by the attacker and is responsible for sending specially formatted packets.
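As an added illustration from the defender's side (not Rapid7's tooling or any code from the report), the script below shows one way to surface the passive packet sockets that an implant of this kind relies on instead of a listening port: it parses /proc/net/packet, which lists AF_PACKET sockets, and maps each socket inode back to its owning PID through the /proc/<pid>/fd links. The sample table, PID map and allow-list values are constructed.

```python
"""Hunt for passive raw-socket sniffers (BPFDoor style) via /proc.

Added example, not Rapid7's code. A BPFDoor-style implant opens no
listening TCP/UDP port; it holds an AF_PACKET raw socket with a BPF
filter attached, which is visible in /proc/net/packet. Mapping those
sockets back to PIDs lets an analyst review the sniffing process."""
import os
import re
from typing import Dict, List

SOCK_RAW = 3  # value of the Type column for raw packet sockets


def parse_proc_net_packet(text: str) -> List[dict]:
    """Parse the /proc/net/packet table (header line skipped) into dicts."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 9:
            continue  # malformed or blank line
        rows.append({"type": int(f[2]), "proto": int(f[3], 16),
                     "ifindex": int(f[4]), "uid": int(f[7]), "inode": int(f[8])})
    return rows


def socket_owners(proc_root: str = "/proc") -> Dict[int, List[int]]:
    """Map socket inode -> PIDs holding it, by reading /proc/<pid>/fd links."""
    owners: Dict[int, List[int]] = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue  # process exited, or not readable without root
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners.setdefault(int(m.group(1)), []).append(int(pid))
    return owners


def suspicious_raw_sockets(packet_table: str, owners: Dict[int, List[int]],
                           allow_pids=()) -> List[dict]:
    """Return raw AF_PACKET sockets not owned by an allow-listed PID."""
    hits = []
    for s in parse_proc_net_packet(packet_table):
        pids = owners.get(s["inode"], [])
        if s["type"] == SOCK_RAW and not any(p in allow_pids for p in pids):
            hits.append({**s, "pids": pids})
    return hits


if __name__ == "__main__":  # live check; needs root to read every /proc/<pid>/fd
    with open("/proc/net/packet") as fh:
        for hit in suspicious_raw_sockets(fh.read(), socket_owners()):
            print(hit)
```

Legitimate sniffers (DHCP clients, tcpdump, monitoring agents) also hold AF_PACKET sockets, so the result is a review list rather than a verdict; raw AF_INET sockets are listed in /proc/net/raw instead and are not covered here.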

“The controller is designed to work within the victim’s environment itself,” Rapid7 explained. “In this mode, additional implants can be triggered across internal hosts by masquerading as legitimate system processes and sending activation packets or opening local listeners to receive shell connections, effectively allowing controlled lateral movement between compromised systems.”
Additionally, certain BPFDoor artifacts have been found to support the Stream Control Transmission Protocol (SCTP), which could allow attackers to monitor protocols native to telecommunications networks, gain visibility into subscriber behavior and location, and even track individuals of interest.
These aspects demonstrate that BPFDoor’s capabilities go beyond those of a stealthy Linux backdoor. “BPFdoor acts as an embedded access layer within the communications backbone, providing long-term, low-noise visibility into critical network operations,” the security vendor added.
That’s not the end. Previously undocumented variants of BPFDoor incorporate architectural changes that make them more evasive and harder to detect for extended periods in modern corporate and communications environments. These include hiding trigger packets within seemingly legitimate HTTPS traffic and introducing a new parsing mechanism that expects the string “9999” at a fixed byte offset within the request.
This camouflage keeps the magic packet hidden within HTTPS traffic without shifting the position of the data within the request, while the implant continuously checks for markers at specific byte offsets and interprets them, if present, as an activation command.
The newly discovered sample also debuts a “lightweight communication mechanism” that uses Internet Control Message Protocol (ICMP) for communication between two infected hosts.
“These findings reflect the broader evolution of adversarial tradecraft,” Rapid7 said. “Rather than relying solely on user-space malware, attackers are planting implants deep into the computing stack, targeting operating system kernels and infrastructure platforms.”
“A communications environment that combines bare-metal systems, virtualization layers, high-performance appliances, and containerized 4G/5G core components provides an ideal environment for low-noise, long-term persistence. By integrating with formal hardware services and container runtimes, implants can bypass traditional endpoint monitoring and remain undetected for long periods of time.”
