Chinese threat actors have been refining BPFdoor, an already sophisticated backdoor, to maintain stealthier persistence within global telecommunications systems and other high-value targets including government and critical infrastructure networks.
BPFdoor was already among the world's most advanced malware implants before its recent upgrades. Its defining capability is lying dormant on a Linux host and using the kernel's Berkeley Packet Filter (BPF) to passively watch incoming network traffic for a specially crafted activation message, without generating observable activity of its own.
Researchers at Rapid7 report that the Chinese advanced persistent threat (APT) group behind BPFdoor, known as Red Menshen, has enhanced the malware's listening system. Since approximately November, the group has added several stealthy techniques to help BPFdoor remain even more covert while penetrating deeper into telecommunications subscriber traffic worldwide.
Beyond known targets in the Middle East and Africa, "We have confirmed victims in the Asia-Pacific (APAC) and in Europe — I dare say this is definitely global," Christiaan Beek, vice president of cyber intelligence at Rapid7, tells Dark Reading. The malware's success appears to have expanded its scope: "Where we thought initially it was mostly focused on telcos, we also now have confirmation from [victimized] government networks, critical infrastructure networks, and defense networks."
Red Menshen has moved beyond BPFdoor's already subtle BPF listening technique. The updated malware now searches for its trigger phrase exclusively within innocuous Hypertext Transfer Protocol Secure (HTTPS) requests, rather than scanning any network packet type.
"They are actually weaponizing our firewalls against us, and we're letting the traffic through," Beek acknowledges. Firewalls and traffic inspection tools cannot reasonably block HTTPS traffic, and even when decrypted, the requests appear legitimate to human analysts and security tools. "So that was a really smart move on [their part] — hiding themselves in that kind of Transport Layer Security (TLS) traffic, so the moment you unpack it, it will actually pass through easily."
BPFdoor is precisely calibrated to detect when malicious instructions arrive. It examines a fixed position in incoming requests, byte offset 26, and activates only when its trigger appears at exactly that location.
The trigger phrase isn't even BPFdoor's most sophisticated control mechanism. At a more granular level, Red Menshen can direct commands to specific malware instances within a network using a lightweight Internet Control Message Protocol (ICMP) control channel.
The system works as follows: When Red Menshen has compromised multiple servers in a target network, it could connect to each individually using command-and-control (C2) infrastructure, but that would generate detectable traffic. Alternatively, it could embed routing instructions in the activation packet, but that would increase packet size and potential detectability. Instead, the malware uses innocuous ICMP pings to relay instructions between infected machines, using a specific value — 0xFFFFFFFF — to designate which machine should execute an action.
"No matter how many hops there are in a network, they know exactly where their next implant in the network is, and they could actually send a command specifically [to any implant] in the traffic," Beek explains. Using an analogy: "Let's say you have BPFdoor in your living room, and you have BPFdoor in your kitchen. The actor could actually instruct the BPFdoor in the living room that a command is actually intended for BPFdoor in the kitchen."
"That's unbelievable. It's fascinating — how to hide yourself in ping traffic. They knew exactly where there is some space in the network traffic, where you can put in your [malicious] packets. With all due respect, nobody's tracing how much ping traffic goes beyond the host, or outside of the network," he says.
Red Menshen's operations demonstrate exceptional diligence and deep knowledge of its targets' infrastructure.
Beek believes "they do an extremely good job at reconnaissance in their victims' networks. And they know so much about the inner workings of telco infrastructure. So the moment they are inside, and they find certain equipment, they know exactly how it works. And that it's interconnected, and then they can move really fast [to other parts of the network]. We found custom sniffers, custom tooling to intercept usernames and passwords — very highly sophisticated operations."
The attackers' understanding of and adaptation to target systems is exceptional. While cyber researchers consider it "advanced" when malware mimics ordinary system processes to evade detection, Red Menshen goes further. The group knows that telcos, particularly in Europe and Asia, commonly deploy HPE ProLiant servers, and that telcos worldwide increasingly use Kubernetes for 5G services. Current BPFdoor variants disguise themselves using legitimate service names and process behaviors associated with HPE ProLiant servers or Kubernetes, depending on the environment.
Between the passive listening, covert messaging, process mimicking, and other techniques, BPFdoor operates beyond what most cybersecurity solutions can detect and stop. Beek suggests that operators need to proactively hunt down the malware.
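A starting point for the hunt Beek recommends, as an added example that is not Rapid7's or the article's own code: a userland sniffer of the kind described above attaches its BPF filter to a Linux packet socket, and /proc/net/packet lists every such socket by inode, so matching those inodes against each process's open file descriptors names the owning process. The sample table and fd lists below are constructed; the live functions read /proc directly and need root to see other users' processes.

```python
import os
import re

SOCKET_RE = re.compile(r"socket:\[(\d+)\]")

# Constructed sample of /proc/net/packet (one AF_PACKET socket, inode 12345)
# and of readlink() results for two processes' fd tables.
SAMPLE_PACKET_TABLE = (
    "sk       RefCnt Type Proto  Iface R Rmem   User   Inode\n"
    "ffff8880 3      3    0003   2     1 0      0      12345\n"
)
SAMPLE_FD_TARGETS = {
    4242: ["/dev/null", "socket:[12345]", "pipe:[777]"],  # holds the packet socket
    4243: ["socket:[999]"],                               # ordinary socket
}

def parse_packet_inodes(table):
    """Socket inodes from a /proc/net/packet listing (last column, header skipped)."""
    return {cols[-1] for line in table.splitlines()[1:] if (cols := line.split())}

def match_owners(inodes, fd_targets):
    """Map each pid whose fd table points at one of the inodes to those inodes."""
    hits = {}
    for pid, targets in fd_targets.items():
        found = sorted(m.group(1) for t in targets
                       if (m := SOCKET_RE.fullmatch(t)) and m.group(1) in inodes)
        if found:
            hits[pid] = found
    return hits

def read_fd_targets():
    """readlink() every /proc/<pid>/fd entry; other users' pids need root."""
    out = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        fd_dir = f"/proc/{pid}/fd"
        try:
            out[int(pid)] = [os.readlink(f"{fd_dir}/{fd}") for fd in os.listdir(fd_dir)]
        except OSError:
            continue  # process exited or permission denied
    return out

def hunt_packet_sockets():
    """Live hunt: which processes on this host currently hold AF_PACKET sockets."""
    with open("/proc/net/packet") as f:
        return match_owners(parse_packet_inodes(f.read()), read_fd_targets())

if __name__ == "__main__":
    for pid, inodes in hunt_packet_sockets().items():
        with open(f"/proc/{pid}/comm") as f:
            print(f"pid {pid} ({f.read().strip()}) holds packet socket inode(s) {inodes}")
```

Legitimate capture tools (tcpdump, some DHCP clients) hold packet sockets too, so every hit needs triage: an unfamiliar binary, a process name mimicking an HPE or Kubernetes service, or a filter on a host with no capture role is what merits a closer look.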
The first step is awareness of its existence. Surprisingly, despite being several years old, the malware hasn't achieved the notoriety it warrants.
"Honestly, when I spoke to different telcos, they were quite unaware of this threat, and also the implications of it," Beek says. "I think that the bigger picture here is: Are you really anticipating these threats?"