A long-running and ongoing campaign attributed to a China-nexus threat actor has embedded itself in telecommunications networks to conduct espionage against government networks.
The strategic positioning activity, which includes implementing and maintaining covert access mechanisms within critical environments, has been attributed to Red Menshen, a threat group also tracked as Earth BlueCrow, DecisiveArchitect, and Red Dev 18. The group has a track record of striking telecom providers in the Middle East and Asia since at least 2021.
Rapid7 described the covert access mechanisms as “some of the most covert digital sleeper cells” ever encountered in telecommunications networks.
The campaign is characterized by the use of kernel-level implants, passive backdoors, credential-harvesting utilities, and cross-platform command frameworks, giving the threat actor the ability to persist in networks of interest. One of the most recognized tools in its malware arsenal is a Linux backdoor called BPFDoor.
“Unlike traditional malware, BPFDoor does not expose listening ports or maintain visible command-and-control channels,” Rapid7 Labs said in a report shared with The Hacker News. “Instead, it abuses the Berkeley Packet Filter (BPF) functionality to inspect network traffic directly inside the kernel, activating only when it receives a specially crafted trigger packet.”
“There is no persistent listener or explicit prompt. The result is a hidden trap hidden within the operating system itself.”
Attack chains begin with the threat actor targeting Internet-facing infrastructure, such as VPN devices, firewalls, and web-facing platforms from Ivanti, Cisco, Juniper Networks, Fortinet, VMware, Palo Alto Networks, and Apache Struts, to gain initial access.
After a foothold is established, Linux-compatible beacon frameworks such as CrossC2 are deployed to facilitate post-exploitation activities. Sliver, TinyShell (a Unix backdoor), keyloggers, and brute-force utilities have also been deployed to facilitate credential harvesting and lateral movement.
At the center of Red Menshen's operations, however, is BPFDoor. It has two distinct components: a passive backdoor that is deployed on compromised Linux systems, installs BPF filters to inspect incoming traffic for predefined "magic" packets, and spawns a remote shell upon receiving one; and a controller, operated by the attacker, that is responsible for sending those specially formatted packets.
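Because the passive component attaches a BPF filter to a raw packet socket rather than binding a port, it does not show up in `ss -ltn`, but the socket is still listed in /proc/net/packet. The following hunt script is an added defensive example (not Rapid7's or the malware's code) that parses that table, maps each socket inode to its owning process, and flags owners outside an allow-list; the sample table, inode map and process names are constructed for illustration.

```python
"""Hunt for BPFDoor-style passive listeners: AF_PACKET sockets with no bound port.
Such sockets are absent from `ss -ltn` but listed in /proc/net/packet; the Inode
column can be traced to the owning PID via /proc/<pid>/fd. Added defensive example."""
import os
import re

# Constructed sample of /proc/net/packet (not from a real host).
# Columns: sk RefCnt Type Proto Iface R Rmem User Inode
SAMPLE_PACKET_TABLE = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a3c1e2f4000 3      3    0003   2     1 0      0      28841
ffff9a3c1e2f8800 3      3    0800   0     1 0      0      31207
"""
# Constructed inode -> (pid, comm) map standing in for a /proc/<pid>/fd walk.
SAMPLE_INODE_OWNERS = {28841: (412, "dhclient"), 31207: (2719, "kdmflush")}
# Process names expected to hold packet sockets on this host (tune per baseline).
ALLOWED_COMMS = {"dhclient", "dhcpcd", "tcpdump", "NetworkManager", "lldpd"}

def parse_packet_table(text):
    """Return [(inode, proto, ifindex)] for each row of /proc/net/packet."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        f = line.split()
        if len(f) >= 9:
            rows.append((int(f[8]), int(f[3], 16), int(f[4])))
    return rows

def live_inode_owners():
    """Map socket inode -> (pid, comm) by walking /proc/<pid>/fd (needs root)."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            comm = open(f"/proc/{pid}/comm").read().strip()
            for fd in os.listdir(f"/proc/{pid}/fd"):
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(f"/proc/{pid}/fd/{fd}"))
                if m:
                    owners[int(m.group(1))] = (int(pid), comm)
        except OSError:
            continue                            # process exited or not permitted
    return owners

def suspicious_packet_sockets(table_text, owners, allowed=ALLOWED_COMMS):
    """Flag packet sockets whose owner is unknown or not on the allow-list."""
    hits = []
    for inode, proto, ifindex in parse_packet_table(table_text):
        pid, comm = owners.get(inode, (None, "<unknown>"))
        if comm not in allowed:
            hits.append({"inode": inode, "pid": pid, "comm": comm,
                         "proto": f"0x{proto:04x}", "ifindex": ifindex})
    return hits
```

On a live host, call `suspicious_packet_sockets(open("/proc/net/packet").read(), live_inode_owners())` as root; an unknown owner usually means the socket belongs to a process in another PID namespace or one that hides its descriptors, which is itself worth investigating.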
“The controller is also designed to operate within the victim’s own environment,” Rapid7 said. “In this mode, it can masquerade as legitimate system processes and trigger additional exploits in the internal host by sending activation packets or opening a local listener to receive shell connections, effectively enabling controlled lateral movement between compromised systems.”
Additionally, some BPFDoor artifacts have been found to support Stream Control Transmission Protocol (SCTP), potentially enabling an adversary to monitor telecom-native protocols and gain visibility into subscriber behavior and location, and even track individuals of interest.
These aspects demonstrate that BPFDoor's functionality goes beyond that of a covert Linux backdoor. "BPFDoor acts as an access layer embedded within the telecom backbone, providing long-term, low-noise visibility into critical network operations," the security vendor said.
That is not all. The previously undocumented version of BPFDoor incorporates architectural changes that make it stealthier and longer-lived in modern enterprise and telecommunications environments. These include hiding the trigger packet within seemingly legitimate HTTPS traffic and introducing a new parsing mechanism that checks whether the string "9999" appears at a specific byte offset within the request.
This camouflage allows the magic packet to remain hidden inside HTTPS-looking traffic regardless of variations in the rest of the request, because the implant always checks for the marker at that fixed byte offset and, if it is present, interprets the packet as an activation command.
The newly discovered sample also introduces a “lightweight communication mechanism” that uses the Internet Control Message Protocol (ICMP) to communicate between two infected hosts.
“These findings reflect broader shifts in adversary tradecraft,” Rapid7 said. “Attackers are embedding implants deeper into the computing stack – targeting the operating system kernel and infrastructure platform rather than relying solely on user-space malware.”
“The telecom environment – combining bare-metal systems, virtualization layers, high-performance devices and containerized 4G/5G core components – provides the ideal terrain for low-noise, long-term persistence. By blending in with legitimate infrastructure services and container runtimes, implants can avoid traditional endpoint monitoring and remain undetected for extended periods.”