PROBABLYPWNED
Threat Intelligence · March 30, 2026 · 3 min read

Red Menshen Plants BPFDoor Sleeper Cells in Global Telecom Networks

China-linked APT plants passively triggered BPFDoor implants in telecom infrastructure across the Middle East and Asia. Rapid7 finds stealthy implants that have evaded detection for years.

Alex Kowalski

A China-linked threat actor has quietly embedded itself in telecommunications networks across the Middle East and Asia, establishing what researchers describe as "some of the stealthiest digital sleeper cells" ever encountered. The campaign, attributed to Red Menshen, positions attackers to monitor subscriber activity, signaling systems, and sensitive communications without triggering conventional security tools.

What is Red Menshen?

Red Menshen (also tracked as Earth Bluecrow, DecisiveArchitect, and Red Dev 18) is a Chinese-nexus threat cluster with a documented history of targeting telecom providers since at least 2021. The group specializes in long-term, persistent access to critical infrastructure rather than smash-and-grab operations.

Rapid7 Labs released findings on March 26, 2026 detailing a sustained espionage campaign where the group has achieved covert access inside global telecommunications infrastructure. The research represents months of investigation into the group's evolving tradecraft.

How BPFDoor Works

Central to Red Menshen's operations is BPFDoor, a Linux backdoor that receives commands without opening a listening port or generating the periodic command-and-control beaconing that network monitoring keys on. Despite the name, the implant itself is an ordinary user-space process; what runs in the kernel is the Berkeley Packet Filter it attaches to a raw socket. The malware has two components:

  1. Passive backdoor: Installed on compromised Linux systems, it opens a raw socket and attaches a BPF program that tells the kernel to hand it only packets carrying a predefined "magic" value; everything else passes untouched to the normal network stack. When a trigger packet arrives, it spawns a shell for the operator, either connecting back to an address supplied in the packet or binding a high port that a temporary firewall rule redirects the operator's traffic to.

  2. Controller component: Operated by attackers to send specially formatted trigger packets across networks, activating dormant implants.

Because the matching happens in the kernel before the implant ever sees a packet, a dormant BPFDoor host shows no listening port in ss or netstat output and no outbound C2 traffic, and the process typically masquerades under the name of a legitimate daemon. A newly discovered variant conceals trigger packets within HTTPS traffic and adds SCTP support for monitoring telecom-native signaling. The implants also use ICMP as a lightweight communication mechanism between infected hosts.
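To make the passive trigger concrete, here is an added example in Python (not code from the page, from Rapid7's report, or from the implant itself). It writes a classic BPF program in the form the kernel accepts, which lets through only IPv4/TCP packets whose payload begins with a magic value, and pairs it with a small interpreter so the filter can be exercised offline against constructed frames. The magic value, the TCP-only scope, the option-bearing test frames and the packet addresses are assumptions for illustration; the real implant's trigger values and exact filter are not taken from the page.

```python
import struct

# Assumed trigger value for this example; the real implant's magic values are
# not given on the page and are not reproduced here.
MAGIC = 0x5B5B

def cbpf(code, k, jt=0, jf=0):
    """One classic-BPF instruction: struct sock_filter {u16 code; u8 jt; u8 jf; u32 k}."""
    return (code, jt, jf, k)

# Filter as seen from an AF_PACKET socket: offsets start at the Ethernet header.
# Conditional jumps are relative to the following instruction; 15 is the drop exit.
TRIGGER_FILTER = [
    cbpf(0x28, 12),                 # 0  ldh  [12]          A = EtherType
    cbpf(0x15, 0x0800, jf=13),      # 1  jeq  #0x0800       not IPv4 -> 15
    cbpf(0x30, 23),                 # 2  ldb  [23]          A = IP protocol
    cbpf(0x15, 6, jf=11),           # 3  jeq  #6            not TCP -> 15
    cbpf(0x28, 20),                 # 4  ldh  [20]          flags + fragment offset
    cbpf(0x45, 0x1FFF, jt=9),       # 5  jset #0x1fff       later fragment -> 15
    cbpf(0xB1, 14),                 # 6  ldxb 4*([14]&0xf)  X = IP header length
    cbpf(0x50, 26),                 # 7  ldb  [x+26]        TCP data-offset byte
    cbpf(0x54, 0xF0),               # 8  and  #0xf0
    cbpf(0x74, 2),                  # 9  rsh  #2            A = TCP header length
    cbpf(0x0C, 0),                  # 10 add  x             A = iphl + tcphl
    cbpf(0x07, 0),                  # 11 tax                X = payload offset - 14
    cbpf(0x48, 14),                 # 12 ldh  [x+14]        first two payload bytes
    cbpf(0x15, MAGIC, jt=0, jf=1),  # 13 jeq  #MAGIC        match -> 14, else -> 15
    cbpf(0x06, 0xFFFF),             # 14 ret  #65535        deliver packet to the implant
    cbpf(0x06, 0),                  # 15 ret  #0            drop: user space never sees it
]

def run_cbpf(prog, pkt):
    """Interpret the subset of classic BPF used above. Returns the byte count the
    kernel would deliver (0 = drop). As in the kernel, a load past the end of
    the packet terminates the program with a drop."""
    a = x = pc = 0
    try:
        while pc < len(prog):
            code, jt, jf, k = prog[pc]
            pc += 1
            if code == 0x28:   a = struct.unpack_from("!H", pkt, k)[0]
            elif code == 0x30: a = pkt[k]
            elif code == 0xB1: x = (pkt[k] & 0x0F) * 4
            elif code == 0x48: a = struct.unpack_from("!H", pkt, x + k)[0]
            elif code == 0x50: a = pkt[x + k]
            elif code == 0x54: a &= k
            elif code == 0x74: a >>= k
            elif code == 0x0C: a = (a + x) & 0xFFFFFFFF
            elif code == 0x07: x = a
            elif code == 0x15: pc += jt if a == k else jf
            elif code == 0x45: pc += jt if a & k else jf
            elif code == 0x06: return min(k, len(pkt))
            else: raise ValueError(f"opcode 0x{code:02x} not supported")
    except (IndexError, struct.error):
        return 0
    raise ValueError("program ran off the end")

def is_trigger(pkt):
    return run_cbpf(TRIGGER_FILTER, pkt) > 0

def pack_sock_filter(prog):
    """Serialise to the native struct sock_filter array that setsockopt(SO_ATTACH_FILTER) takes."""
    return b"".join(struct.pack("HBBI", *insn) for insn in prog)

def build_frame(payload, proto=6, ip_options=b"", tcp_options=b"", fragment=False):
    """Constructed Ethernet/IPv4/TCP test frame (sample data, not captured traffic).
    Option lengths must be multiples of 4; fragment=True marks a non-first fragment."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0,
                      ((20 + len(tcp_options)) // 4) << 4, 0x18, 65535, 0, 0)
    tcp += tcp_options + payload
    frag = 0x2001 if fragment else 0            # MF flag set, fragment offset 1
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ((20 + len(ip_options)) // 4), 0,
                     20 + len(ip_options) + len(tcp), 0x1234, frag, 64, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return eth + ip + ip_options + tcp

if __name__ == "__main__":
    knock = build_frame(MAGIC.to_bytes(2, "big") + b"\x00" * 8)
    print("trigger frame delivered:", is_trigger(knock))                         # True
    print("ordinary TLS client hello:", is_trigger(build_frame(b"\x16\x03\x01")))  # False
    print("sock_filter bytes to attach:", len(pack_sock_filter(TRIGGER_FILTER)))
```

The interpreter mirrors the kernel's handling of short packets (an out-of-bounds load ends the program with a drop), and the filter walks the variable-length IP and TCP headers rather than assuming fixed offsets, so a knock with IP or TCP options still matches. To attach TRIGGER_FILTER for real you would open an AF_PACKET socket as root and pass the packed array inside a struct sock_fprog to setsockopt(SOL_SOCKET, SO_ATTACH_FILTER, ...); from then on the kernel discards every non-matching packet before the process is woken, which is exactly why a dormant implant shows no listening port.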

This approach mirrors techniques we've seen from other nation-state groups targeting critical infrastructure, though Red Menshen's focus on telecommunications is particularly concerning given the intelligence value of subscriber data.

Who's Affected

The campaign targets internet-facing infrastructure, including VPN appliances, firewalls and web platforms from Ivanti, Cisco, Juniper Networks, Fortinet, VMware and Palo Alto Networks, as well as applications built on Apache Struts. Organizations in the Middle East and Asia appear to be the primary targets, though the research suggests the campaign's scope may be broader than currently known.

Post-exploitation frameworks deployed alongside BPFDoor include CrossC2, Sliver, TinyShell, keyloggers, and brute-force utilities—a comprehensive toolkit for maintaining persistence and expanding access.

Why This Matters

Telecommunications networks are high-value espionage targets. Access to a telecom provider can yield intelligence on subscriber locations, call metadata, SMS content, and inter-carrier signaling. For nation-state actors, this represents a strategic capability that extends well beyond individual target compromise.

The "sleeper cell" positioning is particularly alarming. These implants can remain dormant for extended periods, activating only when needed, which defeats detection that relies on beaconing or on a visible listening service. A dormant implant produces no outbound traffic and hides behind a legitimate-looking process name, so the observable signals are subtler: a raw packet socket with a BPF filter attached, a running binary that has been deleted from disk, or a command line that does not match the executable behind it.

For organizations relying on telecom infrastructure for sensitive communications, this research underscores why end-to-end encryption matters even within supposedly trusted networks. If attackers control intermediate infrastructure, unencrypted communications are vulnerable regardless of perimeter defenses.

Recommended Actions

Organizations operating in affected sectors should:

  1. Audit edge infrastructure — Review VPN appliances, firewalls and load balancers for unexpected processes, running binaries whose /proc/<pid>/exe link reports "(deleted)", and command lines that do not match the executable behind them
  2. Inventory BPF socket filters — Enumerate processes holding raw AF_PACKET sockets with attached filters (ss -0pb on Linux) and alert on unexpected binaries calling setsockopt with SO_ATTACH_FILTER; eBPF-based tracing tools can hook that call, but note that BPFDoor itself uses classic BPF socket filters, not eBPF programs
  3. Inspect ICMP traffic — Look for unusual ICMP patterns that could indicate covert signaling, including echo traffic to or from hosts that have no reason to exchange it
  4. Review historical logs — The campaign has been active since at least 2021, so look for indicators of compromise in archived data
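The audit items above can be turned into a host-side hunt. The script below is an added example (not from the page, from Rapid7, or from any published BPFDoor tooling) that walks a /proc tree and reports processes showing three signals BPFDoor-style implants are known for: holding a raw AF_PACKET socket, running from a binary deleted after launch, and presenting an argv[0] that disagrees with the executable behind it. The /proc snapshot it builds for the demo, including the process names, paths and inode numbers, is constructed sample data; on a live host run scan_proc against the real /proc as root.

```python
import os
import re
import tempfile
from dataclasses import dataclass

DELETED = " (deleted)"   # suffix the kernel appends to /proc/<pid>/exe once the file is unlinked

@dataclass
class Finding:
    pid: int
    argv0: str
    exe: str
    reasons: list
    severity: str

def _read(path):
    try:
        with open(path, "rb") as f:
            return f.read().decode(errors="replace")
    except OSError:
        return ""

def packet_socket_inodes(proc_root):
    """Inode numbers of every AF_PACKET socket: last column of /proc/net/packet."""
    rows = _read(os.path.join(proc_root, "net", "packet")).splitlines()[1:]
    return {row.split()[-1] for row in rows if row.split()}

def socket_inodes_of(proc_root, pid):
    """Socket inodes a process holds, read from its /proc/<pid>/fd symlinks."""
    fd_dir = os.path.join(proc_root, str(pid), "fd")
    inodes = set()
    for fd in (os.listdir(fd_dir) if os.path.isdir(fd_dir) else []):
        try:
            m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(os.path.join(fd_dir, fd)))
        except OSError:
            continue
        if m:
            inodes.add(m.group(1))
    return inodes

def scan_proc(proc_root="/proc"):
    """Report processes with BPFDoor-like traits. Unprivileged runs cannot read
    other users' exe/fd links, so run as root for a complete view."""
    raw_inodes = packet_socket_inodes(proc_root)
    findings = []
    for pid in sorted(int(e) for e in os.listdir(proc_root) if e.isdigit()):
        base = os.path.join(proc_root, str(pid))
        try:
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            exe = ""                     # kernel thread or permission denied
        argv0 = _read(os.path.join(base, "cmdline")).split("\0")[0]
        deleted = exe.endswith(DELETED)
        real = os.path.basename(exe[:-len(DELETED)] if deleted else exe)
        reasons = []
        if deleted:
            reasons.append("executable was deleted from disk after it started")
        if argv0 and real and os.path.basename(argv0) != real:
            reasons.append(f"argv[0] {argv0!r} does not match executable {real!r}")
        if socket_inodes_of(proc_root, pid) & raw_inodes:
            reasons.append("holds an AF_PACKET raw socket (where a trigger filter would sit)")
        if reasons:
            severity = "high" if deleted or len(reasons) >= 2 else "low"
            findings.append(Finding(pid, argv0, exe, reasons, severity))
    return findings

def build_sample_proc(root):
    """Constructed /proc snapshot (sample data, not from a real host): pid 4242
    claims to be "/sbin/udevd -d", its binary is gone and it owns packet socket
    inode 31337; pid 812 is an ordinary sshd holding a TCP socket."""
    os.makedirs(os.path.join(root, "net"))
    with open(os.path.join(root, "net", "packet"), "w") as f:
        f.write("sk       RefCnt Type Proto  Iface R Rmem   User   Inode\n")
        f.write("0000000000000000 3      3    0800   2     1 0      0      31337\n")
    for pid, argv, exe, sock in (
        (4242, "/sbin/udevd\0-d\0", "/dev/shm/.cache" + DELETED, "socket:[31337]"),
        (812, "/usr/sbin/sshd\0-D\0", "/usr/sbin/sshd", "socket:[2001]"),
    ):
        p = os.path.join(root, str(pid))
        os.makedirs(os.path.join(p, "fd"))
        with open(os.path.join(p, "cmdline"), "w") as f:
            f.write(argv)
        os.symlink(exe, os.path.join(p, "exe"))       # dangling targets are fine for readlink
        os.symlink(sock, os.path.join(p, "fd", "3"))

def demo():
    """Scan the constructed snapshot and return the findings (only pid 4242 should appear)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_proc(root)
        return scan_proc(root)

if __name__ == "__main__":
    for f in demo():
        print(f"[{f.severity}] pid {f.pid} argv0={f.argv0!r} exe={f.exe!r}: " + "; ".join(f.reasons))
    # Live hunt as root: for f in scan_proc("/proc"): ...
```

The argv[0] mismatch on its own is noisy (pid 1 reports /sbin/init while the binary is systemd, and interpreters show similar splits), so the scanner rates a finding high only when the binary is gone or two signals coincide; a raw socket alone is normal for DHCP clients and packet capture tools. /proc does not reveal whether a filter is attached to a raw socket, so pair this with ss -0pb, which prints the attached BPF program for each packet socket.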

The research adds to growing evidence that telecommunications infrastructure faces sustained targeting from state-sponsored actors. Organizations should assume that motivated adversaries are already seeking access to their networks and plan defenses accordingly.
