Hackers Implant Stealthy BPFdoor Backdoors in Telecom Networks for Persistent Access

A China-nexus threat actor known as Red Menshen is planting stealthy backdoors deep inside global telecommunications networks.

According to a recent investigation by Rapid7 Labs, this long-term espionage campaign utilises a highly evasive Linux kernel malware called BPFdoor.

Instead of launching noisy, disruptive attacks, these hackers are building dormant sleeper cells in the telecom backbone.

Because telecom networks manage global digital identities, mobility, and connectivity, compromising this layer allows threat actors to monitor sensitive communications and track high-value geopolitical targets at a national scale.

Telecom breaches rarely start deep inside the core network. Attackers first target internet-facing edge infrastructure, exploiting vulnerabilities in VPN appliances, firewalls, and virtualization hosts.

Once they secure an initial foothold, the operators deploy Linux-compatible post-exploitation frameworks to blend into the telecom environment and move laterally toward core signaling systems.

Tool Primary Function Target Environment
CrossC2 Command execution and lateral movement Linux edge devices and core routing systems
TinyShell Passive, long-term persistent access Boundary devices like firewalls and VPNs
BPFdoor Kernel-level traffic inspection and backdoor Linux OS kernel, bare-metal servers

Alongside these frameworks, the threat actors use custom keyloggers and SSH brute-forcers.

These brute-force utilities are pre-loaded with telecom-specific usernames, such as “imsi,” demonstrating that the attackers possess a deep understanding of subscriber identity systems and telecom operational terminology.

BPFdoor Kernel-Level Stealth

The centerpiece of this espionage campaign is BPFdoor, a backdoor engineered to operate silently within the Linux operating system.

Overview of BPF and how early BPFdoor variants are operating (Source: Rapid7)
Overview of BPF and how early BPFdoor variants are operating (Source: Rapid7)

Traditional malware typically opens a visible listening port to communicate with a command-and-control server, making it relatively easy for network defenders to spot.

BPFdoor completely bypasses this requirement by abusing the Berkeley Packet Filter (BPF) capability, a feature normally used for legitimate network troubleshooting.

The malware installs a hidden BPF filter inside the kernel to inspect incoming traffic directly. It waits passively for a “magic packet” containing a specific byte sequence.

When the BPF filter detects this exact pattern, the backdoor activates and spawns a remote shell. Since there is no continuous beaconing or open listening port, the infected system appears perfectly clean to standard endpoint monitoring tools.

Recent analysis by Rapid7 of BPFdoor variants reveals a dangerous expansion in the malware’s capabilities.

Newer versions are specifically configured to monitor Stream Control Transmission Protocol (SCTP) traffic. SCTP is the underlying protocol used for core network signaling in both 4G and 5G environments.

 Example of code mimicking HP Proliant servers (Source: Rapid7)
 Example of code mimicking HP Proliant servers (Source: Rapid7)

By targeting SCTP, hackers bypass traditional IT data and embed themselves directly into the telecommunications signaling plane.

This level of access provides population-scale visibility. It allows threat actors to intercept SMS message contents, capture subscriber identities, and manipulate location data.

By observing specific signaling commands, attackers can actively track the physical movements of individuals of interest.

Hardware and Container Evasion

To ensure long-term survival, BPFdoor mimics legitimate infrastructure components. Rapid7 researchers discovered variants masquerading as enterprise hardware services, specifically targeting high-performance environments like HPE ProLiant servers.

The malware uses process names like hpasmlited to impersonate HPE’s Agentless Management Service. By adopting expected hardware telemetry names, the backdoor blends perfectly into normal operational noise.

Additionally, newer code variants spoof core containerization components. They impersonate Kubernetes pods running critical 5G cloud-native functions, such as the Access and Mobility Management Function (AMF).

This deep-stack evasion makes BPFdoor incredibly difficult to uncover without specialized kernel-level visibility.

Related Articles

Back to top button