A sophisticated China-nexus threat actor has been found embedding digital sleeper cells inside telecom networks across multiple countries. According to a recent report from cybersecurity firm Rapid7, the group is leveraging a stealthy Linux-based backdoor known as BPFdoor to carry out long-term espionage operations.
Who Is Behind the Campaign?
Researchers are tracking the threat actor as Red Menshen, a group believed to be linked to China. While the campaign shares similarities with previously known operations, such as those conducted by Volt Typhoon and Salt Typhoon, experts say the tactics have evolved significantly.
Unlike traditional attacks that focus on immediate disruption, this campaign appears to prioritize persistence and intelligence gathering. As a result, attackers can remain undetected for extended periods while monitoring sensitive systems.
How BPFdoor Enables Stealth Attacks
At the center of this campaign is BPFdoor, a malicious implant that abuses the Berkeley Packet Filter (BPF) framework in Linux systems. Essentially, it acts as a hidden trapdoor within the operating system kernel.
What makes BPFdoor particularly dangerous is its ability to operate without leaving obvious traces. For example:
- It avoids using traditional command-and-control channels
- It does not open visible network ports
- It blends into normal system-level operations
Because of these capabilities, attackers can maintain long-term access without triggering most security detection tools.
Why Telecom Networks Are Prime Targets
Telecom infrastructure holds vast amounts of sensitive data, making it a high-value target for espionage. By infiltrating these networks, attackers can gain access to:
- Subscriber information
- Communication metadata
- Signaling systems
- Critical infrastructure operations
According to Rapid7, this level of access allows threat actors to monitor communications and gather intelligence on a large scale. In some cases, this may include tracking high-profile individuals or government-related activity.
Links to Previous China-Nexus Campaigns
This latest activity builds on patterns seen in earlier campaigns. For instance, Volt Typhoon was previously linked to efforts aimed at maintaining persistent access to U.S. networks. Similarly, Salt Typhoon reportedly remained embedded in major telecom systems for years, collecting sensitive communication data.
However, the use of BPFdoor highlights a shift toward more advanced and stealth-driven techniques. This suggests a long-term strategic focus rather than short-term disruption.
What Security Teams Should Do
Given the stealthy nature of these attacks, traditional security measures may not be enough. Instead, organizations should focus on deeper system visibility and proactive threat hunting.
Security experts recommend monitoring for:
- Unusual raw socket activity
- Anomalous packet-filtering (BPF) behavior
- Service masquerading on Linux systems
Additionally, strengthening detection capabilities at the kernel level can help identify hidden threats like BPFdoor before they cause significant damage.