TL;DR

The Threat: A sophisticated China-nexus threat actor tracked as Red Menshen (aka Earth Bluecrow, DecisiveArchitect) has compromised major telecommunications providers across Asia and the Middle East.

The Weapon: The group relies on BPFDoor, a stealthy Linux backdoor. It is a user-space implant rather than a kernel module, but it attaches a Berkeley Packet Filter (BPF) program to a raw socket so that the kernel inspects inbound traffic on its behalf.

The Tactic: Unlike traditional malware, BPFDoor opens no listening port. It sits dormant as a "sleeper cell" and wakes only when a specially crafted "magic packet" matches its filter, so it never shows up as a listener in netstat or ss -l output.

The Impact: The campaign is geared toward long-term strategic espionage. The attackers have gained deep visibility into telecom control planes, abusing signaling protocols carried over SCTP to intercept subscriber data, track the location of individuals, and monitor government communications.

The Evolution: Newly discovered BPFDoor variants analysed by Rapid7 Labs add Layer 7 (HTTPS) camouflage via a "magic ruler" mechanism, ICMP tunneling for internal lateral movement, and the ability to masquerade as bare-metal telecom hardware services.

The Invisible Trapdoor in the Global Nervous System

Telecommunications networks are the central nervous system of the modern global economy. They route sensitive government communications, underpin the operational technology of critical industries, and manage the digital identities of billions of people. When these networks are breached, the blast radius extends far beyond a single corporate entity and becomes a national security problem. A months-long investigation by Rapid7 Labs has exposed an uncomfortable reality: a state-aligned threat actor has spent years quietly embedding some of the stealthiest digital sleeper cells yet discovered directly into the core of the global telecom backbone.
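To make the "sleeper cell" mechanism concrete, here is an added example (not BPFDoor's code and not from the Rapid7 report) that models how a classic BPF (cBPF) filter attached to a raw socket lets the kernel drop every packet except the trigger. The implant process never calls bind() or listen(); it only reads from the filtered raw socket. The magic value 0x4242, the field offsets and the sample frames are constructed for illustration and are not real BPFDoor constants. The small interpreter mirrors the kernel's semantics for the opcodes used, so the filter can be exercised offline; attach_filter() shows the real setsockopt path, which needs CAP_NET_RAW.

```python
import ctypes
import socket
import struct
import sys

# cBPF opcodes (numeric values as printed by `tcpdump -dd`).
LD_H_ABS = 0x28   # A = halfword at fixed offset k
LD_B_ABS = 0x30   # A = byte at fixed offset k
LDX_MSH_B = 0xB1  # X = 4 * (byte at k & 0x0f): the IPv4 header length
LD_H_IND = 0x48   # A = halfword at offset X + k
JEQ_K = 0x15      # if A == k: pc += jt else pc += jf
RET_K = 0x06      # return k (0 = drop, non-zero = pass to the socket)

ETH_P_IP = 0x0800
IPPROTO_UDP = 17
MAGIC = 0x4242    # ASSUMED illustrative trigger, not a real BPFDoor constant

# Filter over an Ethernet frame: IPv4, UDP, and the first two bytes of the
# UDP payload (offset 14 + IHL + 8) equal to MAGIC. Everything else is dropped.
MAGIC_FILTER = [
    (LD_H_ABS, 0, 0, 12),            # 0: A = ethertype
    (JEQ_K, 0, 6, ETH_P_IP),         # 1: not IPv4 -> 8 (drop)
    (LD_B_ABS, 0, 0, 23),            # 2: A = IP protocol
    (JEQ_K, 0, 4, IPPROTO_UDP),      # 3: not UDP -> 8 (drop)
    (LDX_MSH_B, 0, 0, 14),           # 4: X = IPv4 header length
    (LD_H_IND, 0, 0, 22),            # 5: A = UDP payload[0:2] (14 + X + 8)
    (JEQ_K, 0, 1, MAGIC),            # 6: mismatch -> 8 (drop)
    (RET_K, 0, 0, 0xFFFFFFFF),       # 7: accept whole packet
    (RET_K, 0, 0, 0),                # 8: drop
]


def run_cbpf(prog, pkt):
    """Interpret the cBPF subset above over a raw frame.

    Like the kernel, an out-of-bounds load drops the packet (returns 0).
    Returns the RET value; 0 means the implant never sees the packet.
    """
    a = x = 0
    pc = 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        pc += 1
        if code in (LD_H_ABS, LD_H_IND):
            off = k + (x if code == LD_H_IND else 0)
            if off + 2 > len(pkt):
                return 0
            a = int.from_bytes(pkt[off:off + 2], "big")
        elif code == LD_B_ABS:
            if k + 1 > len(pkt):
                return 0
            a = pkt[k]
        elif code == LDX_MSH_B:
            if k + 1 > len(pkt):
                return 0
            x = 4 * (pkt[k] & 0x0F)
        elif code == JEQ_K:
            pc += jt if a == k else jf
        elif code == RET_K:
            return k
        else:
            raise ValueError(f"unsupported opcode {code:#x}")
    return 0


def build_frame(payload, proto=IPPROTO_UDP):
    """Constructed Ethernet/IPv4/UDP-shaped frame (checksums left at zero)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETH_P_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64,
                     proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    udp = struct.pack("!HHHH", 40000, 443, 8 + len(payload), 0)
    return eth + ip + udp + payload


def attach_filter(sock, prog):
    """Attach prog to a raw socket via SO_ATTACH_FILTER (needs CAP_NET_RAW)."""
    SO_ATTACH_FILTER = 26
    insns = b"".join(struct.pack("HBBI", *insn) for insn in prog)
    buf = ctypes.create_string_buffer(insns, len(insns))
    # struct sock_fprog { unsigned short len; struct sock_filter *filter; }
    fprog = struct.pack("HL", len(prog), ctypes.addressof(buf))
    sock.setsockopt(socket.SOL_SOCKET, SO_ATTACH_FILTER, fprog)
    return buf  # keep the instruction buffer alive while the filter is attached


if __name__ == "__main__":
    magic = build_frame(struct.pack("!H", MAGIC) + b"constructed-trigger")
    noise = build_frame(b"\x00\x00ordinary traffic")
    print("magic frame reaches the implant:", run_cbpf(MAGIC_FILTER, magic) != 0)
    print("ordinary frame reaches the implant:", run_cbpf(MAGIC_FILTER, noise) != 0)
    if "--attach" in sys.argv:  # live demo as root: block until one magic packet arrives
        s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))
        keep = attach_filter(s, MAGIC_FILTER)
        print("waiting for a magic packet; no TCP/UDP port is listening")
        print("woke up on", len(s.recv(65535)), "bytes")
```

The point for defenders is in the last branch: the process holds a raw AF_PACKET socket with a filter, nothing more, so the usual listener inventory is blind to it while the kernel does the packet selection. Real BPFDoor filters check several protocols and different magic values; the structure is what matters here.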
Attributed to a China-nexus threat cluster tracked as Red Menshen (also known as Earth Bluecrow, DecisiveArchitect, and Red Dev 18), this ongoing campaign eschews smash-and-grab data theft. The objective is persistent strategic positioning. By deploying BPFDoor, an extremely quiet Linux backdoor, Red Menshen has established covert access deep inside telecom infrastructure and has remained undetected since at least 2021. This report dissects Red Menshen's methodology, the technical design of BPFDoor, and the implications for global communications security.

[Figure: Architecture diagram of a telecommunications network showing vulnerabilities at the edge and core control planes]

Unmasking Red Menshen and the Strategic Targeting of Telecoms

To understand the severity of this threat, one must understand the target. Modern telecommunications networks are complex, layered ecosystems. Customer-facing edge infrastructure such as mobile base stations (RAN), broadband gateways, and security appliances feeds into the operator's IP core. Deeper still is the control plane: the heart of the network, housing subscriber management systems (HLR/HSS/UDM), authentication platforms (AuC), and lawful intercept capabilities. These systems coordinate identity and mobility across international borders using signaling protocols such as SS7 and Diameter, typically carried over SCTP.

Red Menshen's operations are aimed squarely at this control plane. The group's modus operandi is not isolated intrusion but a repeatable campaign model. By embedding persistent access at the infrastructure layer, Red Menshen gains visibility into raw subscriber identifiers, the ability to intercept authentication exchanges, and the means to monitor sensitive communications involving high-value geopolitical targets.
They are not just hacking servers; they are inhabiting the mechanisms that route national communications.

How the Attack Chains Begin

The intrusion into a multi-billion-dollar telecom provider rarely begins with a direct assault on the core database. Instead, Red Menshen exploits the reality of sprawling corporate attack surfaces, systematically targeting internet-facing infrastructure and exposed edge services. According to threat intelligence, initial access most often relies on the exploitation of public-facing applications (MITRE ATT&CK T1190) and the abuse of valid accounts (T1078).

Primary initial access targets include:

VPN Appliances: Ivanti Connect Secure.
Network Edge Devices: Cisco IOS and Juniper Networks Junos OS devices.
Security Infrastructure: Fortinet firewalls and Palo Alto Networks appliances.
Virtualization and Web Platforms: VMware ESXi hosts and Apache Struts.

These devices sit directly on the boundary between the public internet and the highly sensitive internal telecom environment. Crucially, compromises at this layer often fail to trigger traditional endpoint detection and response (EDR) mechanisms, since such appliances rarely run an EDR agent, providing Red Menshen w...
The China-linked threat actor Red Menshen is deploying BPFDoor, a Linux backdoor that filters traffic with a BPF program on a raw socket rather than running as a kernel module, to compromise telecom networks; its stealthy "sleeper cell" mechanism activates on a specific "magic packet" without any open listening port. The backdoor enables long-term espionage, granting attackers visibility into telecom control planes to intercept subscriber data and monitor communications, and new variants add HTTPS camouflage and ICMP tunneling for lateral movement. The article does not provide CVSS scores, specific affected software versions, fixed versions, or workarounds, focusing instead on the campaign's methodology and impact.
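Because the implant holds no listening port, the practical host-level hunt is to inventory raw packet sockets and ask who owns them. The following added example (not from Rapid7 or the article) parses /proc/net/packet, maps each socket inode to its owning process via /proc/<pid>/fd, and reports SOCK_RAW packet sockets held by anything outside a per-host allowlist. The allowlist, the sample /proc/net/packet text and the PID map are constructed assumptions; the process named "httpd" running from /tmp stands in for a masquerading implant.

```python
import os
import re

# Socket types as they appear in the Type column of /proc/net/packet.
SOCK_RAW, SOCK_DGRAM = 3, 2

# ASSUMED allowlist of daemons that legitimately hold packet sockets. Tune per host.
DEFAULT_ALLOWLIST = frozenset({"dhclient", "dhcpcd", "NetworkManager", "systemd-network",
                               "tcpdump", "lldpd", "wpa_supplicant"})


def parse_proc_net_packet(text):
    """Parse /proc/net/packet (columns: sk RefCnt Type Proto Iface R Rmem User Inode)."""
    entries = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 9:
            continue
        entries.append({
            "type": int(fields[2]),
            "proto": int(fields[3], 16),        # ethertype, e.g. 0003 = ETH_P_ALL
            "ifindex": int(fields[4]),
            "uid": int(fields[7]),
            "inode": int(fields[8]),
        })
    return entries


def live_inode_to_proc(proc_root="/proc"):
    """Map socket inode -> (pid, comm, exe) by reading /proc/<pid>/fd symlinks."""
    result = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
            with open(os.path.join(proc_root, pid, "comm")) as f:
                comm = f.read().strip()
            exe = os.readlink(os.path.join(proc_root, pid, "exe"))
        except OSError:                         # process exited or not ours to inspect
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                result[int(m.group(1))] = (int(pid), comm, exe)
    return result


def find_suspect_raw_sockets(entries, inode_to_proc, allowlist=DEFAULT_ALLOWLIST):
    """Return (pid, comm, exe, ethertype) for SOCK_RAW packet sockets not on the allowlist.

    A raw socket with no visible owner is reported with pid None: it may belong
    to another PID namespace or to a process hiding itself from /proc.
    """
    suspects = []
    for e in entries:
        if e["type"] != SOCK_RAW:
            continue
        pid, comm, exe = inode_to_proc.get(e["inode"], (None, "?", "?"))
        if comm in allowlist:
            continue
        suspects.append((pid, comm, exe, e["proto"]))
    return suspects


# Constructed sample: three packet sockets, one held by an unexpected process.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto Iface R Rmem   User   Inode
0000000000000000 3      3    0003   2     1 0      0      24761
0000000000000000 3      3    0800   2     1 0      0      31002
0000000000000000 2      2    0003   0     1 0      0      31190
"""
SAMPLE_INODE_MAP = {                            # constructed owners for the sample above
    24761: (812, "dhclient", "/usr/sbin/dhclient"),
    31002: (4242, "httpd", "/tmp/httpd"),       # hypothetical masquerading implant
    31190: (655, "lldpd", "/usr/sbin/lldpd"),
}

if __name__ == "__main__":
    if os.path.exists("/proc/net/packet"):
        with open("/proc/net/packet") as f:
            entries = parse_proc_net_packet(f.read())
        procs = live_inode_to_proc()
    else:
        entries, procs = parse_proc_net_packet(SAMPLE_PROC_NET_PACKET), SAMPLE_INODE_MAP
    for pid, comm, exe, proto in find_suspect_raw_sockets(entries, procs):
        print(f"raw packet socket: pid={pid} comm={comm} exe={exe} ethertype={proto:#06x}")
```

Run it as root so every /proc/<pid>/exe link is readable, and cross-check hits with `ss -0pb`, which lists packet sockets together with their owning process and any attached BPF bytecode; a process that holds a filtered raw socket yet has no TCP or UDP listener at all is exactly the profile this article describes.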