Silent Infiltration: China-Linked Hackers Plant Stealth Backdoors Inside Global Telecom Networks

Over the last few years, security researchers have uncovered a concerning pattern: well-resourced threat actors are quietly embedding themselves deep within global telecommunications infrastructure. Among these actors is a China-linked group tracked as Red Menshen, known for deploying passive implants that leave almost no trace on the host or on the wire.

Unlike traditional cyberattacks that focus on quick data theft or disruption, these operations are built for patience. The attackers aim to remain hidden for long periods, positioning themselves strategically to monitor communications, gather intelligence, and potentially influence critical systems when needed.

Telecommunications networks are not just another industry target. They form the backbone of modern digital society. Everything from government communications to financial transactions and personal identity systems relies on them. When these networks are compromised, the impact extends far beyond a single organization—it affects entire nations.


Why Telecom Infrastructure Is a Prime Target

Telecom networks offer something few other environments can: centralized visibility into massive amounts of sensitive data. These systems handle subscriber identities, location tracking, authentication processes, and communication metadata on a global scale.

Modern telecom architecture is highly complex. It consists of multiple interconnected layers, including routing systems, authentication services, billing platforms, roaming databases, and signaling protocols such as SS7 and Diameter, which in IP-based cores are carried over the SCTP transport protocol. These components work together to ensure seamless connectivity across regions and borders.

Simplified version of a telecom provider's network (Source: Rapid7)

If an attacker gains persistent access within this ecosystem, the possibilities go far beyond a typical breach. They could monitor user movements, intercept communication metadata, and track high-value individuals. In extreme cases, this level of access could enable long-term intelligence collection at a population scale.


A Pattern of Coordinated Campaigns

What initially appeared to be isolated incidents across different countries is now being recognized as part of a larger, structured campaign. The activity attributed to Red Menshen shows clear signs of long-term planning and repeatable techniques.

Rather than launching short-lived attacks, the group focuses on embedding themselves deeply into telecom environments. Their approach resembles planting “digital sleeper cells”—hidden access points that remain dormant until activated.

Across multiple investigations, researchers have identified recurring elements in these intrusions. These include passive backdoors that hide behind a kernel packet filter, credential harvesting tools, and cross-platform command-and-control frameworks. Together, these tools create a persistent layer of access designed not just to infiltrate networks, but to live inside them.


BPFdoor: A New Level of Stealth

At the center of these operations is a tool known as BPFdoor. It is not typical malware. It runs as an ordinary user-space process, but it never binds a listening port and never beacons out; instead it opens a raw packet socket and asks the kernel to pre-filter the traffic that reaches it.

BPFdoor does this with the Berkeley Packet Filter (BPF), the same mechanism tcpdump uses to select traffic. The implant attaches a small filter program to its raw socket, and the kernel runs that program against every incoming packet. Only a packet carrying a specific "magic" marker in its payload passes the filter; everything else is discarded before the malware ever sees it.

This design makes it hard to spot with conventional tooling. There is no listening port in netstat or ss output, no periodic command-and-control connection, and no obvious sign of compromise in network telemetry. Because the magic packet can be sent to any port, even one a firewall does not forward, the host looks idle.

When a magic packet arrives, the implant acts on it: it can spawn a shell for the sender or set up a short-lived connection for interactive access. It behaves like a hidden lock that only responds to a specific key.

The raw socket itself is not invisible, however. A process that has attached a filter to a packet socket shows up in ss -0pb (packet sockets, with the attached BPF program and owning process), and the socket appears in /proc/net/packet. Those are the places to look, rather than the list of listening ports.

Overview of BPF and how early BPFdoor variants operate (Source: Rapid7)
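To make the "hidden lock" concrete, here is an added example (not code from the article, from Rapid7, or from BPFdoor itself) that builds a classic BPF filter of the kind a passive backdoor attaches to its raw socket and runs it over constructed IPv4/UDP packets with a tiny interpreter. The magic value, the offset checked, the UDP transport and the packet layout (IP header at offset 0) are all assumptions for this illustration; BPFdoor's real markers are not reproduced. The `attach_filter` helper shows the actual Linux setsockopt call used to install such a program; it needs CAP_NET_RAW and is not exercised by the stand-alone run.

```python
"""Added example: a classic-BPF 'magic packet' gate of the kind BPFdoor uses.
The filter, the magic value and the packets are constructed for this article."""
import ctypes
import socket
import struct

# Classic BPF opcodes from linux/filter.h (the numbers tcpdump -dd emits).
LD_W_ABS, LD_H_ABS, LD_B_ABS = 0x20, 0x28, 0x30   # A = P[k] (4/2/1 bytes)
LD_W_IND, LD_H_IND, LD_B_IND = 0x40, 0x48, 0x50   # A = P[X + k]
LDX_B_MSH = 0xB1                                  # X = 4 * (P[k] & 0x0f): IPv4 IHL
JEQ_K = 0x15                                      # pc += (A == k) ? jt : jf
RET_K = 0x06                                      # return k (0 = drop)
SO_ATTACH_FILTER = 26

MAGIC = 0xDEADC0DE   # constructed marker; BPFdoor's real values are not used here

# (code, jt, jf, k) tuples, the same layout as struct sock_filter.
# Assumes the socket delivers IPv4 packets starting at the IP header.
MAGIC_FILTER = [
    (LD_B_ABS, 0, 0, 9),        # A = ip.protocol
    (JEQ_K, 0, 4, 17),          # not UDP -> jump to final 'ret 0'
    (LDX_B_MSH, 0, 0, 0),       # X = IPv4 header length (handles options)
    (LD_W_IND, 0, 0, 8),        # A = first 4 bytes after the 8-byte UDP header
    (JEQ_K, 0, 1, MAGIC),       # payload marker != magic -> drop
    (RET_K, 0, 0, 0xFFFF),      # accept: kernel hands the packet to user space
    (RET_K, 0, 0, 0),           # drop: the process never sees it
]


def run_filter(prog, pkt):
    """Minimal classic-BPF interpreter; returns the verdict (0 = drop)."""
    a = x = pc = 0

    def load(off, size):
        if off < 0 or off + size > len(pkt):
            raise IndexError("read past end of packet")
        return int.from_bytes(pkt[off:off + size], "big")

    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        pc += 1
        try:
            if code == LD_W_ABS: a = load(k, 4)
            elif code == LD_H_ABS: a = load(k, 2)
            elif code == LD_B_ABS: a = load(k, 1)
            elif code == LD_W_IND: a = load(x + k, 4)
            elif code == LD_H_IND: a = load(x + k, 2)
            elif code == LD_B_IND: a = load(x + k, 1)
            elif code == LDX_B_MSH: x = 4 * (load(k, 1) & 0x0F)
            elif code == JEQ_K: pc += jt if a == k else jf
            elif code == RET_K: return k
            else: raise ValueError(f"unsupported opcode {code:#x}")
        except IndexError:
            return 0   # like the kernel: an out-of-bounds load drops the packet
    return 0


def ipv4_udp(payload, proto=17, ihl=5):
    """Construct a bare IPv4+UDP test packet (checksums zeroed, not a real capture)."""
    total = ihl * 4 + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip += b"\x00" * (ihl * 4 - 20)           # zero-filled IP options when ihl > 5
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0)
    return ip + udp + payload


def is_trigger(pkt):
    """True only for a packet the constructed filter would let through."""
    return run_filter(MAGIC_FILTER, pkt) != 0


def attach_filter(sock, prog):
    """Install a classic BPF program on a socket (needs CAP_NET_RAW on Linux)."""
    blob = b"".join(struct.pack("HBBI", *insn) for insn in prog)
    buf = ctypes.create_string_buffer(blob)
    fprog = struct.pack("HL", len(prog), ctypes.addressof(buf))   # struct sock_fprog
    sock.setsockopt(socket.SOL_SOCKET, SO_ATTACH_FILTER, fprog)


if __name__ == "__main__":
    key = struct.pack("!I", MAGIC) + b"cmd"
    for name, pkt in [("magic udp", ipv4_udp(key)), ("magic udp+options", ipv4_udp(key, ihl=6)),
                      ("plain dns", ipv4_udp(b"\x00\x00\x00\x00dns")), ("magic tcp", ipv4_udp(key, proto=6))]:
        print(f"{name:20s} -> {'ACCEPT' if is_trigger(pkt) else 'drop'}")
```

The point for defenders is in the last function: the implant needs one `setsockopt(SO_ATTACH_FILTER)` on an `AF_PACKET` socket, and that call, the resulting socket in `/proc/net/packet`, and the filter shown by `ss -0pb` are observable even though no port is listening.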

How Attackers Get Inside Telecom Networks

Despite the sophistication of their persistence mechanisms, attackers typically begin with more conventional entry points. They target internet-facing systems such as VPN appliances, firewalls, and network devices.

Common techniques include exploiting vulnerabilities in public-facing applications and using stolen credentials to gain access. Devices from vendors like Ivanti, Cisco, Fortinet, VMware, and Palo Alto are frequently targeted because they sit at the boundary between external traffic and internal infrastructure.

Once inside, attackers deploy additional tools to expand their access. CrossC2, a third-party Cobalt Strike beacon implementation for Linux and macOS, lets them execute commands and move laterally outside the Windows estate that Cobalt Strike normally covers. TinyShell, a small open-source Unix backdoor, provides remote access with a minimal network footprint.

To strengthen their position, attackers often deploy keyloggers and brute-force tools. These are sometimes customized with telecom-specific terminology, indicating a deep understanding of the target environment.


Persistence and Lateral Movement

After gaining initial access, the attackers focus on maintaining long-term control. This is where tools like BPFdoor become critical. BPFdoor's contribution is evasion rather than reboot survival: it is a user-space process that hides behind a kernel packet filter, so it shows up neither as a listening port nor as outbound command-and-control traffic, and it is paired with separate persistence mechanisms to come back after a restart.

The attackers also use their foothold to move deeper into the network. Their goal is to reach control-plane systems where subscriber data and signaling operations are managed. These systems represent the core of telecom functionality and provide the highest value for intelligence gathering.


Targeting the Signaling Layer

One of the most alarming aspects of this campaign is its focus on telecom signaling traffic, and in particular on SCTP. Unlike typical enterprise traffic, SCTP is the transport that core networks use for signaling: SS7 carried over IP (SIGTRAN), Diameter in 4G cores, and the S1AP and NGAP interfaces between base stations and the 4G and 5G core.

By monitoring or manipulating this traffic, attackers can gain insights into subscriber activity. This includes location tracking, identity information, and communication metadata.

In some cases, this access could allow attackers to track individuals in real time. It represents a shift from traditional cyber espionage toward large-scale surveillance capabilities.
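What "communication metadata" looks like on such a link is easy to show. The following is an added example (not from the article, Rapid7, or the actor's tooling): it builds a stripped-down Diameter S6a Update-Location-Request as a constructed test vector, wraps it in an SCTP DATA chunk the way it travels between an MME and an HSS, and then decodes it the way a passive tap on the raw socket would. The command code (316), application id (16777251), AVP codes and the Diameter PPID (46) are the standard IANA/3GPP values; the IMSI uses the 001/01 test PLMN; the hostnames and SCTP verification tag are made up, and the SCTP checksum is left at zero because no kernel will verify this vector.

```python
"""Added example: decoding Diameter over SCTP as a passive tap sees it.
The packet is a constructed test vector, not captured traffic."""
import struct

SCTP_DATA = 0            # chunk type
PPID_DIAMETER = 46       # IANA SCTP payload protocol id for Diameter
DIAMETER_PORT = 3868
ULR, S6A = 316, 16777251
AVP_NAMES = {1: "User-Name", 263: "Session-Id", 264: "Origin-Host",
             283: "Destination-Realm", 296: "Origin-Realm"}


def pad4(n):
    return (n + 3) & ~3


def build_avp(code, data, flags=0x40):          # 0x40 = M (mandatory) bit
    hdr = struct.pack("!IB", code, flags) + (8 + len(data)).to_bytes(3, "big")
    return hdr + data + b"\x00" * (pad4(len(data)) - len(data))


def build_diameter(cmd, app_id, avps, request=True):
    body = b"".join(avps)
    flags = 0x80 if request else 0x00            # R bit
    hdr = (bytes([1]) + (20 + len(body)).to_bytes(3, "big") + bytes([flags])
           + cmd.to_bytes(3, "big") + struct.pack("!III", app_id, 0x1234, 0x5678))
    return hdr + body


def build_sctp(src, dst, chunks):
    """Common header + DATA chunks; checksum zeroed (constructed vector only)."""
    out = struct.pack("!HHII", src, dst, 0xABCD1234, 0)
    for ppid, payload in chunks:
        chunk = struct.pack("!BBHIHHI", SCTP_DATA, 0x03, 16 + len(payload), 1, 0, 0, ppid)
        chunk += payload
        out += chunk + b"\x00" * (pad4(len(chunk)) - len(chunk))
    return out


def parse_sctp(pkt):
    """Return ports, vtag and a list of (ppid, user_data) for DATA chunks."""
    src, dst, vtag, _csum = struct.unpack("!HHII", pkt[:12])
    chunks, off = [], 12
    while off + 4 <= len(pkt):
        ctype, _cflags, clen = struct.unpack("!BBH", pkt[off:off + 4])
        if clen < 4:
            break                                # malformed; stop rather than loop
        if ctype == SCTP_DATA and clen >= 16:
            ppid = struct.unpack("!I", pkt[off + 12:off + 16])[0]
            chunks.append((ppid, pkt[off + 16:off + clen]))
        off += pad4(clen)                        # chunk length excludes padding
    return {"src_port": src, "dst_port": dst, "vtag": vtag, "chunks": chunks}


def parse_diameter(msg):
    """Parse header and AVPs; raises ValueError on a malformed message."""
    ver, length, flags = msg[0], int.from_bytes(msg[1:4], "big"), msg[4]
    cmd = int.from_bytes(msg[5:8], "big")
    app_id, _hbh, _e2e = struct.unpack("!III", msg[8:20])
    if ver != 1 or length > len(msg) or length < 20:
        raise ValueError("bad Diameter header")
    avps, off = {}, 20
    while off + 8 <= length:
        code = struct.unpack("!I", msg[off:off + 4])[0]
        aflags = msg[off + 4]
        alen = int.from_bytes(msg[off + 5:off + 8], "big")
        if alen < 8 or off + alen > length:
            raise ValueError("bad AVP length")
        data_off = off + (12 if aflags & 0x80 else 8)   # V bit adds a vendor id
        avps[AVP_NAMES.get(code, f"AVP-{code}")] = msg[data_off:off + alen]
        off += pad4(alen)
    return {"request": bool(flags & 0x80), "command": cmd, "application": app_id, "avps": avps}


def sample_ulr_packet():
    """Constructed MME -> HSS Update-Location-Request on the test PLMN 001/01."""
    realm = b"epc.mnc001.mcc001.3gppnetwork.org"
    avps = [build_avp(263, b"mme01.example;1;1"), build_avp(264, b"mme01." + realm),
            build_avp(296, realm), build_avp(283, realm), build_avp(1, b"001010123456789")]
    return build_sctp(DIAMETER_PORT, DIAMETER_PORT, [(PPID_DIAMETER, build_diameter(ULR, S6A, avps))])


def extract_imsi(pkt):
    """What a tap learns from one packet: the IMSI carried in User-Name, if any."""
    for ppid, data in parse_sctp(pkt)["chunks"]:
        if ppid == PPID_DIAMETER:
            avps = parse_diameter(data)["avps"]
            if "User-Name" in avps:
                return avps["User-Name"].decode()
    return None


if __name__ == "__main__":
    pkt = sample_ulr_packet()
    print(parse_sctp(pkt)["dst_port"], extract_imsi(pkt))
```

Nothing in the decode required a key: unless the operator runs the interface over IPsec or DTLS, which 3GPP permits but does not force inside an operator's own network, the subscriber identity and the serving node names are readable by anyone with a raw socket on the path, which is exactly the vantage point a BPFdoor-style implant on a core host provides.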


Advanced Evasion Techniques

The attackers employ several clever techniques to remain undetected. One method involves mimicking legitimate system processes. For example, some BPFdoor variants use names similar to trusted hardware management services found on enterprise servers.

This tactic helps the malware blend into normal system activity, reducing the likelihood of detection during routine checks.

Another strategy involves disguising the malware as container-related processes. Since many telecom systems now rely on containerized environments, this allows the attackers to hide within modern infrastructure frameworks.
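Both evasion tricks described here, and the raw socket a passive backdoor cannot do without, can be hunted for in /proc. The script below is an added example (not Rapid7's detection content and not the actor's code): it parses a constructed /proc/net/packet table, cross-references socket inodes against a constructed per-process snapshot, and flags a process that holds an AF_PACKET socket outside a small allowlist, whose argv[0] disagrees with the binary it really runs, or whose binary was unlinked after launch. The allowlist and the sample process names are assumptions to tune per host; a name mismatch on its own is a weak signal (interpreters and shells produce it routinely), which is why the findings are kept separate rather than rolled into one verdict. `snapshot_live()` collects the same fields from a real Linux host.

```python
"""Added example: hunting BPFdoor-style implants via /proc.
Sample data is constructed; the allowlist is an assumption to tune."""
import os
import re

# Legitimate AF_PACKET users commonly seen on servers (assumed allowlist).
PACKET_SOCKET_ALLOWLIST = {"tcpdump", "dhclient", "dhcpcd", "NetworkManager",
                           "lldpd", "wpa_supplicant", "systemd-networkd"}

# Constructed /proc/net/packet: Type 3 = SOCK_RAW, Proto 0800 = IPv4, 0003 = all.
SAMPLE_PACKET_TABLE = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0800   2     1 0      0      31337
0000000000000000 3      3    0003   2     1 0      0      40001
"""

# Constructed process snapshot: pid 4242 masquerades as a management agent
# (argv[0] is a made-up name), runs an unlinked binary from tmpfs and owns inode 31337.
SAMPLE_PROCS = [
    {"pid": 900, "comm": "sshd", "cmdline": "/usr/sbin/sshd\0-D\0",
     "exe": "/usr/sbin/sshd", "socket_inodes": {22001}},
    {"pid": 1200, "comm": "tcpdump", "cmdline": "tcpdump\0-i\0eth0\0",
     "exe": "/usr/bin/tcpdump", "socket_inodes": {40001}},
    {"pid": 4242, "comm": "hwmgmt-agent", "cmdline": "/sbin/hwmgmt-agent\0",
     "exe": "/dev/shm/.x (deleted)", "socket_inodes": {31337}},
]


def parse_proc_net_packet(text):
    """Return {inode: (socket_type, ethertype)} for every AF_PACKET socket."""
    sockets = {}
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 9:
            continue
        sockets[int(cols[8])] = (int(cols[2]), int(cols[3], 16))
    return sockets


def flag_process(proc, packet_sockets):
    """Return a list of (pid, finding) for one process snapshot."""
    findings = []
    deleted = proc["exe"].endswith(" (deleted)")
    exe_path = proc["exe"][:-len(" (deleted)")] if deleted else proc["exe"]
    exe_name = os.path.basename(exe_path)
    argv0 = os.path.basename(proc["cmdline"].split("\0")[0]) if proc["cmdline"] else ""
    held = sorted(i for i in proc["socket_inodes"] if i in packet_sockets)
    if held and exe_name not in PACKET_SOCKET_ALLOWLIST:
        stype, proto = packet_sockets[held[0]]
        findings.append((proc["pid"], f"AF_PACKET socket (type={stype}, proto={proto:#06x}) held by {exe_name}"))
    if argv0 and argv0 != exe_name:
        findings.append((proc["pid"], f"argv[0] '{argv0}' does not match exe '{exe_name}'"))
    if deleted:
        findings.append((proc["pid"], f"binary {exe_path} was unlinked after launch"))
    if exe_path.startswith(("/dev/shm/", "/tmp/", "/var/tmp/")):
        findings.append((proc["pid"], f"running from tmpfs path {exe_path}"))
    return findings


def hunt(packet_table_text, procs):
    """Run all checks; returns a flat list of (pid, finding)."""
    packet_sockets = parse_proc_net_packet(packet_table_text)
    return [f for p in procs for f in flag_process(p, packet_sockets)]


def snapshot_live():
    """Collect the same fields from a live Linux host (root sees all pids)."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        base = f"/proc/{pid}"
        try:
            with open(f"{base}/comm") as f:
                comm = f.read().strip()
            with open(f"{base}/cmdline", "rb") as f:
                cmdline = f.read().decode(errors="replace")
            exe = os.readlink(f"{base}/exe")
            inodes = set()
            for fd in os.listdir(f"{base}/fd"):
                try:
                    m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(f"{base}/fd/{fd}"))
                except OSError:
                    continue
                if m:
                    inodes.add(int(m.group(1)))
        except OSError:
            continue                     # process exited, or not ours to inspect
        procs.append({"pid": int(pid), "comm": comm, "cmdline": cmdline, "exe": exe,
                      "socket_inodes": inodes})
    return procs


if __name__ == "__main__":
    for pid, finding in hunt(SAMPLE_PACKET_TABLE, SAMPLE_PROCS):
        print(f"pid {pid}: {finding}")
```

On a real host, `hunt(open("/proc/net/packet").read(), snapshot_live())` gives the same output for live data; a process that trips the packet-socket check and a name or path check at the same time is the one to pull a memory image from before touching it, since the implant may remove itself when it notices inspection.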


Threat Intelligence Report Format

Threat Actor

Red Menshen (China-nexus advanced persistent threat group)

Target Sector

Global telecommunications providers and associated infrastructure

Attack Objective

Long-term espionage, subscriber tracking, and access to sensitive communications

Key Techniques Observed

  • Passive, BPF-filtered backdoor access via BPFdoor
  • Exploitation of edge infrastructure (VPNs, firewalls, routers)
  • Credential harvesting and lateral movement
  • Use of passive backdoors and stealth command frameworks
  • Monitoring of telecom signaling traffic (SS7/SIGTRAN and Diameter, carried over SCTP)

Tools and Malware

  • BPFdoor (passive backdoor gated by a kernel BPF filter)
  • CrossC2 (Cobalt Strike-compatible beacon for Linux and macOS)
  • TinyShell (passive backdoor)
  • Custom keyloggers and brute-force tools

Impact Assessment

The compromise of telecom infrastructure enables large-scale surveillance, access to sensitive metadata, and potential disruption of critical communication systems. The threat extends beyond individual organizations to national security levels.


Our Opinion

What makes this case particularly significant is not just the technical sophistication of the tools involved, but the strategic intent behind them. This is not a typical cyberattack driven by immediate financial gain or short-term disruption. Instead, it reflects a long-term investment in positioning, patience, and intelligence gathering.

The use of implants like BPFdoor, which hide behind a kernel packet filter rather than a listening port or a beacon, signals a shift in how advanced threat actors approach persistence. By operating below the layer most security tools watch, these attackers are effectively bypassing many of the defenses organizations rely on today. It highlights a growing gap between traditional detection methods and the evolving tactics of state-aligned groups.

Another important aspect is the clear focus on telecommunications infrastructure. This is not accidental. Telecom networks provide unmatched access to data flows, user identities, and communication patterns. In many ways, they represent the most valuable vantage point in the digital ecosystem. Gaining access here is equivalent to having a surveillance capability at a national or even global scale.

The level of environment awareness shown by the attackers is also notable. From mimicking hardware-specific processes to understanding telecom-specific protocols, it is evident that these operations are carefully planned and tailored. This is not generic malware being deployed randomly—it is precision targeting.

From a defensive perspective, this case raises serious concerns. Many organizations still lack visibility into which processes hold raw sockets and BPF filters, and into low-level network behavior. Traditional endpoint detection solutions, which key on listening ports and outbound connections, are often not designed to detect threats operating at this depth. As a result, attackers can remain undetected for extended periods.

Moving forward, there needs to be a shift in how security is approached in critical infrastructure sectors. Greater emphasis must be placed on deep system monitoring, anomaly detection at the network level, and collaboration between private organizations and government agencies.

Ultimately, this case serves as a reminder that cybersecurity is no longer just about protecting data. It is about safeguarding the systems that underpin modern society. When those systems are compromised, the consequences can extend far beyond what most organizations are prepared to handle.