Chinese Threat Actors Implant BPFdoor in Telecom Networks

Executive Summary

According to a report released by Rapid7 Labs, the Chinese threat actor Red Menshen is targeting telecommunications networks in undisclosed regions in order to conduct espionage against corporate and government agencies. The campaign, reported on 26 March 2026, is a long-running operation that has maintained access to critical telecom environments for an extended period. Rapid7 Labs' research reveals that the actors are using a new version of the BPFdoor malware, a Linux backdoor capable of disguising its traffic as legitimate HTTPS, which operates within the operating system kernel.

Key Takeaways

  • The threat actors target the kernels of telecom operating systems using BPFdoor.
  • It is unclear which version(s) of Linux this malware affects.
  • Observed tools included Sliver, CrossC2, and TinyShell.
  • The threat actors used SSH brute force and custom ELF-based keyloggers to gain initial access.
  • The new BPFdoor variant is able to craft a malicious ICMP payload before the packet is transmitted back to its destination.

Detection/IOCs

Rapid7 Labs researchers have developed a script to detect BPFdoor malware.

Rapid7 Labs also provided a list of indicators of compromise related to BPFdoor:

  • Rapid7 variant G (3 times 229 BPF instructions):
    • ed768dd922742a597257ad684820d7562bb6be215710ec614bd041a22f3d6863
  • Rapid7 variant M (0x7255, 0xDEAD, 30 BPF instructions, spoofing containerd, /lib/systemd/systemd-resolved, usr/sbin/cron -f -P):
    • 785538b21bf8c9f142bb5565f42d5da5e5150dea63eddd5c1b714dc6306c96ae
  • Rapid7 controller:
    • 29e1b75c659eabbd9977867f1adc876df2c11c1ae411fade20a0561f58f64baf
    • 123eb70723e4a186fa83ea5760a1ae0e16cffd76a62e6464d5b79b8d0979a7a
    • 7adfdd11d69f4e971c87ca5b2073682d90118c0b3a3a9f5fbbda872ab1fb335c6
  • 2025 samples:
    • 3e01a4bd73b3567f59bd80c7349e3b7ce85c15a6d94016ddfcd0bf3f239684dc
    • dcb4872d437a14dc814015bf749fb2caf4cc5cb1776118c7e1748a4f657b303e
    • 3b071d36ffa393a8891832590304b21ee9017b4977a747917e6c6116596851da
    • 1f4bde6295973e54ca0bb67c532095559bed024186219d8d0b4323b9750d82f2
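The following Python script is an added example, not Rapid7's detection script and not code from the original post. It takes the IOCs listed above and turns them into two defensive checks a responder can run on a Linux host: it normalises the published SHA-256 list (flagging any entry that is not 64 hex characters, which applies to two of the hashes exactly as printed above) and sweeps a directory for matching files, and it applies a process-masquerading heuristic based on the behaviour the post attributes to variant M (argv[0] spoofed as containerd, systemd-resolved or cron) by comparing each process's claimed argv[0] with the real target of /proc/<pid>/exe. The heuristic rules, the tmpfs path list and the sample inputs are this example's own assumptions, not findings from the report.

```python
"""Defensive checker built from the BPFdoor IOCs in the post above.
Added example: not Rapid7's script, not from the original post."""
import hashlib
import os
import re
from pathlib import Path

# SHA-256 hashes copied exactly as printed in the post above (including two
# entries whose length, as printed, is not a valid SHA-256).
PUBLISHED_HASHES = [
    "ed768dd922742a597257ad684820d7562bb6be215710ec614bd041a22f3d6863",
    "785538b21bf8c9f142bb5565f42d5da5e5150dea63eddd5c1b714dc6306c96ae",
    "29e1b75c659eabbd9977867f1adc876df2c11c1ae411fade20a0561f58f64baf",
    "123eb70723e4a186fa83ea5760a1ae0e16cffd76a62e6464d5b79b8d0979a7a",
    "7adfdd11d69f4e971c87ca5b2073682d90118c0b3a3a9f5fbbda872ab1fb335c6",
    "3e01a4bd73b3567f59bd80c7349e3b7ce85c15a6d94016ddfcd0bf3f239684dc",
    "dcb4872d437a14dc814015bf749fb2caf4cc5cb1776118c7e1748a4f657b303e",
    "3b071d36ffa393a8891832590304b21ee9017b4977a747917e6c6116596851da",
    "1f4bde6295973e54ca0bb67c532095559bed024186219d8d0b4323b9750d82f2",
]

# Process names the post says variant M spoofs, compared by basename so that
# "/usr/sbin/cron -f -P" and "cron" both map to "cron".
SPOOFED_NAMES = {"containerd", "systemd-resolved", "cron"}

# Assumption: locations where a legitimate copy of those daemons never lives.
TMPFS_PREFIXES = ("/dev/shm/", "/tmp/", "/var/tmp/")

_SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def load_iocs(entries):
    """Return (valid_set, malformed_list); hashes are stripped and lower-cased."""
    valid, malformed = set(), []
    for entry in entries:
        h = entry.strip().lower()
        (valid.add(h) if _SHA256_RE.match(h) else malformed.append(entry))
    return valid, malformed


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries do not load into RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_tree(root, iocs):
    """Return [(path, sha256)] for regular files under root that match an IOC."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if os.path.islink(p) or not os.path.isfile(p):
                continue
            try:
                h = sha256_file(p)
            except OSError:
                continue  # unreadable file; skip rather than abort the sweep
            if h in iocs:
                hits.append((p, h))
    return hits


def masquerade_reason(argv0, exe_target):
    """Heuristic (this example's assumption): a process that claims one of the
    spoofed names but whose real binary is deleted, elsewhere, or in tmpfs."""
    claimed = os.path.basename(argv0.split()[0]) if argv0.strip() else ""
    if claimed not in SPOOFED_NAMES:
        return None
    if exe_target.endswith(" (deleted)"):
        return f"{claimed}: backing binary deleted from disk ({exe_target})"
    if os.path.basename(exe_target) != claimed:
        return f"{claimed}: argv[0] does not match exe target {exe_target}"
    if exe_target.startswith(TMPFS_PREFIXES):
        return f"{claimed}: running from tmpfs path {exe_target}"
    return None


def scan_procfs(proc="/proc"):
    """Walk a live /proc (Linux only) and return [(pid, reason)] findings."""
    findings = []
    for entry in Path(proc).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            raw = (entry / "cmdline").read_bytes().split(b"\0", 1)[0]
            exe_target = os.readlink(entry / "exe")
        except OSError:
            continue  # process exited, or insufficient privilege to read exe
        reason = masquerade_reason(raw.decode(errors="replace"), exe_target)
        if reason:
            findings.append((int(entry.name), reason))
    return findings


if __name__ == "__main__":
    usable, bad = load_iocs(PUBLISHED_HASHES)
    print(f"{len(usable)} usable hashes; {len(bad)} malformed as printed: {bad}")
    for pid, why in scan_procfs():
        print(f"pid {pid}: {why}")
```

Run it as root so /proc/<pid>/exe is readable for every process; without that, processes owned by other users are silently skipped, which is exactly where a backdoor would sit. The hash sweep (`scan_tree`) is intentionally separate from the process check so it can be pointed at a mounted image or a quarantined directory offline.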
