BPFDoor Is Living Inside Telecom Networks — And It's Getting Harder to See

Rapid7 dropped a new report today on Red Menshen, the China-linked threat group that has been quietly embedded inside telecommunications infrastructure since at least 2021. The headline tool: BPFDoor, a Linux backdoor that Rapid7 describes as creating "hidden trapdoors embedded within the operating system itself."

This is not new malware. What's new is a previously undocumented variant — more evasive, harder to detect, and showing signs of expansion beyond its original design.

What BPFDoor Actually Does

Most backdoors give themselves away. They open ports, beacon home, create unusual connections. BPFDoor does none of that.

Instead, it opens a raw packet socket and attaches a classic Berkeley Packet Filter to it with setsockopt(SO_ATTACH_FILTER). The filter runs inside the kernel and inspects every packet that crosses the interface before the network stack hands it to anyone; the implant process simply sleeps until a specially crafted "magic" packet matches. Nothing is bound to a listening port, so a port scanner sees nothing. Only once the trigger arrives does BPFDoor wake up and spawn a remote shell.

"There is no persistent listener or obvious beaconing," Rapid7 wrote. "The result is a hidden trapdoor embedded within the operating system itself."

Your network monitoring is watching listening ports, established connections, and the processes that own them. The filter sits in the kernel's packet path ahead of all of that, and the only user-space footprint is a process holding a raw socket, which is also what tcpdump and a DHCP client look like.

The New Variant Is More Surgical

The freshly documented sample layers on additional concealment. The magic packet is now hidden inside what looks like legitimate HTTPS traffic. The activation marker — the string "9999" — appears at a fixed byte offset within the request, giving the implant a precise trigger to check without pattern-matching on content that might trip detection logic.

Communication between infected hosts uses ICMP rather than TCP or UDP, which is rarely monitored at the same depth and generates minimal log noise.

Red Menshen's controller — the attacker-side tool used to activate implants — is also designed to run *from inside the victim environment*. It can masquerade as a legitimate system process, send activation packets to other internal hosts, and open local listeners to receive shell connections. Lateral movement without external traffic.

What They're After

The group's focus on telecom infrastructure adds a dimension that goes beyond standard espionage. Several BPFDoor artifacts found by Rapid7 include support for the Stream Control Transmission Protocol (SCTP), which is native to telecom signaling systems. That capability potentially gives Red Menshen visibility into subscriber behavior, location data, and movement tracking.

That's not corporate espionage. That's signals intelligence.

How They Get In

The initial access playbook is standard-issue, and effective because these vulnerabilities exist in virtually every large network perimeter. Red Menshen exploits internet-facing edge devices and web-exposed platforms: VPN appliances and firewalls from Ivanti, Cisco, Juniper Networks, Fortinet, VMware, and Palo Alto Networks, plus web applications built on Apache Struts.

Once inside, the toolkit expands: CrossC2 and Sliver for post-exploitation, TinyShell as a Unix backdoor, keyloggers, and brute-force utilities for credential harvesting and lateral movement. BPFDoor gets deployed as the long-term persistence mechanism — the one that's meant to stay quiet while everything else comes and goes.

CybrPulse has tracked 177 BPFDoor-related articles across our security feeds since early 2026, a sustained volume that reflects active researcher attention rather than a one-time discovery.

Detection Just Got a Little More Possible

Alongside today's report, Rapid7 released a scanning script specifically for detecting BPFDoor implants in Linux systems. HelpNet Security reported that the tool is targeted at telecommunications providers, who have been dealing with China-linked APT intrusions for years with limited detection options.

The script gives defenders a concrete starting point, but there's a catch: it finds implants that are already running. A hit means you're in incident response territory, not prevention. The harder problem is stopping it from getting in.

What to Do Now

If you're running any of the affected edge platforms — Ivanti, Cisco ASA, Juniper, Fortinet, VMware, Palo Alto, Apache Struts — the priority is the same one it's been all year: keep them patched and audit your exposed services. These are the doors Red Menshen walks through.

Beyond that, deploy Rapid7's detection script on Linux systems, particularly those in telecom environments or anywhere you run infrastructure that processes network traffic at scale. Review ICMP traffic patterns — the new BPFDoor variant uses ICMP for inter-host communication, and that's detectable if you're logging it.

Look for processes holding packet or raw sockets with a socket filter attached. Note that `bpftool prog list` will not show them: it enumerates eBPF programs, and BPFDoor uses a classic BPF filter attached to a socket. Those are visible with `ss -0bp` (packet sockets, their filter bytecode, and the owning process) and `ss -wp` for raw IP sockets. Compare the result against what you expect to see (tcpdump, DHCP clients, some monitoring agents). A process you don't recognize, one whose binary has been deleted from disk, or one running out of /dev/shm is compromise until proven otherwise.
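As an added example, not Rapid7's scanner and not code from the report, here is a small Python hunt over the one artifact every BPFDoor-style implant must leave behind: a process holding an AF_PACKET or raw IP socket, because a socket filter has to be attached to a socket. It maps socket inodes from /proc/net/packet and /proc/net/raw to the processes whose fd tables point at them, then scores each holder on traits documented in earlier BPFDoor samples rather than in today's report (argv[0] rewritten to a decoy name, binary unlinked after start, running from /dev/shm). The /proc snapshots and process records embedded at the bottom are constructed to show the shape of the data; the "udevd" entry is a hypothetical implant, and `hunt_live()` walks the real /proc when run as root.

```python
"""Hunt for BPFDoor-style implants: raw-socket holders that look wrong.
Added example, not Rapid7's scanner. Sample data at the bottom is constructed."""
from __future__ import annotations

import os
import re
from dataclasses import dataclass

SOCKET_RE = re.compile(r"socket:\[(\d+)\]")
TMPFS_DIRS = ("/dev/shm/", "/tmp/", "/var/tmp/")


def socket_inodes(packet_text: str, raw_text: str) -> set[int]:
    """Inodes of every AF_PACKET socket (/proc/net/packet) and raw IPv4 socket (/proc/net/raw)."""
    inodes: set[int] = set()
    for line in packet_text.splitlines()[1:]:      # skip header; Inode is the 9th column
        fields = line.split()
        if len(fields) >= 9:
            inodes.add(int(fields[8]))
    for line in raw_text.splitlines()[1:]:         # same layout as /proc/net/tcp; inode is 10th
        fields = line.split()
        if len(fields) >= 10:
            inodes.add(int(fields[9]))
    return inodes


@dataclass
class Proc:
    pid: int
    cmdline: list[str]      # /proc/<pid>/cmdline NUL-split: what ps shows, and what an implant rewrites
    exe: str                # readlink /proc/<pid>/exe: kernel truth, ends in " (deleted)" if unlinked
    cwd: str                # readlink /proc/<pid>/cwd
    fd_targets: list[str]   # readlink of every /proc/<pid>/fd/N


def holds_raw_socket(p: Proc, inodes: set[int]) -> bool:
    for target in p.fd_targets:
        m = SOCKET_RE.match(target)
        if m and int(m.group(1)) in inodes:
            return True
    return False


def suspicion(p: Proc, inodes: set[int]) -> list[str]:
    """Reasons the process looks like an implant; empty list means it holds no raw socket."""
    if not holds_raw_socket(p, inodes):
        return []
    reasons = ["holds a packet/raw socket (where a BPF socket filter attaches)"]
    exe_path = p.exe.removesuffix(" (deleted)")
    if exe_path != p.exe:
        reasons.append("binary unlinked from disk after exec")
    if exe_path.startswith(TMPFS_DIRS) or p.cwd.startswith("/dev/shm"):
        reasons.append("runs from a world-writable tmp directory")
    argv0 = os.path.basename(p.cmdline[0]) if p.cmdline else ""
    exe_name = os.path.basename(exe_path)
    if argv0 and exe_name and not exe_name.startswith(argv0):   # decoy name vs real binary
        reasons.append(f"argv[0] {argv0!r} does not match binary {exe_name!r}")
    return reasons


def hunt(procs: list[Proc], inodes: set[int]) -> dict[int, list[str]]:
    """pid -> reasons for every raw-socket holder; anything with more than one reason needs eyes."""
    return {p.pid: r for p in procs if (r := suspicion(p, inodes))}


def snapshot_live() -> list[Proc]:
    """Walk /proc on the running host (root needed to read other users' fd and exe links)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        base = f"/proc/{entry}"
        try:
            raw = open(f"{base}/cmdline", "rb").read()
            cmdline = [a.decode(errors="replace") for a in raw.split(b"\0") if a]
            exe, cwd = os.readlink(f"{base}/exe"), os.readlink(f"{base}/cwd")
            fds = [os.readlink(f"{base}/fd/{fd}") for fd in os.listdir(f"{base}/fd")]
        except OSError:
            continue                                # exited, kernel thread, or not permitted
        procs.append(Proc(int(entry), cmdline, exe, cwd, fds))
    return procs


def hunt_live() -> dict[int, list[str]]:
    with open("/proc/net/packet") as pk, open("/proc/net/raw") as rw:
        inodes = socket_inodes(pk.read(), rw.read())
    return hunt(snapshot_live(), inodes)


# Constructed sample shaped like the real /proc files (not a capture from an incident).
SAMPLE_PACKET = ("sk       RefCnt Type Proto  Iface R Rmem   User   Inode\n"
                 "ffff9c6a 3      3    0800   2     1 0      0      40211\n")
SAMPLE_RAW = ("  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
              "   0: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 40388 2 0000000000000000 0\n")
SAMPLE_PROCS = [
    Proc(1417, ["/sbin/udevd", "-d"], "/dev/shm/implant (deleted)", "/",     # hypothetical implant
         ["/dev/null", "/dev/null", "/dev/null", "socket:[40211]"]),
    Proc(2203, ["tcpdump", "-i", "eth0"], "/usr/bin/tcpdump", "/root",       # benign raw-socket user
         ["/dev/pts/0", "socket:[40388]"]),
    Proc(2310, ["/usr/sbin/sshd", "-D"], "/usr/sbin/sshd", "/",
         ["/dev/null", "socket:[40900]"]),                                   # TCP listener, not raw
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_PROCS, socket_inodes(SAMPLE_PACKET, SAMPLE_RAW)).items():
        print(pid, *reasons, sep="\n    ")
```

Legitimate raw-socket users show up with the single "holds a packet/raw socket" reason, so keep a host-specific allowlist for those and escalate on anything that accumulates more. The argv[0] check is a heuristic (interpreters and multi-call binaries trip it), which is why the deleted-binary and tmpfs signals are the ones worth paging on.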

Red Menshen has been patient. They've been inside some of these networks for five years. The window where passive monitoring catches up to kernel-embedded implants is narrow, but it's open right now.


*Sources: Rapid7 Labs, The Hacker News, HelpNet Security*