A long-running and ongoing campaign attributed to a China-nexus threat actor has embedded itself in telecom networks to conduct espionage against government networks.
The strategic positioning exercise, which involves implanting and sustaining stealthy access mechanisms inside critical environments, has been attributed to Red Menshen, a threat cluster that is also tracked as Earth Bluecrow, DecisiveArchitect, and Red Dev 18. The group has a track record of targeting telecom providers across the Middle East and Asia since at least 2021.
Rapid7 described the covert access mechanisms as “some of the stealthiest digital sleeper cells” ever encountered in telecommunications networks.
The campaign is characterized by the use of kernel-level implants, passive backdoors, credential-harvesting utilities, and cross-platform command frameworks, giving the threat actor the ability to persistently inhabit networks of interest. One of the known tools in its malware arsenal is a Linux backdoor called BPFDoor.
“Unlike conventional malware, BPFdoor does not expose listening ports or maintain visible command-and-control channels,” Rapid7 Labs said in a report shared with The Hacker News. “Instead, it abuses Berkeley Packet Filter (BPF) functionality to inspect network traffic directly inside the kernel, activating only when it receives a specifically crafted trigger packet.”
“There is no persistent listener or obvious beaconing. The result is a hidden trapdoor embedded within the operating system itself.”
The attack chains begin with the threat actor targeting internet-facing infrastructure and exposed edge services, such as VPN appliances, firewalls, and web-facing platforms associated with Ivanti, Cisco, Juniper Networks, Fortinet, VMware, Palo Alto Networks, and Apache Struts, to obtain initial access.
Upon gaining a successful foothold, Linux-compatible beacon frameworks such as CrossC2 are deployed to facilitate post-exploitation activities. Also dropped are Sliver, TinyShell (a Unix backdoor), keyloggers, and brute-force utilities to facilitate credential harvesting and lateral movement.
Central to Red Menshen’s operations, however, is BPFDoor. It features two distinct components: one is a passive backdoor deployed on the compromised Linux system that inspects incoming traffic for a predefined “magic” packet by installing a BPF filter, spawning a remote shell upon receiving such a packet. The other integral part of the framework is a controller operated by the attacker that is responsible for sending the specially formatted packets.
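One hunting check that follows from this design, as an added example that is not Rapid7's or the page's code: an implant with no listening port still has to own a packet socket to attach its BPF filter to, and that socket appears in /proc/net/packet even when `ss -tlnp` shows nothing. The script below parses that table (column layout as printed by the kernel's packet_seq_show(); the sample table is constructed) and maps each raw packet socket's inode back to its owning PID through /proc/<pid>/fd, which requires root to read other users' processes.

```python
import os
from typing import Dict, List

SOCK_RAW = 3  # value of the Type column for a SOCK_RAW packet socket

# Constructed sample of /proc/net/packet (column layout per the kernel's packet_seq_show()):
# row 1 is a raw socket bound to ethertype 0x0800 (IPv4), row 2 a SOCK_DGRAM socket.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a2b1c3d4e5f 3      3    0800   0     1 0      0      48321
ffff9a2b1c3d6000 3      2    0003   2     1 0      0      48999
"""

def parse_packet_sockets(table: str) -> List[Dict[str, int]]:
    """One record per data row of /proc/net/packet; the header line is skipped."""
    rows = []
    for line in table.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 9:
            rows.append({"type": int(parts[2]),
                         "proto": int(parts[3], 16),  # ethertype, printed in hex
                         "uid": int(parts[7]),
                         "inode": int(parts[8])})
    return rows

def raw_socket_inodes(table: str) -> List[int]:
    """Inodes of SOCK_RAW packet sockets, the kind a kernel socket filter is attached to."""
    return [r["inode"] for r in parse_packet_sockets(table) if r["type"] == SOCK_RAW]

def socket_owners(inodes: List[int], proc_root: str = "/proc") -> Dict[int, List[int]]:
    """Map each socket inode to the PIDs whose /proc/<pid>/fd links to 'socket:[inode]'."""
    wanted = {f"socket:[{i}]": i for i in inodes}
    owners: Dict[int, List[int]] = {i: [] for i in inodes}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                target = os.readlink(os.path.join(fd_dir, fd))
                if target in wanted:
                    owners[wanted[target]].append(int(pid))
        except OSError:  # process exited, or fd directory not readable without root
            continue
    return owners

if __name__ == "__main__":
    path = "/proc/net/packet"
    table = open(path).read() if os.path.exists(path) else SAMPLE_PROC_NET_PACKET
    for inode, pids in socket_owners(raw_socket_inodes(table)).items():
        print(f"raw packet socket inode {inode}: owning PIDs {pids or 'not found'}")
```

Legitimate owners of such sockets (DHCP clients, packet-capture tools, some monitoring agents) are expected; the point is to explain every remaining one, especially where the owning process name looks like a system daemon.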

“The controller is also designed to operate within the victim’s environment itself,” Rapid7 explained. “In this mode, it can masquerade as legitimate system processes and trigger additional implants across internal hosts by sending activation packets or by opening a local listener to receive shell connections, effectively enabling controlled lateral movement between compromised systems.”
What’s more, certain BPFDoor artifacts have been found to support the Stream Control Transmission Protocol (SCTP), potentially enabling the adversary to monitor telecom-native protocols and gain visibility into subscriber behavior and location, and even track individuals of interest.
These aspects demonstrate that the functionality of BPFDoor goes beyond a stealthy Linux backdoor. “BPFdoor functions as an access layer embedded within the telecom backbone, providing long-term, low-noise visibility into critical network operations,” the security vendor added.
It doesn’t end there. A previously undocumented variant of BPFDoor incorporates architectural changes to make it more evasive and keep it undetected for extended periods in modern enterprise and telecom environments. These include concealing the trigger packet inside seemingly legitimate HTTPS traffic and introducing a novel parsing mechanism that ensures the string “9999” appears at a fixed byte offset within the request.
This camouflage, in turn, allows the magic packet to stay hidden inside HTTPS traffic without shifting the position of data inside the request, so the implant can always check for the marker at a specific byte offset and, if it is present, interpret it as the activation command.
The newly discovered sample also debuts a “lightweight communication mechanism” that uses the Internet Control Message Protocol (ICMP) for interaction between two infected hosts.
“These findings reflect a broader evolution in adversary tradecraft,” Rapid7 said. “Attackers are embedding implants deeper into the computing stack — targeting operating system kernels and infrastructure platforms rather than relying solely on user-space malware.”
“Telecom environments — combining bare-metal systems, virtualization layers, high-performance appliances, and containerized 4G/5G core components — provide ideal terrain for low-noise, long-term persistence. By blending into legitimate hardware services and container runtimes, implants can evade traditional endpoint monitoring and remain undetected for extended periods.”