Stealthy kernel-level backdoors enable long-term surveillance inside telecom networks across the Middle East and Asia

A highly advanced cyber-espionage campaign linked to China-nexus threat actor Red Menshen is targeting telecom networks to gain persistent, covert access to sensitive communications infrastructure. The group, also known as Earth Bluecrow and Red Dev 18, has been operating undetected across the Middle East and Asia since at least 2021.
What makes this campaign particularly concerning is its deep integration into telecom environments. Instead of relying on traditional malware, attackers are embedding stealthy implants within critical systems, effectively turning telecom networks into long-term intelligence platforms.
The Rise of Invisible Backdoors
At the center of this campaign is BPFDoor, a highly evasive Linux backdoor that operates at the kernel level. Unlike conventional malware, BPFDoor does not open listening ports or establish visible command-and-control channels.
Instead, it abuses the Berkeley Packet Filter (BPF) to inspect network traffic directly within the operating system, without binding a port. The implant remains dormant until it receives a specially crafted “magic packet.” Once triggered, it silently activates a remote shell.
As a result, the malware behaves like a hidden trapdoor embedded deep within the system—virtually invisible to traditional detection tools.
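A passive implant that waits for a magic packet through a BPF filter still has to hold a raw packet socket, and that socket is visible in /proc/net/packet together with its inode, which /proc/<pid>/fd maps back to a process. The following hunting script is an added example written for this article, not code from the campaign reporting or from any vendor tool; it lists AF_PACKET sockets (raw IP sockets appear in /proc/net/raw instead and are not covered here), and the allow-list of expected sniffers, the sample /proc/net/packet snapshot and the process names in it are constructed assumptions for the demonstration.

```python
"""Hunt for the raw-socket footprint left by a BPF-filter-based passive implant.

/proc/net/packet lists every AF_PACKET socket on the host with its type, protocol
and socket inode; /proc/<pid>/fd symlinks ("socket:[inode]") map inodes back to
the owning process. A SOCK_RAW socket bound to ETH_P_ALL that is held by a
process nobody expects to be sniffing is worth a closer look.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass

SOCK_RAW = 3          # Type column value for raw packet sockets
ETH_P_ALL = 0x0003    # Proto column value: socket sees every Ethernet frame

# Assumption for this example: processes that legitimately hold packet sockets here.
EXPECTED_SNIFFERS = {"tcpdump", "dhclient", "dhcpcd", "lldpd", "NetworkManager"}


@dataclass
class PacketSocket:
    sk: str
    refcnt: int
    sock_type: int
    proto: int
    iface: int
    running: int
    rmem: int
    user: int
    inode: int


def parse_proc_net_packet(text: str) -> list[PacketSocket]:
    """Parse /proc/net/packet: a header line, then one row of nine fields per socket."""
    sockets = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) != 9:
            continue  # skip anything that is not a well-formed row
        sk, refcnt, stype, proto, iface, run, rmem, user, inode = fields
        sockets.append(PacketSocket(sk, int(refcnt), int(stype), int(proto, 16),
                                    int(iface), int(run), int(rmem), int(user), int(inode)))
    return sockets


def build_socket_inode_index(proc_root: str = "/proc") -> dict[int, tuple[int, str]]:
    """Map socket inode -> (pid, comm) by reading every /proc/<pid>/fd symlink."""
    index: dict[int, tuple[int, str]] = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            with open(f"{proc_root}/{pid}/comm") as fh:
                comm = fh.read().strip()
            for fd in os.listdir(f"{proc_root}/{pid}/fd"):
                target = os.readlink(f"{proc_root}/{pid}/fd/{fd}")
                m = re.fullmatch(r"socket:\[(\d+)\]", target)
                if m:
                    index[int(m.group(1))] = (int(pid), comm)
        except OSError:
            continue  # process exited, or we lack permission to read its fds
    return index


def suspicious_packet_sockets(sockets, inode_index, allow=EXPECTED_SNIFFERS):
    """Return (pid, comm, socket) for raw ETH_P_ALL sockets held by unexpected processes."""
    findings = []
    for s in sockets:
        if s.sock_type != SOCK_RAW or s.proto != ETH_P_ALL:
            continue
        pid, comm = inode_index.get(s.inode, (None, "<unknown>"))
        if comm in allow:
            continue
        findings.append((pid, comm, s))
    return findings


# Constructed sample data (not from a real host): one unexpected raw sniffer,
# one tcpdump on the allow-list, one DHCP client using a non-raw socket.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1c 3      3    0003   0     1 0      0      41201
ffff9a2d 3      3    0003   2     1 0      0      41377
ffff9a3e 3      2    0800   2     1 0      0      41412
"""
SAMPLE_INODE_INDEX = {41201: (4711, "unknown_daemon"), 41377: (512, "tcpdump"),
                      41412: (812, "dhclient")}


def hunt_live() -> list:
    """Run the check against the running host (requires read access to /proc/<pid>/fd)."""
    with open("/proc/net/packet") as fh:
        return suspicious_packet_sockets(parse_proc_net_packet(fh.read()),
                                         build_socket_inode_index())


if __name__ == "__main__":
    for pid, comm, s in suspicious_packet_sockets(
            parse_proc_net_packet(SAMPLE_PROC_NET_PACKET), SAMPLE_INODE_INDEX):
        print(f"pid={pid} comm={comm} iface={s.iface} inode={s.inode}: raw ETH_P_ALL socket")
```

The constructed snapshot flags only the unknown process: tcpdump is on the allow-list and dhclient's socket is SOCK_DGRAM rather than SOCK_RAW. On a real host, run hunt_live() as root and treat every hit as a lead, not a verdict; the next step is to inspect the process (binary path, parent, open files) rather than to trust the name, since an implant can name itself after a benign daemon.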
Strategic Telecom Infiltration
The attack chain begins with the compromise of internet-facing infrastructure. Threat actors target edge devices and enterprise technologies from major vendors such as Cisco, Fortinet, Palo Alto Networks, and VMware.
Once inside, the attackers deploy a suite of post-exploitation tools, including cross-platform frameworks, keyloggers, and credential harvesters. These tools enable lateral movement, privilege escalation, and long-term persistence across the network.
Additionally, frameworks like CrossC2 and backdoors such as TinyShell allow attackers to maintain flexible control over compromised systems.
Beyond Backdoors: Telecom-Level Surveillance
BPFDoor is not just a persistence mechanism—it is an intelligence-gathering platform. Some variants support telecom-native protocols such as SCTP, enabling attackers to monitor subscriber behavior, track device locations, and potentially surveil individuals of interest.
Moreover, newer variants introduce advanced evasion techniques. For instance, trigger packets are now concealed within legitimate HTTPS traffic, ensuring they blend seamlessly with normal network activity. A specific marker embedded at a fixed byte offset allows the implant to recognize activation commands without raising suspicion.
The malware also incorporates ICMP-based communication between infected systems, further reducing reliance on traditional network channels and enhancing stealth.
A Shift in Adversary Tradecraft
This campaign highlights a broader evolution in cyber warfare. Attackers are no longer operating solely in user space—they are embedding themselves deep within operating system kernels and infrastructure layers.
Telecom environments, with their mix of hardware, virtualization, and containerized 4G/5G systems, provide the perfect landscape for such operations. Consequently, these implants can remain undetected for extended periods while continuously harvesting sensitive data.
What This Means for CISOs and Telecom Operators
For organizations, especially in the UAE and wider GCC region, this development signals a critical need to rethink detection strategies.
Traditional endpoint security tools may fail to identify kernel-level threats. Therefore, organizations must adopt advanced telemetry, network behavior analysis, and threat hunting focused on low-level anomalies.
Additionally, securing edge infrastructure and continuously monitoring east-west traffic within networks becomes essential to detect such stealthy adversaries.