Red Menshen is the name given to the threat cluster responsible for the campaign described here; this article looks at that cluster. It is also tracked as Earth Bluecrow, DecisiveArchitect, and Red Dev 18.

Since at least 2021, the group has been targeting telecom companies in the Middle East and Asia. The campaign uses kernel-level implants, passive backdoors, credential-harvesting tools, and cross-platform command frameworks. The tooling has two separate components. The first is a passive backdoor placed on the compromised Linux host that inspects incoming traffic for a specific "magic" packet rather than opening a listening port. The second is a controller, run by the attacker, that crafts and sends those packets in the format the backdoor expects.

The newly analysed sample also introduces a "lightweight communication mechanism" that uses the Internet Control Message Protocol (ICMP) to let two infected hosts talk to each other. Rapid7 said these findings are part of a broader change in how adversaries operate: "Attackers are embedding implants deeper into the computing stack."
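The two halves described above, the passive magic-packet check on the implant and the controller that crafts the packet, together with the ICMP carrier, as an added example that is not code from the original page or from the Rapid7 report. The 4-byte marker, the packet layout (marker plus command in an ICMP echo payload), the addresses and the commands are all assumptions for illustration; the page gives no magic values. The same parser doubles as a detector over captured traffic, which is the practical point: nothing listens on a port, so a port scan shows nothing and you have to look at the packets (or at the raw socket and its filter on the host).

```python
import socket
import struct

# Hypothetical marker for this example; the real campaign's magic values are not on the page.
MAGIC = b"\x7c\x3e\x91\x4a"
IPPROTO_ICMP = 1
IPPROTO_UDP = 17
ICMP_ECHO_REQUEST = 8


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo request (type 8, code 0) with a valid checksum."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options) in front of payload, checksum filled in."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    csum = internet_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:] + payload


def controller_packet(src: str, dst: str, command: bytes) -> bytes:
    """Attacker side: wrap MAGIC + command in an ICMP echo so it passes as a ping."""
    return build_ipv4(src, dst, IPPROTO_ICMP, build_icmp_echo(0x4142, 1, MAGIC + command))


def implant_match(packet: bytes):
    """Implant side: return the command if a raw IPv4 frame carries MAGIC, else None.

    Every other packet is ignored, which is what makes the backdoor passive.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_ICMP or len(packet) < ihl + 8:
        return None
    icmp = packet[ihl:]
    if icmp[0] != ICMP_ECHO_REQUEST:
        return None
    # a valid ICMP checksum folds to zero; corrupted pings are dropped
    if internet_checksum(icmp) != 0:
        return None
    payload = icmp[8:]
    if not payload.startswith(MAGIC):
        return None
    return payload[len(MAGIC):]


def detect_magic(packets):
    """Defender side: run the same parser over a capture, return indices of suspect pings."""
    return [i for i, p in enumerate(packets) if implant_match(p) is not None]


# Constructed sample traffic: an ordinary ping, a magic ping, and an unrelated UDP datagram.
SAMPLE = [
    build_ipv4("10.0.0.5", "10.0.0.9", IPPROTO_ICMP, build_icmp_echo(1, 1, b"abcdefgh")),
    controller_packet("10.0.0.5", "10.0.0.9", b"run:id"),
    build_ipv4("10.0.0.5", "10.0.0.9", IPPROTO_UDP, b"\x00\x35\x00\x35\x00\x08\x00\x00"),
]

if __name__ == "__main__":
    print("suspect packets:", detect_magic(SAMPLE))
    print("command:", implant_match(SAMPLE[1]))
```

On a real host the implant would read these frames from a raw socket with a kernel packet filter attached so that only matching packets ever reach user space; the hunting angle that follows from this example is to enumerate processes holding raw sockets with attached filters and to alert on ICMP echo payloads that do not look like the usual ping pattern.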

The report continues: "Telecom environments—combining bare-metal systems, virtualization layers, high-performance appliances, and containerized 4G/5G core components—provide ideal terrain for low-noise, long-term persistence." By blending in with legitimate hardware services and container runtimes, it says, such implants evade traditional endpoint monitoring and remain hidden for long periods. The company adds that the tradecraft now targets operating system kernels and infrastructure platforms, not only user-space malware.

It also notes that such implants are harder to detect than conventional malware. The full report is available at http://www.dailymail.co.uk/news/technology/article-news/2014/01/29/attackers-are-embedding-implants-deeper-into-the-computing-stack.html.