(rapid7.com) Red Menshen: China-Nexus Threat Actor Deploys Evolved BPFdoor Implants as Telecom Backbone Sleeper Cells
Red Menshen, a China-nexus APT, is deploying evolved BPFdoor Linux backdoors inside global telecom operators, placing the implants where 4G/5G core signaling carried over SCTP is within reach. The new variants are woken by magic values instead of a listening port: a 'magic ruler' marker (9999) embedded in HTTPS traffic and a 0xFFFFFFFF sentinel in ICMP used for C2, which is what lets them move laterally with little network footprint. RC4-MD5 encryption, process masquerading (posing as hpasmlited or Docker processes) and BPF socket filters that pick triggers out of raw traffic in the kernel give the actor persistent, low-visibility access. Initial access has come through exploits against Ivanti, Cisco, Fortinet, VMware and Palo Alto edge devices. From that position the actor can harvest IMSIs and track subscribers.
Source: https://www.rapid7.com/blog/post/tr-bpfdoor-telecom-networks-sleeper-cells-threat-research-report

BPFdoor in Telecom Networks: Sleeper Cells in the backbone
A months-long investigation by Rapid7 Labs has uncovered evidence of an advanced China-nexus threat actor placing stealthy digital sleeper cells in telecommunications networks, in order to carry out high-level espionage – including against government networks. Read more in a new blog.