Critical Infrastructure Dark Web Supply Chain BPF door Red Menshen APT Salt Typhoon Nation-State Kernel Implant Telecom Security China-nexus

BPFdoor in Telecom Networks: The FCC Is Securing the Edge, but China's Hackers Are Already Past It

Mike Bell March 26, 2026 8 min read

    Rapid7's research reveals China-linked kernel implants deep inside telecom signaling infrastructure. Here's what BPFdoor is, how it evolved, and what defenders need to do now.

    Key Takeaways:

    • BPFdoor is a Linux backdoor that hides behind a kernel-executed BPF packet filter, used by the China-nexus group Red Menshen to maintain long-term, hard-to-detect access inside telecom infrastructure
    • New variants have evolved significantly from simple magic packet triggers to HTTPS-embedded activation and SCTP signaling protocol filtering targeting 4G and 5G core networks
    • This operates deeper than Salt Typhoon, which worked from the IT layer. Red Menshen is resident, as root with a packet filter running inside the kernel, on the systems that are the telecom backbone
    • Dark web intelligence found no evidence of BPFdoor being traded as commodity tooling, suggesting the operational complexity keeps it in the hands of nation-state actors
    • The FCC's foreign router ban addresses supply chain risk at the edge, but the adversary is already past the edge and inside the signaling core

    Three days ago, the FCC banned imports of new foreign-made consumer routers, citing Volt Typhoon, Flax Typhoon, and Salt Typhoon by name. China controls roughly 60 percent of the U.S. home router market, so the supply chain risk is real and that move was overdue. But the same week the government locked down the front door, Rapid7 published research showing a China-nexus group has been living inside the signaling core of telecom networks for what appears to be years. The policy is catching up to one problem while the adversary has already moved on to the next.

    What Is BPFdoor? Pre-Positioned Access, Not Smash-and-Grab

    The implant at the center of Rapid7's research is BPFdoor, a backdoor that abuses the Berkeley Packet Filter: the implant attaches a classic BPF program to a raw packet socket, and from then on the kernel inspects every inbound packet on its behalf and hands it only the ones that match. It doesn't open a listening port, doesn't beacon home, and doesn't appear in the TCP and UDP socket listings that netstat or ss show by default. It sits completely dormant until the operator sends a specifically crafted packet, and then it activates a remote shell.

    From an intelligence standpoint, this looks like pre-positioned access. The kind you build and maintain when you want the option to observe or disrupt at a time of your choosing. This isn't a criminal operation optimized for speed and monetization. The patience and the targeting profile point to an adversary playing a longer game.

    The group behind it, Red Menshen, has been deploying samples that mimic HPE ProLiant hardware management daemons and Docker container processes. They know exactly what infrastructure they're sitting on and they're hiding in the operational noise of telecom-grade environments.

    How BPFdoor Evolved: From Magic Packets to HTTPS Triggers

    BPFdoor has been documented since 2021 and the source code leaked publicly in 2022. The current variants are dangerous because the tradecraft has evolved considerably since then. Earlier versions used simple "magic packet" triggers over TCP, UDP or ICMP, effective but detectable if you knew what to look for. The new variants hide their activation triggers inside legitimate HTTPS traffic that passes cleanly through TLS termination and reverse proxies before reaching the implant. Rapid7 describes a "magic ruler" technique where mathematical padding ensures the command marker always lands at a fixed byte offset regardless of how proxy layers modify the headers. That's tradecraft designed to survive modern enterprise security stacks, not amateur tooling someone pulled off a leak site.
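    The classic trigger test described above, re-implemented in user space as a detector. This is an added example; it is not code from the article, from Rapid7, or from the leaked BPFdoor source. It performs the same comparison the implant's BPF filter performs inside the kernel (a two-byte marker at the first bytes of the UDP, ICMP-echo or TCP payload, honouring the IP header length and the TCP data offset) so a defender can run it over a packet capture. The marker values, addresses and packets are constructed placeholders: real samples carry their own markers, and the HTTPS-embedded variants the text describes need a different check entirely.

```python
"""User-space re-implementation of a BPFdoor-style magic-packet test (added example)."""
from __future__ import annotations
import struct
from typing import Optional

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17

# ASSUMED placeholder marker values; configure these per sample, they are not IOCs.
MARKERS = {"udp": 0x7255, "icmp": 0x7255, "tcp": 0x5293}


def payload_offset(pkt: bytes) -> Optional[tuple[str, int]]:
    """Return (protocol, byte offset of the transport payload), or None if not applicable."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:          # IPv4 only
        return None
    ihl = (pkt[0] & 0x0F) * 4                        # IP header length, options included
    proto = pkt[9]
    if proto == IPPROTO_UDP:
        return "udp", ihl + 8                        # fixed 8-byte UDP header
    if proto == IPPROTO_ICMP:
        if len(pkt) < ihl + 1 or pkt[ihl] != 8:      # only echo requests, like the original filter
            return None
        return "icmp", ihl + 8                       # type, code, checksum, id, seq = 8 bytes
    if proto == IPPROTO_TCP:
        if len(pkt) < ihl + 13:
            return None
        doff = (pkt[ihl + 12] >> 4) * 4              # the BPF idiom tcp[((tcp[12]&0xf0)>>2)...]
        return "tcp", ihl + doff
    return None


def trigger_marker(pkt: bytes, markers: dict = MARKERS) -> Optional[str]:
    """Return the protocol name if pkt carries the marker at its payload start, else None."""
    where = payload_offset(pkt)
    if where is None:
        return None
    proto, off = where
    if len(pkt) < off + 2:
        return None
    return proto if struct.unpack_from("!H", pkt, off)[0] == markers[proto] else None


def scan(packets: list[bytes], markers: dict = MARKERS) -> list[tuple[int, str]]:
    """Return [(index, protocol)] for every packet that would wake the implant."""
    return [(i, p) for i, pkt in enumerate(packets) if (p := trigger_marker(pkt, markers))]


# Constructed sample traffic. Checksums are left zero; this detector never verifies them.
def ipv4(proto: int, transport: bytes, options: bytes = b"") -> bytes:
    assert len(options) % 4 == 0
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(transport), 0, 0,
                      64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + options + transport


def sample_packets() -> list[bytes]:
    udp = lambda payload: struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    icmp = lambda typ, payload: struct.pack("!BBHHH", typ, 0, 0, 1, 1) + payload

    def tcp(payload: bytes, opts: bytes = b"") -> bytes:
        doff = 5 + len(opts) // 4
        return struct.pack("!HHIIBBHHH", 40001, 443, 1, 0, doff << 4, 0x18, 65535, 0, 0) + opts + payload

    return [
        ipv4(IPPROTO_UDP, udp(b"\x72\x55trigger")),                             # 0: UDP marker
        ipv4(IPPROTO_UDP, udp(b"\x00\x1cquery")),                               # 1: benign UDP
        ipv4(IPPROTO_ICMP, icmp(8, b"\x72\x55ping")),                           # 2: echo request marker
        ipv4(IPPROTO_ICMP, icmp(0, b"\x72\x55pong")),                           # 3: echo reply, ignored
        ipv4(IPPROTO_TCP, tcp(b"\x52\x93x", opts=b"\x01\x01\x01\x01")),         # 4: TCP with options
        ipv4(IPPROTO_TCP, tcp(b"GET / HTTP/1.1")),                              # 5: benign TCP
        ipv4(IPPROTO_UDP, udp(b"\x72\x55"), options=b"\x00" * 4),               # 6: IP options shift offsets
    ]
```

    To run this over a capture, strip the link-layer header from each frame and pass the IPv4 packets to scan(). Packets 4 and 6 are the cases a naive fixed-offset check misses: TCP options and IP options both move the payload, which is exactly why the implant's filter computes the offset from the header fields rather than hard-coding it.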

    The bigger evolution is SCTP filtering. SCTP is the transport protocol that carries the signaling of 4G and 5G cores: S1AP and NGAP between the radio access network and the MME or AMF, Diameter to the HSS, and SIGTRAN where SS7 still lives. That signaling coordinates subscriber identity, device authentication, and call routing. By matching it in the kernel's packet filter, the operators can observe subscriber identifiers and authentication exchanges without touching the applications or databases that defenders typically monitor. The report also documents ICMP tunneling between compromised hosts for lateral movement, and that's traffic most SOCs don't inspect at all.
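    What an SCTP monitor has to decode before it can act as a security function, as an added example that is not from the article or from Rapid7's report: a parser for the SCTP common header and chunk list, a map from DATA-chunk payload protocol identifiers to the signaling protocol they carry (IANA PPIDs: 3 M3UA, 18 S1AP, 46 Diameter, 60 NGAP), and a check of every DATA chunk against a baseline of the (server, port, protocol) associations the core is supposed to have. The addresses, the baseline and the packets are constructed; the CRC32c checksum is left zero.

```python
"""Decode SCTP signaling and flag associations outside a baseline (added example)."""
from __future__ import annotations
import struct

# IANA SCTP payload protocol identifiers for the signaling protocols named in the text.
PPID_NAMES = {3: "M3UA", 18: "S1AP", 46: "Diameter", 60: "NGAP"}
CHUNK_DATA, CHUNK_SACK = 0, 3

# Constructed baseline of expected associations: (server address, server port, PPID).
EXPECTED = {
    ("10.20.0.10", 36412, 18),   # eNodeBs -> MME over S1-MME
    ("10.20.0.20", 3868, 46),    # Diameter clients -> HSS
    ("10.20.0.30", 38412, 60),   # gNodeBs -> AMF over NGAP
}


def parse_sctp(pdu: bytes) -> tuple[int, int, int, list[tuple[int, int, int | None, bytes]]]:
    """Return (sport, dport, verification tag, [(chunk type, flags, PPID or None, payload)])."""
    if len(pdu) < 12:
        raise ValueError("short SCTP common header")
    sport, dport, vtag, _cksum = struct.unpack_from("!HHII", pdu, 0)
    chunks, off = [], 12
    while off + 4 <= len(pdu):
        ctype, cflags, clen = struct.unpack_from("!BBH", pdu, off)
        if clen < 4 or off + clen > len(pdu):
            raise ValueError(f"bad chunk length {clen} at offset {off}")
        body = pdu[off + 4: off + clen]
        ppid, payload = None, body
        if ctype == CHUNK_DATA and len(body) >= 12:
            # DATA chunk body: TSN(4) stream id(2) stream seq(2) PPID(4) then user data
            ppid = struct.unpack_from("!I", body, 8)[0]
            payload = body[12:]
        chunks.append((ctype, cflags, ppid, payload))
        off += (clen + 3) & ~3            # chunk length excludes padding; chunks align to 4 bytes
    return sport, dport, vtag, chunks


def inspect(src_ip: str, dst_ip: str, pdu: bytes) -> list[str]:
    """Alert on each DATA chunk whose association matches neither direction of the baseline."""
    sport, dport, _vtag, chunks = parse_sctp(pdu)
    alerts = []
    for ctype, _flags, ppid, payload in chunks:
        if ctype != CHUNK_DATA:
            continue
        name = PPID_NAMES.get(ppid, f"PPID {ppid}")
        if (dst_ip, dport, ppid) in EXPECTED or (src_ip, sport, ppid) in EXPECTED:
            continue
        alerts.append(f"{src_ip}:{sport} -> {dst_ip}:{dport} {name} ({len(payload)} bytes) outside baseline")
    return alerts


# Constructed packet builders.
def data_chunk(ppid: int, data: bytes, tsn: int = 1, stream: int = 0) -> bytes:
    chunk = struct.pack("!BBHIHHI", CHUNK_DATA, 0x03, 16 + len(data), tsn, stream, 0, ppid) + data
    return chunk + b"\x00" * (-len(chunk) % 4)          # pad to a 4-byte boundary


def sack_chunk(cum_tsn: int = 0) -> bytes:
    return struct.pack("!BBHIIHH", CHUNK_SACK, 0, 16, cum_tsn, 65535, 0, 0)


def sctp_pdu(sport: int, dport: int, *chunks: bytes, vtag: int = 0x1234) -> bytes:
    return struct.pack("!HHII", sport, dport, vtag, 0) + b"".join(chunks)   # checksum left zero


def run_samples() -> dict[str, list[str]]:
    """Two legitimate associations and two that a monitor should raise."""
    return {
        "diameter_ok": inspect("10.20.0.50", "10.20.0.20",
                               sctp_pdu(50000, 3868, data_chunk(46, b"\x01\x00\x00\x14"))),
        "s1ap_bundled_ok": inspect("10.20.0.60", "10.20.0.10",
                                   sctp_pdu(36412, 36412, sack_chunk(5), data_chunk(18, b"\x00\x0c\x40\x01\x02"))),
        "s1ap_to_unknown_peer": inspect("10.20.0.60", "10.20.0.99",
                                        sctp_pdu(36412, 36412, data_chunk(18, b"\x00\x0c"))),
        "diameter_wrong_port": inspect("10.20.0.50", "10.20.0.20",
                                       sctp_pdu(50000, 3869, data_chunk(46, b"\x01\x00\x00\x14"))),
    }
```

    The "s1ap_bundled_ok" sample bundles a SACK ahead of the DATA chunk and uses a payload that is not a multiple of four bytes, which is the shape real associations take and the reason the chunk walker has to honour padding rather than assume one chunk per packet. In a core network the baseline table would come from the network engineering inventory, which is the hand-off the text is asking for.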

    BPFdoor vs. Salt Typhoon: Kernel-Level Access Changes Everything

    Salt Typhoon compromised nine US telecoms in 2024 and eventually hit 200 companies worldwide. That campaign was serious, but it operated from the IT layer. Stealing call records, accessing lawful intercept systems, moving through the enterprise side of the network. Red Menshen is operating below that. The implants run as root on the systems that ARE the telecom infrastructure, not on systems that connect to it, and they let the kernel's packet filter do their listening. They're mimicking hardware daemons on bare-metal ProLiant servers and container runtimes in Kubernetes pods running 5G core network functions. They're not breaking into the house. They're living in the walls.

    For defenders, it changes where you have to look. Salt Typhoon could be detected with strong EDR and network monitoring at the application layer. This requires visibility into the host itself: enumerating the BPF filters attached to sockets, auditing raw and packet socket usage, and validating process integrity on hardware management services.

    BPFdoor Dark Web Intelligence: What the Underground Tells Us

    When we ran our own dark web intelligence against BPFdoor through our threat intelligence platform, it wasn't showing up in underground markets or being offered as commodity tooling. The source code has been public since 2022, but our searches across forums, Telegram channels, and paste sites over the past 180 days turned up discussion almost entirely confined to the security research community. That doesn't mean nobody outside a state program has picked it up, but the operational complexity of deploying kernel-level implants inside telecom signaling infrastructure makes it hard to operationalize. This isn't something a ransomware crew is going to bolt onto their toolkit. The organizations being targeted are dealing with an adversary that has the resources and the patience to maintain these implants across years.

    How to Detect BPFdoor: Where Telecom Security Teams Need to Focus

    Telecom security teams need to expand visibility below the application layer. Priority detection actions include:

    • Monitor for anomalous BPF filters attached to sockets that shouldn't have them
    • Audit raw socket usage and flag unexpected processes opening raw sockets
    • Validate process integrity on hardware management services, particularly HPE ProLiant hpasmlited and similar daemons
    • Run a BPFdoor detection scanner like snapattack's bpfdoor-scanner on any Linux infrastructure in telecom environments
    • Implement SCTP traffic monitoring in 4G and 5G core environments as a security function, not just a network engineering responsibility
    • Inspect ICMP traffic between internal hosts for tunneling patterns that indicate lateral command propagation
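    One way to run the first three checks on a host, as an added example (not a tool from the article, and not snapattack's scanner). The implant needs a packet socket with a BPF filter attached; /proc/net/packet lists every AF_PACKET socket with its inode, and the /proc/<pid>/fd/* links of the owning process read socket:[inode]. The code joins the two and then applies the checks the list calls for: an unexpected holder of a packet socket, an executable that has been unlinked or runs from a tmpfs, and a process name that does not match its executable (the masquerade the text describes, since comm and argv are under the process's control but /proc/<pid>/exe is not). The allowlist, the /proc text and the process table are constructed; the quick manual equivalent is ss -0pb, which lists AF_PACKET sockets with the owning process and any attached BPF filter.

```python
"""Join /proc/net/packet to the process table and triage AF_PACKET holders (added example)."""
from __future__ import annotations
import os
import re
from dataclasses import dataclass, field

# Processes expected to hold AF_PACKET sockets on this estate (assumed allowlist; tune it).
KNOWN_CAPTURE = {"dhclient", "dhcpcd", "tcpdump", "lldpd", "NetworkManager", "systemd-network"}
# Locations a long-lived daemon has no business executing from.
SUSPECT_DIRS = ("/dev/shm/", "/tmp/", "/var/tmp/", "/run/")


@dataclass
class Proc:
    pid: int
    comm: str                  # /proc/<pid>/comm: what ps shows; the process can rewrite it
    exe: str                   # readlink /proc/<pid>/exe; ends in " (deleted)" if unlinked
    cmdline: str               # /proc/<pid>/cmdline; also under the process's control
    socket_inodes: set[int] = field(default_factory=set)   # from /proc/<pid>/fd/* links


def packet_socket_inodes(proc_net_packet: str) -> dict[int, int]:
    """Parse /proc/net/packet into {inode: ethertype} for every AF_PACKET socket."""
    out: dict[int, int] = {}
    for line in proc_net_packet.splitlines()[1:]:          # line 0 is the column header
        cols = line.split()                                 # sk RefCnt Type Proto Iface R Rmem User Inode
        if len(cols) >= 9:
            out[int(cols[8])] = int(cols[3], 16)
    return out


def triage(proc_net_packet: str, procs: list[Proc]) -> list[str]:
    """Return one finding per process that holds a packet socket and fails a check."""
    inodes = packet_socket_inodes(proc_net_packet)
    findings = []
    for p in procs:
        held = p.socket_inodes & set(inodes)
        if not held:
            continue
        exe_path = p.exe.replace(" (deleted)", "")
        exe_name = os.path.basename(exe_path)
        reasons = []
        if p.comm not in KNOWN_CAPTURE:
            reasons.append("unexpected holder of an AF_PACKET socket")
        if p.exe.endswith("(deleted)"):
            reasons.append("executable unlinked from disk")
        if exe_path.startswith(SUSPECT_DIRS):
            reasons.append(f"executable runs from {os.path.dirname(exe_path)}/")
        if exe_name[:15] != p.comm:                          # the kernel truncates comm to 15 bytes
            reasons.append(f"comm '{p.comm}' does not match exe '{exe_name}'")
        if reasons:
            ethertypes = ",".join(f"0x{inodes[i]:04x}" for i in sorted(held))
            findings.append(f"pid {p.pid} comm={p.comm} ethertype={ethertypes}: " + "; ".join(reasons))
    return findings


def collect_live() -> tuple[str, list[Proc]]:
    """Read the real tables (root is needed to follow other users' fd and exe links)."""
    with open("/proc/net/packet") as f:
        table = f.read()
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        base = f"/proc/{pid}"
        try:
            comm = open(f"{base}/comm").read().strip()
            exe = os.readlink(f"{base}/exe")
            cmdline = open(f"{base}/cmdline", "rb").read().replace(b"\0", b" ").decode(errors="replace").strip()
            inodes = set()
            for fd in os.listdir(f"{base}/fd"):
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(f"{base}/fd/{fd}"))
                if m:
                    inodes.add(int(m.group(1)))
        except OSError:
            continue                                        # process exited or not readable
        procs.append(Proc(int(pid), comm, exe, cmdline, inodes))
    return table, procs


# Constructed sample: a DHCP client, a genuine HPE daemon, and an impostor borrowing its name.
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto Iface R Rmem   User   Inode
ffff9a3c41c2d000 3      3    0800  2     1 0      0      16742
ffff9a3c41c2d800 3      3    0003  2     1 0      0      23911
"""
SAMPLE_PROCS = [
    Proc(812, "dhclient", "/usr/sbin/dhclient", "/usr/sbin/dhclient eth0", {16742}),
    Proc(1544, "hpasmlited", "/opt/hp/hp-health/bin/hpasmlited", "/opt/hp/hp-health/bin/hpasmlited", {3301}),
    Proc(2207, "hpasmlited", "/dev/shm/ipc_mon (deleted)", "/sbin/hpasmlited", {23911}),
]

if __name__ == "__main__":
    live = os.path.exists("/proc/net/packet") and os.geteuid() == 0
    table, procs = collect_live() if live else (SAMPLE_PROC_NET_PACKET, SAMPLE_PROCS)
    for finding in triage(table, procs):
        print(finding)
```

    Only the impostor is reported: the genuine hpasmlited holds no packet socket, and dhclient holds one but is allowlisted and matches its executable. The ethertype column is worth keeping in the finding, since 0x0003 (ETH_P_ALL) on a box that is not a network sensor is itself a question. AF_INET raw sockets are a separate table, /proc/net/raw, and deserve the same join.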

    If your SOC doesn't have visibility into signaling plane traffic, you have a blind spot that this adversary is specifically exploiting.

    The FCC's router ban addresses a real supply chain vulnerability at the network edge. But Rapid7's research shows the adversary isn't waiting at the edge. They're already inside the infrastructure that makes the network function, and finding them requires looking in places most defenders haven't been watching.

    Frequently Asked Questions

    What is BPFdoor malware? BPFdoor is a Linux backdoor that abuses the Berkeley Packet Filter (BPF) to passively monitor network traffic without opening listening ports or generating network signatures while dormant. The kernel runs the implant's filter and wakes it only for a specially crafted "magic packet," at which point it opens a remote shell for the operator. It has been linked to the China-nexus threat group Red Menshen and is primarily used against telecom infrastructure.

    How is BPFdoor different from other backdoors? Unlike most backdoors that open listening ports or beacon to command-and-control servers, BPFdoor does its listening through a packet filter executed by the Linux kernel and produces no network footprint until it is triggered. Newer variants embed their triggers inside legitimate HTTPS traffic and can filter SCTP signaling protocols used in 4G and 5G core networks, giving operators visibility into subscriber identity and authentication data.

    Can BPFdoor be detected? Yes, but it requires looking below the application layer. Defenders should monitor for unexpected BPF filters on sockets, anomalous raw socket usage, and processes masquerading as legitimate hardware management services. Community-developed tools like snapattack's bpfdoor-scanner can identify BPFdoor implants by exploiting the malware's heartbeat response behavior, and YARA rules are available for binary detection.

    Is BPFdoor available on the dark web? Based on Suzu Labs' dark web intelligence searches over the past 180 days, we found no evidence of BPFdoor being actively traded or offered as commodity tooling in underground markets despite the source code being public since 2022. The operational complexity of deploying it effectively inside telecom kernel infrastructure likely limits its use to well-resourced state-sponsored actors.

    Sources:

    • Rapid7 - BPFdoor in Telecom Networks: Sleeper Cells in the Backbone
    • SecurityWeek - Chinese Hackers Caught Deep Within Telecom Backbone Infrastructure
    • Trend Micro - Detecting BPFDoor Backdoor Variants
    • Security Boulevard - APT Group Red Menshen Rapidly Evolving BPFDoor
    • TechCrunch - Salt Typhoon Global Telecom Hacks
    • Suzu Labs BitSight CTI dark web intelligence (3 searches, 476 total results across BPFdoor/Red Menshen activity, telecom backdoor markets, and SCTP/SS7 signaling exploit chatter)

    Dark Web Intelligence Summary

    BPFdoor discussion across dark web forums, Telegram channels, and paste sites is overwhelmingly confined to the cybersecurity research community rather than criminal marketplaces. Despite the source code leaking publicly in 2022, our searches over the past 180 days didn't turn up BPFdoor variants being actively traded or advertised in underground markets. That's not conclusive on its own, but combined with the operational complexity of deploying kernel-level implants inside telecom signaling infrastructure, it suggests this capability is more likely limited to well-resourced state actors than spreading through the commodity malware ecosystem.

     

    Mike Bell

    Founder and CEO of Suzu Labs, a veteran-owned cybersecurity firm specializing in security assessments, data privacy, and AI-powered business intelligence. He is a U.S. Army veteran with an active security clearance and over two decades of experience in cybersecurity.

