Red Menshen
Red Menshen is a China-linked, state-sponsored advanced persistent threat cluster associated with long-term espionage, primarily against telecommunications providers. It is also tracked as Earth Bluecrow, DecisiveArchitect, and Red Dev 18. Reporting states the group has targeted telecom networks mainly in the Middle East and Asia since at least 2021, with additional victims and activity noted in the government, defense, critical infrastructure, finance, retail, education, and logistics sectors. Affected locations mentioned include South Korea, Hong Kong, Myanmar, Malaysia, Egypt, and Türkiye, along with the broader Middle East, Africa, Asia-Pacific, Europe, and Asia.

The central tool attributed to Red Menshen is BPFDoor, a stealth Linux backdoor; some reporting also notes Solaris targeting. BPFDoor abuses Berkeley Packet Filter (BPF) functionality to inspect traffic inside the kernel, stays dormant until it receives specially crafted trigger packets, and thereby avoids exposing a listening port or any conventional command-and-control traffic. Newer BPFDoor variants are described as hiding activation triggers inside legitimate HTTPS traffic, using fixed-byte-offset markers such as "9999", employing 26-byte or 40-byte padding mechanisms, supporting ICMP-based relay and control messaging that includes a 0xFFFFFFFF terminal marker, and in some cases inspecting SCTP traffic relevant to telecom signaling. The malware has also been described as disguising itself as legitimate HPE ProLiant, Docker, containerd, Kubernetes, or related telecom/5G processes to evade detection.

Reporting states Red Menshen commonly gains initial access by exploiting exposed edge infrastructure and internet-facing services, including VPNs, firewalls, routers, virtualization hosts, and web-facing platforms associated with Ivanti, Cisco, Juniper Networks, Fortinet, VMware ESXi, Palo Alto Networks, and Apache Struts, as well as through compromised accounts.

Post-compromise tooling mentioned in reporting includes CrossC2, Sliver, TinyShell, keyloggers, brute-force utilities, custom sniffers, credential interception tools, SSH brute-forcers, and custom ELF keyloggers. The group uses these capabilities for stealthy persistence, credential harvesting, lateral movement, and long-term pre-positioning inside telecom environments. Reporting attributes to Red Menshen a strategic focus on covert, low-noise access embedded deep in telecom infrastructure, which could enable surveillance of government communications, subscriber behavior, location, authentication exchanges, and other sensitive telecom data. PwC reporting also states that analysis of Red Menshen-related infrastructure led to the discovery of the suspected compromise of several hundred routers in Taiwan used as proxies.
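Two of the BPFDoor traits described above are observable from the host side without any network capture: a process that borrows a legitimate daemon name while its real executable lives somewhere odd, and a process that holds a packet socket yet listens on no TCP port. The following is an added hunting check written for this page, not code from Red Menshen reporting or from any vendor; the `MASQUERADE_NAMES` list and the `Proc` records are constructed assumptions standing in for what a collector would read from /proc.

```python
# Added example: host-side hunt for BPFDoor-like masquerading and socket usage.
from dataclasses import dataclass, field

# Daemon names the reporting says BPFDoor imitates (assumed list; extend for your estate).
MASQUERADE_NAMES = {"hpe", "proliant", "dockerd", "containerd", "kubelet", "kube-proxy"}
# Directories a genuine system daemon should never execute from.
UNUSUAL_DIRS = ("/dev/shm", "/tmp", "/var/tmp")

@dataclass
class Proc:
    pid: int
    comm: str            # contents of /proc/<pid>/comm
    exe: str             # readlink of /proc/<pid>/exe (may end in " (deleted)")
    cmdline: str         # /proc/<pid>/cmdline with NULs replaced by spaces
    packet_socket: bool  # pid owns an AF_PACKET socket (via /proc/net/packet inodes)
    listen_ports: set = field(default_factory=set)  # LISTEN ports from /proc/net/tcp

def findings(p: Proc) -> list:
    """Return reasons this process looks BPFDoor-like; an empty list means clean."""
    reasons = []
    claimed = p.cmdline.split()[0].rsplit("/", 1)[-1].lower() if p.cmdline else ""
    exe_name = p.exe.replace(" (deleted)", "").rsplit("/", 1)[-1].lower()
    if any(k in claimed for k in MASQUERADE_NAMES):
        if p.exe.endswith("(deleted)"):
            reasons.append("claims %s but its binary was deleted from disk" % claimed)
        if p.exe.startswith(UNUSUAL_DIRS):
            reasons.append("claims %s but runs from %s" % (claimed, p.exe))
        if claimed != exe_name and p.comm.lower() != exe_name:
            reasons.append("cmdline name %r does not match exe %r" % (claimed, exe_name))
    if p.packet_socket and not p.listen_ports:
        reasons.append("holds a packet socket but has no listening TCP port")
    return reasons

def hunt(procs) -> dict:
    """Map pid -> reasons for every process with at least one finding."""
    return {p.pid: findings(p) for p in procs if findings(p)}

# Constructed sample: a genuine containerd, a masquerading implant, and sshd.
SAMPLE = [
    Proc(812, "containerd", "/usr/bin/containerd", "/usr/bin/containerd", False, set()),
    Proc(2291, "containerd", "/dev/shm/x (deleted)", "/usr/bin/containerd", True, set()),
    Proc(4410, "sshd", "/usr/sbin/sshd", "/usr/sbin/sshd -D", False, {22}),
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE).items():
        print(pid, "->", "; ".join(reasons))
```

A packet socket on its own is normal for tools such as dhclient or tcpdump, so treat output as a lead to triage against the process's exe path and cmdline, not as a verdict.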
Targeting
Who they target
Sectors the actor has been observed targeting.
- Telecommunication Services
- Government & Administration
- Academia & Research
Recent activity
Conducting a long-term cyber espionage campaign against telecommunications infrastructure, using stealthy BPFDoor implants and related tooling to maintain persistent covert access and monitor government communications.
Chinese espionage threat actor operating the BPFdoor backdoor against global telecommunications providers, and also observed targeting government, critical infrastructure, and defense networks with highly stealthy persistence and covert communications.
Conducting long-term stealthy espionage operations in global telecom networks by installing covert Linux backdoors deep in core infrastructure, with campaigns aimed at high-level espionage against government networks.
Conducting long-term espionage by embedding stealthy access mechanisms in telecom networks to gain persistent access to government networks. The group has targeted telecom providers across the Middle East and Asia since at least 2021 and uses deep, low-noise persistence within critical infrastructure.