Red Menshen

Red Menshen is a China-linked advanced persistent threat group associated with long-term espionage activity, particularly against telecommunications providers. It is also tracked as Earth Bluecrow, DecisiveArchitect, and Red Dev 18. Reporting in the provided content describes the group as state-sponsored or China-nexus and attributes to it sustained operations since at least 2021. The group is strongly associated with BPFDoor, a stealthy Linux backdoor used for covert persistence, lateral movement, and long-term access. BPFDoor abuses Berkeley Packet Filter functionality to inspect traffic in the kernel and activates only on specially crafted trigger packets rather than exposed listening ports, which makes it difficult to detect. Reported capabilities include spawning bind or reverse shells, using attacker-controlled controllers to trigger implants across internal hosts, and supporting ICMP-based control signaling. Newer variants described in the content hide triggers inside legitimate HTTPS traffic, use fixed-byte-offset markers such as "9999," and in some cases support SCTP inspection relevant to telecom environments. The group has also used additional tooling including CrossC2, TinyShell, Sliver, keyloggers, brute-force tools, credential interception utilities, and custom sniffers. Victim sectors directly mentioned in the content include telecommunications, government, defense, critical infrastructure, finance, retail, and education. Geographic targeting and victim locations mentioned include the Middle East, Asia, Africa, Europe, South Korea, Hong Kong, Myanmar, Malaysia, Egypt, and Taiwan. Multiple reports emphasize telecom-focused strategic positioning, including covert sleeper-cell implants embedded in telecom infrastructure and potential access to sensitive communications and telecom-native traffic. Initial access activity described in the content includes exploitation of exposed edge services and use of valid accounts on VPNs, firewalls, virtualization hosts, and other internet-facing infrastructure. Named technologies and vendors mentioned as targeted for initial access include Ivanti Connect Secure, Cisco, Juniper Networks, Fortinet, VMware ESXi, Palo Alto Networks, and Apache Struts. The group is also described as disguising BPFDoor as legitimate HPE ProLiant or Kubernetes-related processes to blend into telecom and 5G environments. The content also notes prior reporting linking Red Menshen activity to BPFDoor targeting in telecommunications, finance, and retail organizations in South Korea, Hong Kong, Myanmar, Malaysia, and Egypt, and references suspected compromise of several hundred routers in Taiwan used as proxies.