A months-long investigation by Rapid7 Labs has confirmed what we in the IR community have feared: nation-state actors have successfully embedded sleeper cells within the core of global telecommunications infrastructure. The threat actor, tracked as Red Menshen (China-nexus), is utilizing a highly sophisticated Linux backdoor named BPFdoor. This isn't standard commodity malware; it is a purpose-built tool designed to persist in the "nervous system" of the internet—telecom ISP networks—with near-total stealth.
The stakes are critical. BPFdoor provides covert access capable of intercepting government communications, redirecting traffic, and facilitating large-scale espionage. Because the malware hooks into the kernel’s Berkeley Packet Filter (BPF), it can sniff network traffic and await "magic packets" without opening a standard listening port, rendering traditional port-scanning defenses useless. Defenders in the telecom sector and those managing critical Linux edge infrastructure must assume breach and actively hunt for this specific TTP.
Technical Analysis
Affected Products & Platforms:
- Platform: Linux-based systems, specifically hardened networking appliances (routers, gateways, switches) and Linux servers within telecom service provider environments.
- Specific Targets: While hardware vendors aren't explicitly named in the advisory as "vulnerable" in the CVE sense, the threat targets interfaces common in Huawei, Cisco, Juniper, and other Linux-based networking gear.
Malware Mechanics (BPFdoor):
- Attack Vector: Initial access is typically gained via exploiting vulnerabilities in public-facing services or utilizing weak/default credentials on edge devices.
- Persistence: BPFdoor establishes persistence by modifying `crontab` or `rc.local`, or by replacing system binaries (like `sshd` or `crond`). Some variants deploy as a shared object (`/lib/libpam2g.so`) or as a hidden binary in `/dev/shm` or `/var/tmp`.
- Stealth & C2: The backdoor uses raw socket capabilities and BPF filters to attach to the network interface. It does not bind to a specific port. Instead, it passively inspects all packets for a specific "magic packet" sequence (often arriving on common ports like UDP 53, 123, or TCP 80/443). Upon detection, it activates a reverse shell or bind shell, beaconing out to the attacker.
- Process Masquerading: To evade casual inspection, the malware often renames its running process to mimic kernel threads, such as `[ksoftirqd/0]`, `[kworker/u2:0]`, or `[nfsd]`.
Exploitation Status:
- Confirmed Active Exploitation: Yes. Rapid7 has observed active command-and-control (C2) traffic and implants in live environments.
- CVE: This is not a vulnerability exploitation in the traditional sense (e.g., CVE-2024-XXXX), but a malware campaign. However, it relies on the lack of strict eBPF monitoring and poor credential hygiene.
Detection & Response
Detecting BPFdoor requires moving beyond standard port listeners. Because the malware uses raw sockets, `netstat` or `ss` may not show a listening port in the traditional sense, and process masquerading makes it look like legitimate kernel activity. The following rules focus on the behavioral outliers: process masquerading, execution from hidden memory or file systems, and raw socket usage.
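As an added illustration (example code written for this article, not Rapid7's tooling and not part of BPFdoor), the script below implements the two behavioral checks that the malware mechanics above and the hunting rules below rely on: it maps raw-socket inodes from `/proc/net/packet` and `/proc/net/raw` back to their owning processes, and it flags bracket-named processes whose `/proc/<pid>/exe` resolves to a file on disk. The `/proc` samples, PIDs and paths embedded in it are constructed for the example; `collect_live()` applies the same logic to a real host.

```python
"""Behavioral hunt for BPFdoor-style implants (added example, not project code).
(1) which processes own AF_PACKET or AF_INET raw sockets,
(2) which processes carry a kernel-thread style "[name]" yet have an on-disk exe.
Embedded /proc samples are constructed; collect_live() reads a real /proc tree."""
import os
import re
from dataclasses import dataclass, field
from typing import Optional

BRACKET_NAME = re.compile(r"^\[.*\]$")          # e.g. [ksoftirqd/0], [kworker/u2:0]
SOCKET_LINK = re.compile(r"socket:\[(\d+)\]")   # target of a socket fd symlink


@dataclass
class Proc:
    pid: int
    comm: str                 # /proc/<pid>/comm (15 chars max)
    exe: Optional[str]        # readlink(/proc/<pid>/exe); None for kernel threads
    socket_inodes: set = field(default_factory=set)


def parse_packet_inodes(text: str) -> set:
    """Inodes from /proc/net/packet (AF_PACKET; Type 3 = SOCK_RAW). Inode is the last column."""
    inodes = set()
    for line in text.splitlines()[1:]:          # skip header row
        cols = line.split()
        if cols:
            inodes.add(int(cols[-1]))
    return inodes


def parse_raw_inodes(text: str) -> set:
    """Inodes from /proc/net/raw or raw6 (AF_INET SOCK_RAW); tcp/udp layout, inode is field 10."""
    inodes = set()
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) > 9:
            inodes.add(int(cols[9]))
    return inodes


def raw_socket_owners(procs, inodes):
    """(pid, comm) of every process holding a descriptor to one of the inodes."""
    return sorted((p.pid, p.comm) for p in procs if p.socket_inodes & inodes)


def masquerading_procs(procs):
    """(pid, comm, exe) of bracket-named processes that still have an executable on disk.
    Genuine kernel threads have no exe target at all."""
    return sorted((p.pid, p.comm, p.exe) for p in procs if BRACKET_NAME.match(p.comm) and p.exe)


def hunt(procs, packet_text, raw_text):
    inodes = parse_packet_inodes(packet_text) | parse_raw_inodes(raw_text)
    return {"raw_socket": raw_socket_owners(procs, inodes), "masquerading": masquerading_procs(procs)}


def collect_live(proc_root="/proc"):
    """Build Proc records from a real /proc tree (root needed to read other users' fds)."""
    procs = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
        except OSError:
            continue                              # process exited meanwhile
        try:
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            exe = None                            # kernel thread (or no permission)
        inodes = set()
        try:
            for fd in os.listdir(os.path.join(base, "fd")):
                m = SOCKET_LINK.match(os.readlink(os.path.join(base, "fd", fd)))
                if m:
                    inodes.add(int(m.group(1)))
        except OSError:
            pass
        procs.append(Proc(int(entry), comm, exe, inodes))
    return procs


# --- constructed sample data (not captured from a real host) ---
SAMPLE_PACKET = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1c0b2e3000 3      3    0003   2     1 0      0      48211
"""
SAMPLE_RAW = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   1: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 31077 2 ffff9a1c0d4f1800 0
"""
SAMPLE_PROCS = [
    Proc(10, "ksoftirqd/0", None),                          # genuine kernel thread: no exe, no sockets
    Proc(812, "sshd", "/usr/sbin/sshd", {20991}),           # ordinary TCP listener
    Proc(1337, "[ksoftirqd/0]", "/var/tmp/hdsh", {48211}),  # BPFdoor-like: bracket name + packet socket
    Proc(2044, "ping", "/usr/bin/ping", {31077}),           # benign raw-socket user: hits still need triage
]

if __name__ == "__main__":
    for check, hits in hunt(SAMPLE_PROCS, SAMPLE_PACKET, SAMPLE_RAW).items():
        print(f"{check}: {hits}")
```

The `ping` entry in the sample is deliberate: a raw-socket hit on its own is a lead, not a verdict, and the bracket-name-with-exe check is what separates the implant from legitimate CAP_NET_RAW users.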
### SIGMA Rules
```yaml
title: Potential Linux Kernel Process Masquerading
id: 8a5f2c13-9b3e-4c1a-8f0d-2e4b5c6d7e8f
status: experimental
description: Detects processes masquerading as kernel threads (e.g., [ksoftirqd]) which are actually userspace binaries, a TTP associated with BPFdoor.
references:
  - https://www.rapid7.com/blog/post/tr-bpfdoor-telecom-networks-sleeper-cells-threat-research-report
author: Security Arsenal
date: 2024/05/23
tags:
  - attack.defense_evasion
  - attack.t1036.004
logsource:
  category: process_creation
  product: linux
detection:
  selection_name:
    ProcessName|re: '^\[.*\]$'
  selection_exe:
    # Genuine kernel threads are spawned by kthreadd and have no executable path on disk,
    # so a bracket-named process whose exe DOES resolve to a file path is the outlier.
    Exe|startswith: '/'
  condition: all of selection_*
falsepositives:
  - Legitimate administrative tools utilizing similar naming conventions (rare)
  - Monitoring agents
level: high
```
```yaml
title: Linux Execution from Hidden Directories
id: 9b6g3d24-0c4f-5d2b-9g1e-3f5c6d7e8f0a
status: experimental
description: Detects execution of binaries from /dev/shm, /var/tmp, or /tmp, common drop locations for BPFdoor components.
references:
  - https://www.rapid7.com/blog/post/tr-bpfdoor-telecom-networks-sleeper-cells-threat-research-report
author: Security Arsenal
date: 2024/05/23
tags:
  - attack.initial_access
  - attack.t1078
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    Image|startswith:
      - '/dev/shm/'
      - '/tmp/'
      - '/var/tmp/'
  filter_common:
    Image|contains:
      - 'python'
      - 'perl'
      - 'node'
  condition: selection and not filter_common
falsepositives:
  - Legitimate developer scripts or package installations
level: medium
```
### KQL (Microsoft Sentinel / Defender)
```kql
// Hunt for suspicious shell activity from hidden paths or masquerading processes
// DeviceProcessEvents is populated by Microsoft Defender for Endpoint on Linux
// (Sentinel queries it through the Defender connector)
let hidden_dirs = dynamic(['/dev/shm', '/tmp', '/var/tmp']);
DeviceProcessEvents
| where Timestamp > ago(7d)
| where (FileName in~ ('bash', 'sh', 'dash', 'ksh') and ProcessCommandLine has_any (hidden_dirs))  // shell handed a script/path in a drop dir
    or FolderPath has_any (hidden_dirs)                                                          // any image executing out of a drop dir
    or (FileName startswith '[' and FolderPath startswith '/')                                   // kernel-thread name but an on-disk image
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ProcessCommandLine
| order by Timestamp desc
```
### Velociraptor VQL
BPFdoor creates a raw socket to listen for traffic. This is a high-fidelity anomaly on a standard server or router.
```vql
-- Hunt for processes utilizing Raw Sockets (SOCK_RAW)
-- BPFdoor binds to a raw socket to sniff packets without opening a port.
SELECT Pid, ProcessName, Family, Type, State, RemoteAddress
FROM netstat()
WHERE Type =~ 'raw'

-- Hunt for processes masquerading as kernel threads with bracket names
-- (genuine kernel threads have an empty Exe; a bracket name with a real path is the outlier)
SELECT Pid, Name, Exe, Cwd, Username
FROM pslist()
WHERE Name =~ '^\\[.*\\]$' AND Exe != '' AND Exe !~ '^/proc/'
```
### Remediation Script (Bash)
Run this script on suspected Linux endpoints to identify and remove the immediate BPFdoor threat.
```bash
#!/bin/bash
# BPFdoor Triage and Eradication Script
# Usage: sudo ./check_bpfdoor.sh
set -u

echo "[+] Checking for suspicious processes (raw / packet sockets)..."
# ss -w lists AF_INET raw sockets and ss -0 lists AF_PACKET sockets (what BPFdoor sniffs with);
# -p adds the owning process and -H drops the header. The PID is pulled out of users:(("name",pid=N,fd=M)).
RAW_PIDS=$(ss -H -n -p -w -0 2>/dev/null | grep -oE 'pid=[0-9]+' | cut -d= -f2 | sort -u)
if [ -n "$RAW_PIDS" ]; then
    echo "[!] Warning: Found processes using raw sockets. PIDs:" $RAW_PIDS
    for pid in $RAW_PIDS; do
        echo "--- Details for PID $pid ---"
        ps -p "$pid" -o pid,ppid,cmd
        ls -l "/proc/$pid/exe" 2>/dev/null
    done
else
    echo "[+] No raw socket listeners found via 'ss'."
fi

echo "[+] Checking for process masquerading (kernel thread names) with executable paths..."
# Genuine kernel threads have no /proc/<pid>/exe target; a bracket-named process that does is suspect
for proc in /proc/[0-9]*; do
    pid=$(basename "$proc")
    name=$(cat "$proc/comm" 2>/dev/null)
    exe=$(readlink "$proc/exe" 2>/dev/null)
    if [[ "$name" == \[* ]] && [[ -n "$exe" ]]; then
        echo "[!] Suspicious Masquerading Process: PID $pid | Name: $name | Exe: $exe"
        # Optional: kill process - uncomment only after verification
        # kill -9 "$pid"
    fi
done

echo "[+] Checking common BPFdoor drop locations..."
LOCATIONS=("/var/tmp/hdsh" "/lib/libpam2g.so" "/dev/shm/.rsync/c" "/tmp/.rsync/c")
for loc in "${LOCATIONS[@]}"; do
    if [ -f "$loc" ]; then
        echo "[!] FOUND suspicious file: $loc"
        ls -la "$loc"
        # md5sum "$loc"
    fi
done

echo "[+] Checking Cron persistence..."
# root's own crontab plus the system-wide tables
crontab -l 2>/dev/null | grep -v "^#"
cat /etc/crontab /etc/cron.d/* 2>/dev/null | grep -v "^#"
```
Remediation
- Isolate Compromised Assets: Immediately disconnect identified telecom edge devices or servers from the management network to prevent lateral movement.
- Process Termination: Kill the suspicious process identified via the VQL or Bash script (e.g., the PID claiming to be `[ksoftirqd]` but linking to a binary in `/tmp`).
- Remove Persistence:
  - Inspect `/var/spool/cron/` and user-specific crontabs for suspicious entries.
  - Check `/etc/rc.local`, `/etc/init.d/`, and systemd unit files for unknown or recently modified binaries.
- File Deletion: Remove the malware binary (e.g., `/var/tmp/hdsh` or the hidden library).
- Credential Rotation: Assume root credentials have been harvested. Rotate all SSH keys, API keys, and administrative passwords for the affected segment.
- Patch & Harden: Ensure all Linux networking appliances are up to date. Disable unused services and enforce strict SSH key management (disable password authentication).
- Network Monitoring: Implement deep packet inspection (DPI) or NDR capable of detecting raw socket anomalies or abnormal packet headers associated with "magic packet" activation.
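To make the "Remove Persistence" steps repeatable, here is an added example (written for this article, not Rapid7's or any vendor's tooling) that scans crontab text and systemd unit files for entries launching a binary from the drop locations named above (`/dev/shm`, `/tmp`, `/var/tmp`) or from a hidden path such as `/dev/shm/.rsync/c`. The crontab lines and the `kworker.service` unit embedded in it are constructed samples; `scan_live()` runs the same checks against the real files on a host.

```python
"""Persistence triage for cron and systemd (added example, not project code).
Flags entries whose command runs from a BPFdoor-style drop directory or from a
hidden path. The embedded crontab and unit samples are constructed."""
import glob
import re

DROP_DIRS = ("/dev/shm/", "/tmp/", "/var/tmp/")
HIDDEN_COMPONENT = re.compile(r"/\.[^/\s]+")   # a dot-prefixed path component, e.g. /dev/shm/.rsync


def suspicious_path(token: str) -> bool:
    """Absolute path that lives under a drop dir or contains a hidden component."""
    return token.startswith("/") and (token.startswith(DROP_DIRS) or bool(HIDDEN_COMPONENT.search(token)))


def scan_crontab(text: str):
    """(line_no, line) for crontab entries (user or system format, @reboot included)
    whose command references a suspicious path. Comments and VAR=value lines are skipped."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#") or re.match(r"^\w+=", s):
            continue
        if any(suspicious_path(tok) for tok in s.split()):
            hits.append((n, s))
    return hits


def scan_units(units: dict):
    """(unit_name, path) for units whose ExecStart/ExecStartPre/ExecStartPost runs a
    suspicious binary. systemd allows '-', '@', ':', '+', '!' prefixes before the path."""
    hits = []
    for name, text in units.items():
        for m in re.finditer(r"^ExecStart(?:Pre|Post)?=(.*)$", text, re.M):
            argv = m.group(1).strip().split()
            if not argv:
                continue
            path = argv[0].lstrip("-@:+!")
            if suspicious_path(path):
                hits.append((name, path))
    return hits


def scan_live():
    """Run both scans on the real host (root is needed for /var/spool/cron)."""
    cron_files = ["/etc/crontab"] + glob.glob("/etc/cron.d/*") + glob.glob("/var/spool/cron/**/*", recursive=True)
    cron_hits = []
    for path in cron_files:
        try:
            with open(path) as f:
                cron_hits += [(path, n, line) for n, line in scan_crontab(f.read())]
        except OSError:
            continue
    units = {}
    for path in glob.glob("/etc/systemd/system/*.service") + glob.glob("/lib/systemd/system/*.service"):
        try:
            with open(path) as f:
                units[path] = f.read()
        except OSError:
            continue
    return {"cron": cron_hits, "units": scan_units(units)}


# --- constructed samples (not from a real host) ---
SAMPLE_CRONTAB = """# m h dom mon dow command
MAILTO=root
0 3 * * * /usr/bin/certbot renew --quiet
@reboot /dev/shm/.rsync/c
*/5 * * * * /var/tmp/hdsh >/dev/null 2>&1
"""
SAMPLE_UNITS = {
    "sshd.service": "[Service]\nExecStart=/usr/sbin/sshd -D\n",
    "kworker.service": "[Unit]\nDescription=Kernel worker\n[Service]\nExecStart=-/var/tmp/hdsh\nRestart=always\n",
}

if __name__ == "__main__":
    print("cron:", scan_crontab(SAMPLE_CRONTAB))
    print("units:", scan_units(SAMPLE_UNITS))
```

The hidden-component rule will also surface legitimate entries under dot-directories in home folders; that is intended, since the triage question is "what runs from somewhere a packaged service never would", and each hit is then checked against the binary's modification time and package ownership.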