Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
BPFDoor was already one of the stealthiest backdoors in active use. China’s Red Menshen just made it harder to catch.
Rapid7 Labs spent months investigating this. The new variant adds encrypted HTTPS triggers, proxy-aware command delivery, and application-layer camouflage. The old version was already nearly invisible. This one was specifically engineered to close the remaining gaps that might have allowed passive detection.
The fundamentals of how BPFDoor works explain why this matters so much. It is not a kernel rootkit: the implant is a user-space process, but its trigger check runs in the kernel, because it attaches a classic BPF filter to a raw packet socket. It doesn't open a listening port. It doesn't beacon home. The filter watches inbound traffic for a specific magic sequence inside an otherwise ordinary packet, and when one arrives the implant hands the sender a shell (a reverse shell to an address the trigger supplies, or a bind shell reached through an iptables redirect). Port scan a compromised system: nothing. Check outbound traffic logs: nothing, until an operator actually triggers it; that reverse-shell connection is the one moment the implant is visible on the wire. Otherwise it just sits there, invisible, until someone uses it.
Inside telecom backbone networks. That’s where these implants are living.
Telecom backbones carry lawful intercept infrastructure, SS7, and Diameter signaling. Getting inside a carrier core doesn’t mean one company’s data got stolen. It potentially means visibility into communications across every network that carrier interconnects with. Rapid7 called them “digital sleeper cells.” That’s technically accurate, not alarmist.
The defensive picture: passive, network-side defenses won't work, because an idle implant puts nothing on the wire for a sensor or a traffic signature to match. Host-side signatures (file hashes, YARA on known droppers) catch only the samples already seen, and the new variant exists precisely to outrun them. The only reliable path is active behavioral threat hunting on the hosts themselves: which processes hold raw packet sockets with BPF filters attached, which of those claim a system daemon's name while their executable has been deleted from /dev/shm, which hosts carry iptables rules nobody provisioned. The honest question is whether telecom security teams are actually doing that. Not whether they have SIEM coverage. Whether someone is actively hunting for BPFDoor-style behavior on backbone systems.
The behavior is specific enough to hunt. Rapid7 published IoCs. Elastic Security Labs published detection logic. The 0xFFFFFFFF ICMP signaling pattern is findable if you're looking. So is the socket itself: on Linux, ss -0pb lists every packet socket along with the process that owns it and the BPF program attached to it, and a process whose /proc/PID/exe resolves to a deleted file while its command line reads like a stock daemon is the classic BPFDoor tell. Hard, but not impossible.
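What the host-side hunt described above looks like in code, as an added example that is not from this post, from Rapid7 or from Elastic: a Python script that parses ss -0pb output for packet sockets and their attached BPF programs, flags filters that compare against magic constants publicly reported for earlier BPFDoor samples, and runs the /proc checks (deleted executable, tmpfs location, argv[0] masquerade, stripped environment) on each socket holder. The ss output and /proc snapshots are constructed samples, not captures from a real host; the magic set and the daemon allow-list are assumptions to be tuned per fleet.

```python
"""Hunt for BPFDoor-style passive listeners from `ss -0pb` output and /proc data."""
import re
from dataclasses import dataclass, field

# Magic constants publicly reported for earlier BPFDoor samples. Assumption:
# newer variants may use other values, so treat this set as tunable input.
KNOWN_MAGIC = {0x7255, 0x5293, 0x39393939}

# Daemons that legitimately hold packet sockets with BPF filters on many hosts.
# Assumption: illustrative allow-list; tune it per fleet. A listed name is not
# a pass, because BPFDoor masquerades as exactly these kinds of daemons.
EXPECTED_PACKET_SOCKET_USERS = {"dhclient", "dhcpcd", "tcpdump", "lldpd", "NetworkManager"}

BPF_JEQ_K = 0x15  # classic BPF opcode BPF_JMP|BPF_JEQ|BPF_K: compare accumulator with k

SOCKET_RE = re.compile(r'^(p_raw|p_dgr)\s.*users:\(\((.*)\)\)')
USER_RE = re.compile(r'"([^"]+)",pid=(\d+),fd=\d+')
FILTER_RE = re.compile(r'bpf filter \(\d+\):\s*(.*)')


@dataclass
class PacketSocket:
    netid: str
    users: list                                # [(process name, pid), ...]
    insns: list = field(default_factory=list)  # [(code, jt, jf, k), ...]


def _num(tok):
    return int(tok, 16) if tok.lower().startswith("0x") else int(tok)


def parse_ss_packet_sockets(text):
    """One PacketSocket per p_raw/p_dgr line of `ss -0pb`, with the program
    from the indented 'bpf filter (N): code jt jf k, ...' line that follows."""
    sockets = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            users = [(name, int(pid)) for name, pid in USER_RE.findall(m.group(2))]
            sockets.append(PacketSocket(m.group(1), users))
            continue
        m = FILTER_RE.search(line)
        if m and sockets:
            for insn in m.group(1).split(","):
                parts = insn.split()
                if len(parts) == 4:
                    sockets[-1].insns.append(tuple(_num(p) for p in parts))
    return sockets


def magic_constants(insns):
    """Constants the filter tests with JEQ that match the known magic set.
    A passive implant's trigger check surfaces here as an odd literal."""
    return {k for code, _, _, k in insns if code == BPF_JEQ_K and k in KNOWN_MAGIC}


def check_process(proc):
    """Checks on a /proc/<pid> snapshot: dict with exe (readlink target),
    cmdline (argv joined with spaces here instead of NULs) and environ."""
    findings = []
    exe = proc.get("exe", "")
    exe_path = exe.replace(" (deleted)", "")
    if exe.endswith("(deleted)"):
        findings.append("executable unlinked from disk")
    if exe_path.startswith(("/dev/shm/", "/tmp/", "/var/tmp/")):
        findings.append("executable lives in a tmpfs or world-writable directory")
    argv = proc.get("cmdline", "").split()
    argv0 = argv[0] if argv else ""
    if argv0 and argv0.rsplit("/", 1)[-1] != exe_path.rsplit("/", 1)[-1]:
        findings.append(f"argv[0] {argv0!r} does not match exe {exe_path!r}")
    if not proc.get("environ"):
        findings.append("empty environment (process stripped its env)")
    return findings


def hunt(ss_text, procs):
    """Return {pid: [findings]} for every packet-socket holder that warrants review."""
    report = {}
    for sock in parse_ss_packet_sockets(ss_text):
        for name, pid in sock.users:
            findings = []
            if name not in EXPECTED_PACKET_SOCKET_USERS:
                findings.append(f"unexpected {sock.netid} socket holder {name!r}")
            magic = magic_constants(sock.insns)
            if magic:
                findings.append("filter compares against known magic: "
                                + ", ".join(hex(m) for m in sorted(magic)))
            if pid in procs:  # runs for allow-listed names too: the name is untrusted
                findings.extend(check_process(procs[pid]))
            if findings:
                report.setdefault(pid, []).extend(findings)
    return report


# Constructed sample in the shape of `ss -0pb` output (not a real capture).
SS_SAMPLE = """\
Netid Recv-Q Send-Q Local Address:Port Peer Address:Port Process
p_raw 0      0      *:eth0            *                 users:(("dhclient",pid=812,fd=5))
\tbpf filter (4): 0x28 0 0 12, 0x15 0 1 2048, 0x6 0 0 262144, 0x6 0 0 0
p_raw 0      0      *:eth0            *                 users:(("auditd",pid=2345,fd=3))
\tbpf filter (6): 0x28 0 0 12, 0x15 0 3 2048, 0x28 0 0 36, 0x15 0 1 29269, 0x6 0 0 65535, 0x6 0 0 0
"""

# Constructed /proc snapshots; 29269 above is 0x7255.
PROC_SAMPLE = {
    812: {"exe": "/usr/sbin/dhclient", "cmdline": "/usr/sbin/dhclient -v eth0",
          "environ": "PATH=/usr/sbin:/usr/bin"},
    2345: {"exe": "/dev/shm/kdmtmpflush (deleted)", "cmdline": "/sbin/auditd -n",
           "environ": ""},
}

if __name__ == "__main__":
    for pid, findings in hunt(SS_SAMPLE, PROC_SAMPLE).items():
        print(f"pid {pid}:")
        for f in findings:
            print("  -", f)
```

On a live host, run ss -0pb as root and build the snapshot from os.readlink on /proc/PID/exe plus the cmdline and environ files. A hit is a lead for triage, not a verdict: dhclient, tcpdump and similar tools legitimately hold filtered packet sockets, which is why the script only flags them when the /proc checks or the filter constants also look wrong.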
Red Menshen upgraded BPFDoor because they’re investing in long-term access to infrastructure that matters. That kind of investment tells you what they’re planning to do with it eventually.
How China’s upgraded BPFDoor hides inside telecom networks and what it takes to actually find it