Saturday, March 28, 2026

China Upgrades Hidden Backdoor to Spy on Global Networks

A sophisticated Chinese hacking group has launched a powerful new version of a secret digital backdoor designed to live inside the world’s most sensitive phone and internet systems.

This high-level malware, known as BPFdoor, is now more dangerous than ever after receiving major upgrades to its stealth capabilities. Security experts warn that the software is specifically built to hide inside the “brains” of telecommunications providers, government offices, and power grids. By staying silent for months or even years, it allows foreign spies to watch global data traffic without ever being noticed by standard security tools.

The Invisible Ghost Inside the Machine

The hackers behind this tool, a group known to researchers as Red Menshen, have found a way to make their malware nearly impossible to find. Most viruses act like a loud intruder breaking a window, but BPFdoor acts more like a hidden microphone tucked inside a wall during construction. It sits inside the Linux kernel, which is the core part of a computer’s operating system that manages everything from memory to hardware.

Once it is inside a system, the malware does absolutely nothing. It does not send files, it does not use much power, and it does not talk to its creators right away. Instead, it just listens. It uses a tool called the Berkeley Packet Filter to look at every single piece of data entering the network, waiting for a specific “magic” message that tells it to wake up.

This passive listening style means that traditional antivirus programs and firewalls cannot see it because the malware never initiates a connection.

Because it lives in the core of the system, it can see everything the computer does. For a massive phone company, this means the hackers could potentially see who is calling whom, read text messages, or track where people are located. Recent reports show the infection has spread far beyond just phone companies, hitting government and defense networks in Europe, the Middle East, and Asia.


Weaponizing the Web to Stay Hidden

In the past, the malware looked for its wake-up call in any type of internet data. However, the latest upgrade has made it even craftier by hiding these secret commands inside regular web traffic. Specifically, the hackers are now using HTTPS, which is the secure, encrypted connection used by almost every website today.

By hiding inside these secure “locks,” the malware forces our own security systems to work against us. Firewalls are programmed to let HTTPS traffic pass through because it is essential for the internet to function. Even if a security guard were to “unpack” and look at the data, it would look like a perfectly normal request to visit a website.

Feature         | Old Version        | New Upgraded Version
----------------|--------------------|----------------------------
Trigger Method  | Any network packet | Encrypted HTTPS requests
Visibility      | Low                | Near Zero
Stealth Trick   | Passive listening  | Mimics HPE and Kubernetes
Command Channel | Standard C2        | Hidden ICMP “Ping” signals

The precision of this new version is startling. The malware is programmed to look at one exact spot in a data packet, the 26th byte, to see if its secret code is there. If the code appears even one byte earlier or later, the malware ignores it and stays asleep. This level of detail ensures that only the hackers can control the software, making it a “ghost” that only answers to its master.

Talking Through the Noise of the Internet

Perhaps the most impressive and scary part of this upgrade is how the infected machines talk to each other. When Red Menshen gets into a large network, they often infect multiple servers. To stay quiet, they don’t have every server talk back to China. Instead, they use “pings”—the tiny digital pulses computers use to see if another machine is online—to send instructions.

The hackers have figured out how to hide complex orders inside these simple pings that every network uses thousands of times a day.

Most security teams never check ping traffic because it is considered harmless and basic. It is the digital equivalent of a heartbeat. By using a specific mathematical value in these pings, the hackers can tell a computer in one room to pass a message to a computer in another room without ever triggering an alarm.

This “hop-by-hop” communication allows the spies to move deep into a network. They can reach the most protected data by bouncing their commands through less-secure computers. It creates a private, invisible network that sits right on top of the company’s real network, completely out of sight from the people who own the equipment.
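The ping-relay behaviour described in this section can be hunted for without knowing the operator's exact trigger value or offset, because ordinary ping clients fill their echo payloads with predictable patterns. The script below is an added example written for this article; it is not code from the original report or from any security vendor. It parses raw IPv4/ICMP frames that are constructed inline (checksums are left at zero because nothing here validates them), flags echo payloads that match neither the default Linux iputils pattern nor the default Windows pattern, and then looks for hop-by-hop relays: a host that receives an odd echo and, within a short window, sends another odd echo on to a third host. Host addresses, timings and payload contents are all constructed sample data.

```python
"""Hunt for ICMP echo traffic that does not look like an ordinary ping.

Added example for this article; not code from the original report or from
any security vendor. Frames below are constructed, with checksums left at
zero because nothing here validates them.
"""
import struct
from collections import defaultdict

# Default Windows ping payload (32 bytes).
WINDOWS_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def parse_ipv4_icmp(frame: bytes):
    """Return (src, dst, icmp_type, payload) for an ICMP echo, else None."""
    if len(frame) < 28 or frame[9] != 1:          # protocol 1 = ICMP
        return None
    ihl = (frame[0] & 0x0F) * 4                    # IPv4 header length in bytes
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    icmp = frame[ihl:]
    if icmp[0] not in (0, 8):                      # echo reply / echo request only
        return None
    return src, dst, icmp[0], icmp[8:]             # skip type, code, csum, id, seq


def looks_like_standard_ping(payload: bytes) -> bool:
    """True for the two payload patterns ordinary ping clients emit.

    iputils (Linux) stores a 16-byte timestamp on 64-bit hosts and then fills
    data byte i with the value i, so bytes 16.. read 0x10, 0x11, 0x12, ...
    """
    if payload == WINDOWS_PAYLOAD:
        return True
    if len(payload) < 16:
        return False
    return all(payload[i] == (i & 0xFF) for i in range(16, len(payload)))


def find_relays(events, window=5.0):
    """events: (time, src, dst) tuples for anomalous echoes.

    Returns (a, b, c) chains where b received an odd echo from a and, within
    `window` seconds, sent an odd echo to a third host c.
    """
    inbound = defaultdict(list)                    # host -> [(time, sender)]
    chains = []
    for t, src, dst in sorted(events):
        for t_in, sender in inbound[src]:
            if 0 <= t - t_in <= window and sender != dst:
                chains.append((sender, src, dst))
        inbound[dst].append((t, src))
    return chains


def hunt(capture, window=5.0):
    """capture: (time, frame) pairs. Returns (anomalous_echoes, relay_chains)."""
    anomalies = []
    for t, frame in capture:
        parsed = parse_ipv4_icmp(frame)
        if parsed is None:
            continue
        src, dst, _, payload = parsed
        if not looks_like_standard_ping(payload):
            anomalies.append((t, src, dst))
    return anomalies, find_relays(anomalies, window)


# ---- constructed sample capture (not real traffic) -----------------------
def build_echo(src: str, dst: str, payload: bytes, icmp_type: int = 8) -> bytes:
    """Build a minimal IPv4 + ICMP echo frame; checksums are left as zero."""
    ip = bytearray(20)
    ip[0] = 0x45                                   # version 4, IHL 5 words
    struct.pack_into("!H", ip, 2, 28 + len(payload))
    ip[8], ip[9] = 64, 1                           # TTL, protocol ICMP
    ip[12:16] = bytes(int(x) for x in src.split("."))
    ip[16:20] = bytes(int(x) for x in dst.split("."))
    return bytes(ip) + struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload


LINUX_PAYLOAD = bytes(16) + bytes(range(0x10, 0x38))   # 56 bytes, timestamp zeroed
ODD_PAYLOAD = bytes(20) + b"relay-me-onward!"           # constructed, non-standard

SAMPLE_CAPTURE = [
    (0.0, build_echo("10.0.0.5", "10.0.0.9", LINUX_PAYLOAD)),
    (0.5, build_echo("10.0.0.5", "10.0.0.9", WINDOWS_PAYLOAD)),
    (1.0, build_echo("10.0.0.5", "10.0.0.9", ODD_PAYLOAD)),
    (2.0, build_echo("10.0.0.9", "10.0.0.20", ODD_PAYLOAD)),
]

if __name__ == "__main__":
    odd, relays = hunt(SAMPLE_CAPTURE)
    for t, s, d in odd:
        print(f"t={t:.1f} non-standard echo {s} -> {d}")
    for a, b, c in relays:
        print(f"possible relay: {a} -> {b} -> {c}")
```

On a real network the same logic would be fed from a packet capture or from ICMP flow records; the relay check is the part worth keeping, since a single odd ping is easy to dismiss, but a host that forwards odd pings it just received is a pattern that ordinary network activity does not produce.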

A Deep Knowledge of Technical Targets

What makes Red Menshen so effective is not just their software, but their homework. They don’t just blast out viruses to everyone; they study their targets for months. They know exactly what kind of servers large phone companies buy, such as HPE ProLiant systems. They also know that modern 5G phone networks are built using a technology called Kubernetes.

To blend in, the malware now renames itself to look like a legitimate part of those specific systems. If a technician looks at a list of running programs, they will see names that look official and boring. This prevents even human experts from suspecting that something is wrong.

Security experts at firms like Rapid7 are now urging companies to stop relying on automatic alarms. Because this malware is designed to defeat those alarms, the only way to find it is to go “hunting” for it manually. This involves looking for tiny, unusual patterns in how a server behaves or checking for those specific hidden codes in the ping traffic.
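One concrete form of the manual hunting described above starts from the one thing a passive listener cannot hide: a BPF filter runs in the kernel, but it is attached to a raw packet socket that some user process must own, and Linux lists those sockets in /proc/net/packet by inode. The script below is an added example written for this article, not code from the original report or from any vendor tool. Its inputs are constructed stand-ins for /proc/net/packet and for what one would read from /proc/<pid>/comm, /proc/<pid>/exe and /proc/<pid>/fd on a live host; the process names, paths and inode numbers are sample data. A process is flagged when it owns a packet socket and its binary sits outside trusted system directories, was deleted after start, or carries a visible name that does not match the binary it was started from, which is exactly the renaming trick the article describes.

```python
"""Hunt for processes that own raw packet sockets under a borrowed name.

Added example for this article; not code from the original report or from
any vendor tool. The host state below is constructed sample data.
"""
from dataclasses import dataclass, field

TRUSTED_DIRS = ("/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/", "/usr/lib/", "/usr/libexec/")


@dataclass
class Proc:
    pid: int
    comm: str                      # name shown by ps/top (/proc/<pid>/comm)
    exe: str                       # readlink of /proc/<pid>/exe
    socket_inodes: set = field(default_factory=set)  # socket:[N] links in /proc/<pid>/fd


def parse_proc_net_packet(text: str) -> set:
    """Return the inode numbers of all AF_PACKET sockets listed in the table."""
    inodes = set()
    for line in text.strip().splitlines()[1:]:     # first line is the column header
        cols = line.split()                         # sk RefCnt Type Proto Iface R Rmem User Inode
        if len(cols) >= 9:
            inodes.add(int(cols[8]))
    return inodes


def suspicious(proc: Proc, packet_inodes: set) -> list:
    """Return the reasons a packet-socket owner looks wrong (empty list = fine)."""
    if not (proc.socket_inodes & packet_inodes):
        return []                                   # no raw socket: not our pivot
    reasons = []
    exe = proc.exe
    if exe.endswith(" (deleted)"):                  # kernel marks unlinked binaries this way
        reasons.append("binary was deleted after the process started")
        exe = exe[: -len(" (deleted)")]
    if not exe.startswith(TRUSTED_DIRS):
        reasons.append(f"binary lives outside trusted directories: {exe}")
    basename = exe.rsplit("/", 1)[-1]
    if proc.comm != basename[:15]:                  # comm is truncated to 15 characters
        reasons.append(f"visible name '{proc.comm}' does not match binary '{basename}'")
    return reasons


def hunt(proc_net_packet: str, procs: list) -> dict:
    """Map pid -> reasons for every flagged owner of a packet socket."""
    packet_inodes = parse_proc_net_packet(proc_net_packet)
    findings = {}
    for p in procs:
        reasons = suspicious(p, packet_inodes)
        if reasons:
            findings[p.pid] = reasons
    return findings


# ---- constructed sample host state (not real data) ------------------------
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   2     1 0      0      20101
0000000000000000 3      3    0003   0     1 0      0      20222
0000000000000000 3      3    0003   0     1 0      0      20333
"""

SAMPLE_PROCS = [
    Proc(812, "dhclient", "/usr/sbin/dhclient", {20101}),           # legitimate raw-socket user
    Proc(4471, "kube-proxy", "/dev/shm/.x/kube-proxy", {20222}),    # borrowed name, untrusted path
    Proc(6003, "kubelet", "/var/tmp/.k/watch (deleted)", {20333}),  # name mismatch, deleted binary
    Proc(7120, "ssh-agent", "/var/tmp/.s/agent", set()),            # odd, but owns no packet socket
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_PROC_NET_PACKET, SAMPLE_PROCS).items():
        print(f"pid {pid}:")
        for r in reasons:
            print(f"  - {r}")
```

The name check is a triage heuristic rather than a verdict: interpreters and multi-threaded daemons can legitimately show a comm that differs from the binary's basename, so each hit deserves a look at the command line and the binary's hash before anyone declares an incident. What makes the pivot useful is that the set of legitimate raw-socket owners on a telecom or Kubernetes node is small and stable, so anything new in that list is worth the analyst's time.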

Despite being active for years, many major companies are still unaware that this threat exists. The gap between how fast the hackers are moving and how slow companies are to protect themselves is growing. As 5G networks continue to roll out globally, the stakes for protecting our digital privacy have never been higher.

The battle for our data is no longer about big, flashy attacks that crash websites. It is a quiet war happening in the background of our daily lives, hidden in the very signals that connect our phones and computers to the world. For now, the “backdoor” remains open, and the world is just starting to realize who might be walking through it.

What do you think about foreign entities having this kind of deep access to our phone networks? Does it change how you feel about digital privacy? Share this story on social media to let others know about the #BPFdoor threat and the #RedMenshen hacking group that is currently trending in tech circles.

Joshua Garcia