APT / THREAT GROUP

Red Menshen

🇨🇳 China-attributed
Campaigns: 1
Aliases: 3
Last seen: Mar 17, 2026

Intelligence Profile

Since 2021, Red Menshen, a China-based threat actor, has been observed targeting telecommunications providers across the Middle East and Asia, as well as entities in the government, education, and logistics sectors, using a custom backdoor referred to as BPFDoor. This threat actor uses a variety of tools in its post-exploitation phase. These include custom variants of the shared tool Mangzamel (including Golang variants), custom variants of Gh0st, and open source tools like Mimikatz and Metasploit to aid in its lateral movement across Windows systems. The group has also been seen sending commands to BPFDoor victims via Virtual Private Servers (VPSs) hosted at a well-known provider; these VPSs, in turn, are administered via compromised routers based in Taiwan, which the threat actor uses as VPN tunnels. Most observed Red Menshen activity took place between Monday and Friday (with none observed on the weekends), with most communication taking place between 01:00 and 10:00 UTC. This pattern suggests a consistent 8 to 9-hour activity window for the threat actor, with a realistic probability of it aligning to local working hours.

Threat Analysis

Red Menshen is a known-sophistication threat actor attributed to China, engaged in cyber operations; its primary motivation is unknown.

Known Campaigns

Red Menshen — Active Operations March 2026

Red Menshen is an unknown-motivation threat actor attributed to China. Since 2021, Red Menshen, a China-based threat actor, has been observed targeting telecommunications providers across the Middle East and Asia, as well as entities in the government, education, and logistics sectors, using a custom backdoor referred to as BPFDoor. This threat ac...

ACTIVE | MEDIUM | 2026

Quick Facts

Type: APT / Threat Group
Origin: 🇨🇳 China
Aliases: 3
Source: Malpedia

Also Known As

Earth Bluecrow, Red Dev 18, Red Menshen

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.