| SYMBOL | COMMON_NAME | aka. SYNONYMS |
Since 2021, Red Menshen, a China based threat actor, which has been observed targeting telecommunications providers across the Middle East and Asia, as well as entities in the government, education, and logistics sectors using a custom backdoor referred as BPFDoor. This threat actor uses a variety of tools in its post-exploitation phase. This includes custom variants of the shared tool Mangzamel (including Golang variants), custom variants of Gh0st, and open source tools like Mimikatz and Metasploit to aid in its lateral movement across Windows systems. Also, They have been seen sending commands to BPFDoor victims via Virtual Privat Servers (VPSs) hosted at a well-known provider, and that these VPSs, in turn, are administered via compromised routers based in Taiwan, which the threat actor uses as VPN tunnels. Most Red Menshen activity that has been observed took place between Monday to Friday (with none observed on the weekends), with most communication taking place between 01:00 and 10:00 UTC.131 This pattern suggests a consistent 8 to 9-hour activity window for the threat actor, with realistic probability of it aligning to local working hours.
| 2025-04-14
⋅
Trend Micro
⋅
BPFDoor’s Hidden Controller Used Against Asia, Middle East Targets BPFDoor |
| 2024-07-10
⋅
Akamai
⋅
CVE-2024-4577 Exploits in the Wild One Day After Disclosure Tsunami Ghost RAT xmrig |
| 2024-05-23
⋅
Palo Alto Networks Unit 42
⋅
Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to Target Governmental Entities in the Middle East, Africa and Asia Agent Racoon CHINACHOPPER Ghost RAT JuicyPotato MimiKatz Ntospy PlugX SweetSpecter TunnelSpecter CL-STA-0043 |
| 2023-12-21
⋅
BPF Memory Forensics with Volatility 3 BPFDoor TripleCross |
| 2023-07-18
⋅
Mandiant
⋅
Stealth Mode: Chinese Cyber Espionage Actors Continue to Evolve Tactics to Avoid Detection BPFDoor SALTWATER SEASPY SideWalk ZuoRAT Daxin HyperBro HyperSSL Waterbear |
| 2023-07-13
⋅
Trend Micro
⋅
Detecting BPFDoor Backdoor Variants Abusing BPF Filters BPFDoor Symbiote |
| 2023-05-18
⋅
Looking Closer at BPF Bytecode in BPFDoor BPFDoor |
| 2023-05-14
⋅
unfinished.bike
⋅
Fun with the new bpfdoor (2023) BPFDoor |
| 2023-05-11
⋅
Bleeping Computer
⋅
Stealthier version of Linux BPFDoor malware spotted in the wild BPFDoor |
| 2023-05-10
⋅
Deep instinct
⋅
BPFDoor Malware Evolves – Stealthy Sniffing Backdoor Ups Its Game BPFDoor |
| 2023-04-24
⋅
Cofense
⋅
Open-Source Gh0st RAT Still Haunting Inboxes 15 Years After Release Ghost RAT |
| 2023-04-13
⋅
Intel 471
⋅
From GhostNet to PseudoManuscrypt - The evolution of Gh0st RAT BBSRAT Gh0stTimes Ghost RAT PseudoManuscrypt |
| 2022-09-15
⋅
Symantec
⋅
Webworm: Espionage Attackers Testing and Using Older Modified RATs 9002 RAT Ghost RAT Trochilus RAT |
| 2022-08-01
⋅
Qualys
⋅
Here’s a Simple Script to Detect the Stealthy Nation-State BPFDoor BPFDoor |
| 2022-07-18
⋅
Palo Alto Networks Unit 42
⋅
Iron Taurus CHINACHOPPER Ghost RAT Wonknu ZXShell APT27 |
| 2022-05-25
⋅
CrowdStrike
⋅
Hunting a Global Telecommunications Threat: DecisiveArchitect and Its Custom Implant JustForFun BPFDoor |
| 2022-05-23
⋅
Trend Micro
⋅
Operation Earth Berberoka reptile oRAT Ghost RAT PlugX pupy Earth Berberoka |
| 2022-05-17
⋅
Elastic
⋅
A peek behind the BPFDoor BPFDoor |
| 2022-05-11
⋅
Sandfly Security
⋅
BPFDoor - An Evasive Linux Backdoor Technical Analysis BPFDoor |
| 2022-05-11
⋅
ExaTrack
⋅
Tricephalic Hellkeeper: a tale of a passive backdoor BPFDoor Bvp47 Uroburos |
| 2022-05-08
⋅
Twitter (@cyb3rops)
⋅
Tweet on source code for BPFDoor found on VT BPFDoor |
| 2022-05-08
⋅
Twitter (@CraigHRowland)
⋅
Twitter Thread with description of functionality for BPFDoor BPFDoor |
| 2022-05-07
⋅
DoublePulsar
⋅
BPFDoor — an active Chinese global surveillance tool BPFDoor |
| 2022-05-05
⋅
Troopers Conference
⋅
Tinker Telco Soldier Spy (to be given 2022-06-27) BPFDoor GALLIUM |
| 2022-04-28
⋅
PWC
⋅
Cyber Threats 2021: A Year in Retrospect (Annex) Cobalt Strike Conti PlugX RokRAT Inception Framework Red Menshen |
| 2022-04-28
⋅
PWC
⋅
Cyber Threats 2021: A Year in Retrospect BPFDoor APT15 APT31 APT41 APT9 BlackTech BRONZE EDGEWOOD DAGGER PANDA Earth Lusca HAFNIUM HAZY TIGER Inception Framework LOTUS PANDA QUILTED TIGER RedAlpha Red Dev 17 Red Menshen Red Nue VICEROY TIGER |
| 2022-04-27
⋅
Trend Micro
⋅
New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware HelloBot AsyncRAT Ghost RAT HelloBot PlugX Quasar RAT Earth Berberoka |
| 2022-04-27
⋅
Trendmicro
⋅
Operation Gambling Puppet reptile oRAT AsyncRAT Cobalt Strike DCRat Ghost RAT PlugX Quasar RAT Trochilus RAT Earth Berberoka |
| 2022-04-15
⋅
Center for Internet Security
⋅
Top 10 Malware March 2022 Mirai Shlayer Agent Tesla Ghost RAT Nanocore RAT SectopRAT solarmarker Zeus |
| 2022-04-01
⋅
The Hacker News
⋅
Chinese Hackers Target VMware Horizon Servers with Log4Shell to Deploy Rootkit Fire Chili Ghost RAT |
| 2022-03-30
⋅
Fortinet
⋅
New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits Fire Chili Ghost RAT |
| 2022-03-16
⋅
AhnLab
⋅
Gh0stCringe RAT Being Distributed to Vulnerable Database Servers Ghost RAT Kingminer |
| 2022-02-11
⋅
Cisco Talos
⋅
Threat Roundup for February 4 to February 11 DarkComet Ghost RAT Loki Password Stealer (PWS) Tinba Tofsee Zeus |
| 2021-12-14
⋅
Trend Micro
⋅
Collecting In the Dark: Tropic Trooper Targets Transportation and Government ChiserClient Ghost RAT Lilith Quasar RAT xPack APT23 |
| 2021-10-05
⋅
Blackberry
⋅
Drawing a Dragon: Connecting the Dots to Find APT41 Cobalt Strike Ghost RAT |
| 2021-10-04
⋅
JPCERT/CC
⋅
Malware Gh0stTimes Used by BlackTech Gh0stTimes Ghost RAT |
| 2021-05-05
⋅
Zscaler
⋅
Catching RATs Over Custom Protocols Analysis of top non-HTTP/S threats Agent Tesla AsyncRAT Crimson RAT CyberGate Ghost RAT Nanocore RAT NetWire RC NjRAT Quasar RAT Remcos |
| 2021-04-28
⋅
Trend Micro
⋅
Water Pamola Attacked Online Shops Via Malicious Orders Ghost RAT |
| 2021-04-02
⋅
Dr.Web
⋅
Study of targeted attacks on Russian research institutes Cotx RAT Ghost RAT TA428 |
| 2021-02-22
⋅
tccontre Blog
⋅
Gh0stRat Anti-Debugging: Nested SEH (try - catch) to Decrypt and Load its Payload Ghost RAT |
| 2021-02-01
⋅
ESET Research
⋅
Operation NightScout: Supply‑chain attack targets online gaming in Asia Ghost RAT NoxPlayer Poison Ivy Red Dev 17 |
| 2021-01-15
⋅
Swisscom
⋅
Cracking a Soft Cell is Harder Than You Think Ghost RAT MimiKatz PlugX Poison Ivy Trochilus RAT |
| 2020-12-18
⋅
Seqrite
⋅
RAT used by Chinese cyberspies infiltrating Indian businesses Ghost RAT |
| 2020-12-10
⋅
US-CERT
⋅
Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim REvil Ryuk Zeus |
| 2020-12-10
⋅
Intel 471
⋅
No pandas, just people: The current state of China’s cybercrime underground Anubis SpyNote AsyncRAT Cobalt Strike Ghost RAT NjRAT |
| 2020-10-27
⋅
Dr.Web
⋅
Study of the ShadowPad APT backdoor and its relation to PlugX Ghost RAT PlugX ShadowPad |
| 2020-07-28
⋅
⋅
NTT
⋅
CraftyPanda 標的型攻撃解析レポート Ghost RAT PlugX |
| 2020-07-20
⋅
Risky.biz
⋅
What even is Winnti? CCleaner Backdoor Ghost RAT PlugX ZXShell |
| 2020-06-14
⋅
BushidoToken
⋅
Deep-dive: The DarkHotel APT Asruex Ghost RAT Ramsay Retro Unidentified 076 (Higaisa LNK to Shellcode) |
| 2020-06-05
⋅
Prevailion
⋅
The Gh0st Remains the Same Ghost RAT |
| 2020-06-04
⋅
PTSecurity
⋅
COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group Ghost RAT SongXY |
| 2020-05-20
⋅
Medium Asuna Amawaka
⋅
What happened between the BigBadWolf and the Tiger? Ghost RAT |
| 2020-05-14
⋅
Avast Decoded
⋅
APT Group Planted Backdoors Targeting High Profile Networks in Central Asia BYEBY Ghost RAT Microcin MimiKatz Vicious Panda |
| 2020-05-05
⋅
Troopers Conference
⋅
Tinker Telco Soldier Spy Red Menshen |
| 2020-03-05
⋅
SophosLabs
⋅
Cloud Snooper Attack Bypasses AWS Security Measures Cloud Snooper Ghost RAT |
| 2020-01-01
⋅
Secureworks
⋅
BRONZE GLOBE EtumBot Ghost RAT APT12 |
| 2020-01-01
⋅
Secureworks
⋅
BRONZE FLEETWOOD Binanen Ghost RAT OrcaRAT APT5 |
| 2020-01-01
⋅
Secureworks
⋅
BRONZE EDISON Ghost RAT sykipot APT4 SAMURAI PANDA |
| 2020-01-01
⋅
Secureworks
⋅
BRONZE UNION 9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell APT27 |
| 2019-12-12
⋅
Microsoft
⋅
GALLIUM: Targeting global telecom CHINACHOPPER Ghost RAT HTran MimiKatz Poison Ivy GALLIUM |
| 2019-11-19
⋅
FireEye
⋅
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC POISONPLUG Poison Ivy pupy Quasar RAT ZXShell |
| 2019-11-04
⋅
⋅
Tencent
⋅
APT attack group "Higaisa" attack activity disclosed Ghost RAT Higaisa |
| 2019-09-23
⋅
MITRE
⋅
APT41 Derusbi MESSAGETAP Winnti ASPXSpy BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT MimiKatz NjRAT PlugX ShadowPad Winnti ZXShell APT41 |
| 2019-09-17
⋅
Talos
⋅
Cryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda” Ghost RAT |
| 2019-04-25
⋅
⋅
DATANET
⋅
Chinese-based hackers attack domestic energy institutions CALMTHORN Ghost RAT |
| 2019-02-27
⋅
Secureworks
⋅
A Peek into BRONZE UNION’s Toolbox Ghost RAT HyperBro ZXShell |
| 2019-01-07
⋅
Intezer
⋅
ChinaZ Revelations: Revealing ChinaZ Relationships with other Chinese Threat Actor Groups Ghost RAT |
| 2018-09-19
⋅
Möbius Strip Reverse Engineering
⋅
Hex-Rays Microcode API vs. Obfuscating Compiler Ghost RAT |
| 2018-04-20
⋅
NCC Group
⋅
Decoding network data from a Gh0st RAT variant Ghost RAT APT27 |
| 2018-04-17
⋅
NCC Group
⋅
Decoding network data from a Gh0st RAT variant Ghost RAT APT27 |
| 2018-02-01
⋅
Bitdefender
⋅
Operation PZCHAO Inside a highly specialized espionage infrastructure Ghost RAT APT27 |
| 2018-01-04
⋅
Malware Traffic Analysis
⋅
MALSPAM PUSHING PCRAT/GH0ST Ghost RAT |
| 2018-01-01
⋅
CrowdStrike
⋅
2018 Global Threat Report Mangzamel BAMBOO SPIDER HOUND SPIDER ZOMBIE SPIDER |
| 2017-12-19
⋅
Proofpoint
⋅
North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group Ghost RAT |
| 2017-12-19
⋅
Proofpoint
⋅
North Korea Bitten by Bitcoin Bug QUICKCAFE PowerSpritz Ghost RAT PowerRatankba |
| 2017-05-31
⋅
MITRE
⋅
APT18 Ghost RAT HttpBrowser APT18 |
| 2017-05-31
⋅
MITRE
⋅
PittyTiger Enfal Ghost RAT MimiKatz Poison Ivy APT24 |
| 2017-05-31
⋅
MITRE
⋅
Axiom Derusbi 9002 RAT BLACKCOFFEE Derusbi Ghost RAT HiKit PlugX ZXShell APT17 |
| 2017-02-25
⋅
Financial Security Institute
⋅
Silent RIFLE: Response Against Advanced Threat Ghost RAT |
| 2016-04-22
⋅
Cylance
⋅
The Ghost Dragon Ghost RAT |
| 2015-04-14
⋅
Youtube (Kaspersky)
⋅
Following APT OpSec failures BLACKCOFFEE Mangzamel APT17 |
| 2015-04-13
⋅
Hybrid-Analysis
⋅
sqlconnt1.exe Mangzamel |
| 2012-01-01
⋅
Norman ASA
⋅
The many faces of Gh0st Rat Ghost RAT |
| 2011-06-29
⋅
Symantec
⋅
Inside a Back Door Attack Ghost RAT Dust Storm |
| 2009-03-28
⋅
Infinitum Labs
⋅
Tracking GhostNet: Investigating a Cyber Espionage Network Ghost RAT GhostNet |