Front Page

State-Sponsored Espionage

Sleeper Cells in the Backbone: China's Red Menshen Pre-Positioned BPFdoor Inside Global Telecom Networks

Rapid7 Labs confirmed on March 26 that Chinese state-nexus group Red Menshen has spent years systematically embedding BPFdoor implants inside telecommunications backbone infrastructure worldwide — not for immediate data theft, but as dormant sleeper cells that can be activated on command for espionage or large-scale disruption.

BPFdoor attaches a classic BPF filter to a raw (AF_PACKET) socket so the Linux kernel hands it every packet on the interface, and it stays idle until a packet carrying its magic trigger arrives, buried in normal HTTPS traffic. Because the implant never binds a listening port and sends no C2 traffic at rest, port scans and beacon-based detection both miss it. Rapid7 released a free detection script; investigators should hunt every Linux network-edge host for raw socket usage, unexpected BPF filters attached to sockets, and process-name spoofing (a process whose name claims to be a system daemon while its executable does not match). Expect legitimate hits from packet-capture tools and DHCP clients, so attribute each raw socket to its owning binary rather than alerting on the socket alone.
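The hunt described above, as an added example (this is not Rapid7's detection script and is not derived from it): it attributes every AF_PACKET socket listed in /proc/net/packet to the process holding it and flags processes whose comm, argv[0] and exe disagree. The allowlist of benign packet-socket users, the world-writable path list, and the sample /proc/net/packet text are assumptions constructed for the example; it must run as root to read other processes' fd and exe links.

```python
"""Hunt for BPFdoor-style implants on a Linux host via /proc.

Added example, not Rapid7's script. Checks two of the artifacts a hunter
looks for: raw AF_PACKET sockets and process-name spoofing. Attached
classic BPF filters are not exposed in /proc (see the note after the block).
"""
import os
import re
from typing import Dict, List

SOCKET_RE = re.compile(r"socket:\[(\d+)\]")
# Assumed allowlist: programs that legitimately hold packet sockets on many hosts.
KNOWN_PACKET_SOCKET_USERS = {"tcpdump", "dhclient", "dhcpcd", "NetworkManager", "lldpd"}
WORLD_WRITABLE = ("/dev/shm/", "/tmp/", "/var/tmp/")

# Constructed sample of /proc/net/packet (header line, then one row per socket,
# inode in the last column). Real inodes and addresses will differ.
SAMPLE_PROC_NET_PACKET = (
    "sk       RefCnt Type Proto  Iface R Rmem   User   Inode\n"
    "ffff9a1b 3      3    0003   2     1 0      0      12345\n"
    "ffff9a1c 2      3    0800   0     0 0      0      67890\n"
)


def parse_packet_sockets(proc_net_packet: str) -> List[int]:
    """Return the socket inodes from /proc/net/packet text (AF_PACKET sockets only)."""
    inodes = []
    for line in proc_net_packet.strip().splitlines()[1:]:  # skip header
        fields = line.split()
        if fields:
            inodes.append(int(fields[-1]))
    return inodes


def socket_owners(inodes: List[int], proc_root: str = "/proc") -> Dict[int, List[int]]:
    """Map socket inodes to the PIDs whose fd tables reference them."""
    wanted = set(inodes)
    owners: Dict[int, List[int]] = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited or no permission
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = SOCKET_RE.match(target)
            if m and int(m.group(1)) in wanted:
                owners.setdefault(int(m.group(1)), []).append(int(pid))
    return owners


def spoof_indicators(comm: str, cmdline: str, exe: str) -> List[str]:
    """Compare the three names a process carries and report disagreements.

    comm is /proc/PID/comm (truncated to 15 chars), cmdline is /proc/PID/cmdline
    with NULs turned into spaces, exe is the readlink of /proc/PID/exe. A process
    that rewrote argv[0] and comm to pose as a daemon still cannot change exe.
    """
    hits = []
    argv0_base = os.path.basename(cmdline.split()[0]) if cmdline.strip() else ""
    exe_clean = exe[:-len(" (deleted)")] if exe.endswith(" (deleted)") else exe
    exe_base = os.path.basename(exe_clean)
    if exe_clean != exe:
        hits.append("executable deleted on disk")
    if argv0_base and exe_base and argv0_base != exe_base:
        hits.append(f"argv[0] {argv0_base!r} != exe {exe_base!r}")
    if comm and exe_base and not exe_base.startswith(comm):  # prefix-compare: comm is truncated
        hits.append(f"comm {comm!r} != exe {exe_base!r}")
    if exe_clean.startswith(WORLD_WRITABLE):
        hits.append(f"executable under world-writable path {exe_clean}")
    return hits


def read_proc(path: str) -> str:
    """Read a /proc file as text; cmdline's NUL separators become spaces."""
    try:
        with open(path, "rb") as f:
            return f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        return ""


def hunt(proc_root: str = "/proc") -> List[dict]:
    """Attribute each packet socket to its process and return suspicious ones."""
    findings = []
    inodes = parse_packet_sockets(read_proc(os.path.join(proc_root, "net", "packet")))
    for inode, pids in socket_owners(inodes, proc_root).items():
        for pid in pids:
            base = os.path.join(proc_root, str(pid))
            comm = read_proc(os.path.join(base, "comm"))
            cmdline = read_proc(os.path.join(base, "cmdline"))
            try:
                exe = os.readlink(os.path.join(base, "exe"))
            except OSError:
                exe = ""
            hits = spoof_indicators(comm, cmdline, exe)
            if comm in KNOWN_PACKET_SOCKET_USERS and not hits:
                continue  # a known sniffer with a consistent identity: suppress
            findings.append({"pid": pid, "inode": inode, "comm": comm,
                             "cmdline": cmdline, "exe": exe, "indicators": hits})
    return findings


if __name__ == "__main__":
    for finding in hunt():
        print(finding)
```

Any packet socket whose owner is not on the allowlist is reported even with no name mismatch, because a raw socket on a telecom edge host is rare enough to deserve a look. The BPF filter itself is not visible through /proc; once a suspect PID is known, `ss -0 -b -p` (iproute2, root required) dumps the classic BPF program attached to each packet socket, and an unusually long filter that matches on payload bytes rather than ports is the third artifact the text names.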

Supply Chain Escalation

CanisterWorm Goes Ransomware: TeamPCP Pivots to Vect RaaS After Stealing 300 GB of Developer Credentials

The TeamPCP CanisterWorm campaign escalated sharply this week: the group partnered with the Vect ransomware-as-a-service operation and confirmed its first ransomware deployments, using 300 GB of CI/CD credentials harvested from 474 compromised GitHub repositories and 1,750 Python packages.

Within eight days, TeamPCP expanded targeting from Linux to Windows, switched delivery from inline Base64-encoded payloads to payloads hidden inside WAV audio files (steganography), and extended the blast radius to Checkmarx, LiteLLM, and Telnyx SDK. Any organization that consumed an affected package must treat downstream endpoint compromise, not just credential exposure, as a live incident: the stolen CI/CD credentials are already being used to deploy ransomware, so rotating secrets without checking what those secrets were used for leaves the intrusion in place.

Threat Bulletin

ACTIVE EXPLOIT
CVE-2025-53521

F5 BIG-IP APM: unauthenticated remote code execution triggered by crafted traffic to a virtual server with an APM access policy active; CVSS 9.3. Added to CISA KEV March 27; federal patch deadline March 30. Forensic Note: BIG-IP APM sits at the authentication perimeter, so an exploited appliance must be treated as fully compromised rather than simply patched; review every session that authenticated through it during the exposure window for lateral movement.

CRITICAL
CVE-2026-21643

Fortinet FortiClient EMS: pre-authentication SQL injection through an unsanitized tenant header lets an attacker extract full administrator credentials from the PostgreSQL backend; CVSS 9.8. Shadowserver tracks 2,000+ internet-exposed instances. Forensic Note: EMS pushes policies to every managed endpoint, so an attacker holding admin credentials can turn the management plane into a distribution channel. Audit EMS policy deployment chains and endpoint telemetry for unauthorized policy changes, and review EMS web logs for requests carrying anomalous tenant header values.

Malware Spotlight

Infiniti Stealer (ClickFix)

Python-based macOS infostealer delivered through Cloudflare-branded fake browser-verification pages that instruct the victim to paste a Bash one-liner into Terminal (the ClickFix technique). Because the user runs the command, no downloaded app bundle is ever presented to Gatekeeper, so the assumption that Gatekeeper will stop unsigned code does not hold. Targets credentials, browser data, and crypto wallets. Forensic Note: there is no traditional binary footprint to hash-match; detection requires user-behavior telemetry (Terminal launched moments after a browser session) and script-execution monitoring (shells spawned from Terminal that fetch and execute remote content).