China-linked Red Menshen hides inside telecoms networks
Rapid7 Labs has identified a sustained espionage campaign by China-nexus threat actor Red Menshen inside global telecommunications networks. Its research points to long-term covert access within core communications infrastructure.
The investigation found what Rapid7 described as digital sleeper cells embedded in telecom environments. The intrusions were designed to remain dormant, avoid detection and preserve access over extended periods. Researchers warned that this access can expose subscriber activity, signalling systems and sensitive communications within networks used by government, commercial and critical infrastructure organisations.
The group's methods suggest a shift from short-term intrusion to long-term pre-positioning inside telecom systems. Researchers said the actor was seeking footholds that could later be activated for intelligence collection while blending into ordinary network operations.
Rapid7 linked the activity to Red Menshen, which it described as an advanced threat actor with a China nexus. Attribution at the national level remains under investigation, but the campaign appears to extend across several regions.
"This is not traditional espionage; it is pre-positioning inside the infrastructure that nations depend on," said Christiaan Beek, Vice President of Cyber Intelligence at Rapid7. "We are seeing a persistent access model where attackers embed within core communications systems and maintain that access over extended periods."
One of the central tools identified in the campaign is BPFdoor, a Linux backdoor that operates at kernel level. This type of malware can be hard to detect because it does not need to open ports or generate the beaconing traffic many monitoring tools rely on to spot suspicious behaviour.
The investigation also found a newer malware variant that hides command triggers within legitimate encrypted HTTPS traffic. By using SSL termination points such as load balancers and proxies, the actor can trigger dormant implants while reducing the likelihood of detection by security systems that inspect traffic in more conventional ways.
Hidden access
Researchers said these techniques create major visibility gaps, particularly at the kernel and packet-filtering layers. Without monitoring at those levels, service masquerading and stealth activation can persist for long periods inside telecom environments.
The malware was found mimicking legitimate infrastructure and management services, including hardware monitoring and container components, to blend into routine operational activity. This made the implants harder to distinguish from normal functions inside complex carrier networks.
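A defender-side check for the two behaviours described above, a backdoor that never opens a listening port and implants that masquerade as management services, written as an added example that is not from the article and not Rapid7's scanning script. It assumes a Linux host and that a packet-filter-based implant watches traffic through a raw AF_PACKET socket bound to all protocols: it lists such sockets from /proc/net/packet, maps them to the owning processes, and flags any whose advertised name differs from the binary behind it.

```python
import os
# Constructed sample of a /proc/net/packet table (not from the article).
# Type 3 = SOCK_RAW and Proto 0003 = ETH_P_ALL: such a socket receives every
# frame on the interface without binding any TCP or UDP port.
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a5b3c2d1e00 3      3    0003   2     1 0      0      41233
ffff9a5b3c2d1f00 2      2    0800   0     0 0      0      41377
"""
def parse_proc_net_packet(text):
    """Return (sock_type, proto, inode) tuples; the header line is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) >= 9:           # sk RefCnt Type Proto Iface R Rmem User Inode
            rows.append((int(f[2]), int(f[3], 16), int(f[8])))
    return rows

def raw_all_protocol_inodes(rows):
    """Inodes of raw AF_PACKET sockets bound to ETH_P_ALL, the ones to review."""
    return [inode for sock_type, proto, inode in rows
            if sock_type == 3 and proto == 0x0003]

def owning_pids(inode, proc="/proc"):
    """PIDs whose fd table holds the socket with this inode."""
    target, pids = f"socket:[{inode}]", []
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            if any(os.readlink(os.path.join(fd_dir, fd)) == target
                   for fd in os.listdir(fd_dir)):
                pids.append(int(pid))
        except OSError:           # process exited, or not ours to inspect
            continue
    return pids

def masquerade_hint(argv0, exe):
    """True when the advertised process name and its backing binary differ."""
    return os.path.basename(argv0) != os.path.basename(exe)

if __name__ == "__main__":
    with open("/proc/net/packet") as fh:
        rows = parse_proc_net_packet(fh.read())
    for inode in raw_all_protocol_inodes(rows):
        for pid in owning_pids(inode):
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                argv0 = fh.read().split(b"\0")[0].decode(errors="replace")
            exe = os.readlink(f"/proc/{pid}/exe")
            flag = "  <- name/exe mismatch" if masquerade_hint(argv0, exe) else ""
            print(f"pid {pid} inode {inode} argv0={argv0} exe={exe}{flag}")
```

Run it as root so every process's fd table is readable; legitimate packet-capture tools will also appear, so the output is a review list, not a verdict.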
The campaign also involved access to specialist telecommunications signalling protocols such as SCTP. That can provide visibility into subscriber-related information, including location tracking and identity data across 4G and 5G networks.
Raj Samani, Chief Scientist at Rapid7, said the location of the intrusions raises the stakes for defenders. "If you have access to telecommunications infrastructure, you are not just inside one company; you are operating close to the communication layer of entire populations, which makes this type of access highly valuable and elevates detection to a national-level concern," he said. "The activity we are seeing continues to evolve in ways that improve stealth and persistence, and organisations should treat detection as the start of investigation, not the end of it."
Global risk
Beek said the interconnected nature of telecoms means the risk is not limited to a single market. Investigators are seeing relevant activity in Europe and the Asia-Pacific region, though confirming individual countries takes time because of the attackers' stealth.
"At this stage, attribution at the national level remains complex and is still under investigation. Given how the attacker conceals themselves within 'normal' network traffic, detection is no easy task. We are not merely searching for a needle in a haystack; rather, we are searching for a needle that has disguised itself as a piece of hay. What we can state with certainty, however, is that telecommunications infrastructure is utilised globally and is highly interconnected. Consequently, the associated risk is not confined to any single region. We are observing activity in multiple parts of the world, including Europe and APAC, but concrete confirmations on a country-by-country basis take time due to the stealthy nature of these attacks," he said.
The findings add to broader concerns over telecom networks as strategic targets for espionage. Because these networks sit near the centre of national communications systems, an intruder can potentially monitor data flows across a wide range of users and institutions without needing direct access to each target organisation.
Rapid7 is working with organisations it believes may have been affected. It has also released an open-source scanning script to detect both previously known BPFdoor variants and newer samples, allowing defenders to assess possible exposure and begin incident response where needed.
It has also integrated the findings into its own detection and threat-hunting systems, including retroactive searches for signs of compromise and updated intelligence for customers through its Intelligence Hub.