State‑sponsored “sleeper cells” embedded within global telecommunications networks, offering persistent espionage access that could impact government, corporate, and critical infrastructure communications worldwide.
The Rapid7 investigation, titled Sleeper Cells in the Telecom Backbone, details a multi‑year campaign attributed to a China‑nexus threat actor known as Red Menshen.
According to Rapid7 Labs, the group has shifted from opportunistic intrusion to strategic pre‑positioning — establishing long‑term footholds designed to remain dormant yet provide deep visibility into subscriber and signalling data across 4G and 5G networks.
“If you have access to telecommunications infrastructure, you are not just inside one company, you are operating close to the communication layer of entire populations, which makes this type of access highly valuable and elevates detection to a national‑level concern,” said Raj Samani, chief scientist at Rapid7.
“The activity we are seeing continues to evolve in ways that improve stealth and persistence, and organisations should treat detection as the start of investigation, not the end of it.”
The report highlights how the Red Menshen campaign leverages a Linux kernel‑level backdoor called BPFdoor. This tool operates without opening network ports or producing typical beaconing, leaving standard monitoring blind to its presence. More recent variants hide C2 triggers inside encrypted HTTPS traffic, exploiting SSL termination points such as proxies and load balancers to bypass detection.
Investigators also documented efforts to infiltrate telecommunications signalling systems over the SCTP protocol to gain subscriber location and identity data, and to mimic legitimate operational services to blend into network traffic.
“This is not traditional espionage, it is pre‑positioning inside the infrastructure that nations depend on,” said Christiaan Beek, Vice President of Cyber Intelligence at Rapid7. “We are seeing a persistent access model where attackers embed within core communications systems and maintain that access over extended periods.”
To assist defenders, Rapid7 has published an open‑source scanning script capable of detecting both existing and modified BPFdoor samples, encouraging telecom providers and critical sectors to assess exposure proactively.
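The report's point that the backdoor listens without opening a network port is what makes port- and beacon-based monitoring miss it, but a filter-driven sniffer still needs a raw packet socket, and the kernel lists every such socket in `/proc/net/packet`. The following is an added example, not Rapid7's scanner or any code from the report: it parses that table, keeps raw sockets bound to every frame type (`ETH_P_ALL`), and maps their inodes back to the owning processes through `/proc/<pid>/fd`. The `/proc/net/packet` column layout and the `socket:[inode]` link format are standard Linux; the sample table and fd listings are constructed for the example. Legitimate software (DHCP clients, `tcpdump`, LLDP daemons) owns such sockets too, so each hit is a lead to investigate, in line with the report's advice to treat detection as the start of an investigation.

```python
"""Hunt for processes that can read traffic without binding a port.

Added example, not Rapid7's scanner: a raw AF_PACKET socket shows up in
/proc/net/packet even when no TCP/UDP port is open. Mapping its inode to
a PID gives defenders a short list of processes to look at.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List

SOCK_RAW = 3        # "Type" column: raw packet socket (SOCK_DGRAM would be 2)
ETH_P_ALL = 0x0003  # "Proto" column: socket receives every frame type


@dataclass(frozen=True)
class PacketSocket:
    inode: int
    sock_type: int
    proto: int
    iface: int  # interface index the socket is bound to (0 = all)


def parse_proc_net_packet(text: str) -> List[PacketSocket]:
    """Parse /proc/net/packet: a header line, then one socket per line with
    columns sk RefCnt Type Proto Iface R Rmem User Inode."""
    sockets: List[PacketSocket] = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 9:
            continue  # tolerate truncated or blank lines
        sockets.append(PacketSocket(
            inode=int(fields[8]),
            sock_type=int(fields[2]),
            proto=int(fields[3], 16),  # printed as 4 hex digits
            iface=int(fields[4]),
        ))
    return sockets


_SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")


def collect_fd_links(proc_root: str = "/proc") -> Dict[int, List[str]]:
    """Read every /proc/<pid>/fd/* symlink target on a live system."""
    links: Dict[int, List[str]] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            links[int(entry)] = [os.readlink(os.path.join(fd_dir, fd))
                                 for fd in os.listdir(fd_dir)]
        except OSError:
            continue  # process exited, or we lack privileges for that PID
    return links


def find_packet_socket_owners(proc_net_packet: str,
                              fd_links: Dict[int, List[str]]) -> Dict[int, List[PacketSocket]]:
    """Return {pid: [raw ETH_P_ALL packet sockets that process holds]}.

    Only raw, all-protocol sockets are kept: that is the shape a
    filter-driven sniffer needs, while e.g. a DHCP client's IPv4-only
    SOCK_DGRAM packet socket is left out of the result.
    """
    wanted = {s.inode: s for s in parse_proc_net_packet(proc_net_packet)
              if s.sock_type == SOCK_RAW and s.proto == ETH_P_ALL}
    owners: Dict[int, List[PacketSocket]] = {}
    for pid, targets in fd_links.items():
        for target in targets:
            m = _SOCKET_LINK.match(target)
            if m and int(m.group(1)) in wanted:
                owners.setdefault(pid, []).append(wanted[int(m.group(1))])
    return owners


# Constructed sample data (not captured from any real host).
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
00000000 3      3    0003   2     1 0      0      40012
00000000 3      2    0800   2     1 0      0      40013
"""
SAMPLE_FD_LINKS = {
    812: ["/dev/null", "socket:[40012]", "pipe:[77]"],  # raw ETH_P_ALL: flagged
    911: ["socket:[40013]"],                            # SOCK_DGRAM, IPv4 only: not flagged
    1: ["/dev/null"],
}


def main() -> None:
    # Run against the live system when /proc is available, else the sample.
    if os.path.exists("/proc/net/packet"):
        with open("/proc/net/packet") as fh:
            table = fh.read()
        hits = find_packet_socket_owners(table, collect_fd_links())
    else:
        hits = find_packet_socket_owners(SAMPLE_PROC_NET_PACKET, SAMPLE_FD_LINKS)
    for pid, socks in sorted(hits.items()):
        print(f"pid {pid}: {len(socks)} raw ETH_P_ALL packet socket(s) -> investigate")


if __name__ == "__main__":
    main()
```

On a live host, run it as root so every process's `fd` directory is readable; an unreadable PID is skipped silently, so a partial result from an unprivileged run should not be read as a clean bill of health.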
The findings underscore a pressing challenge for network operators: growing exposure at the intersection of national communications infrastructure and international state‑sponsored cyber operations.
