On March 26, 2026, Rapid7 Labs published its report on a sustained China-nexus espionage campaign inside global telecommunications infrastructure.

 

What happened

Rapid7 attributed the activity to Red Menshen and said its months-long investigation found covert access designed for long-term intelligence collection, including activity with implications for government communications.

Rapid7 said the operation was built for persistence, not fast disruption. The actor allegedly established sleeper-cell-style footholds inside telecom environments using kernel-level implants, passive backdoors, and other tools that could remain hidden for extended periods.

At the center of the campaign was BPFdoor, which Rapid7 described as a stealthy Linux backdoor. Rather than listening on a port, the implant attaches a Berkeley Packet Filter program to a raw socket, so the kernel hands it only packets that match a magic pattern, and it stays dormant until that trigger traffic arrives. A raw socket sees every packet reaching the interface, whatever port it is addressed to, so the backdoor opens no listening port of its own and does not show up in the port inventories and connection monitoring defenders usually rely on.
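Because a BPFdoor-style implant opens no listening port, the practical check on a Linux host is to look for packet (raw) sockets that have a BPF filter attached and ask which process owns each one. `ss -0pb` lists exactly that: packet sockets, the owning process, and the attached classic-BPF instructions. The script below is an added example, not part of the Rapid7 report or any BPFdoor sample: it parses a constructed block of text in the shape of `ss -0pb` output, decodes the filter instructions, and flags sockets whose filter compares a 32-bit field from the packet against a constant, which is what a magic-value trigger looks like at the filter level. The process names, PIDs and the 0x5a5a5a5a value are made up for the example; the allowlist of benign sniffers is an assumption for noise suppression, not an indicator.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of `ss -0pb` output (Netid p_raw/p_dgr = packet
# sockets, users:(...) = owning process, indented "bpf filter (N):" = attached
# classic BPF). Not real data: names, PIDs and the 0x5a5a5a5a magic are made up.
SAMPLE_SS_OUTPUT = """\
Netid  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
p_raw  0      0      *:eth0              *                 users:(("tcpdump",pid=4121,fd=3))
    bpf filter (4):  0x28 0 0 12, 0x15 0 1 2048, 0x06 0 0 262144, 0x06 0 0 0,
p_dgr  0      0      *:eth0              *                 users:(("dhclient",pid=812,fd=5))
    bpf filter (8):  0x28 0 0 12, 0x15 0 5 2048, 0x30 0 0 23, 0x15 0 3 17, 0x28 0 0 36, 0x15 0 1 68, 0x06 0 0 65535, 0x06 0 0 0,
p_raw  0      0      *:eth0              *                 users:(("cron-helper",pid=23077,fd=3))
    bpf filter (8):  0x28 0 0 12, 0x15 0 5 2048, 0x30 0 0 23, 0x15 0 3 17, 0x20 0 0 42, 0x15 0 1 1515870810, 0x06 0 0 65535, 0x06 0 0 0,
"""

SOCKET_RE = re.compile(r"^(p_raw|p_dgr)\s")
PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+),fd=(\d+)\)')
FILTER_RE = re.compile(r"^\s+bpf filter \((\d+)\):\s*(.*)$")   # ss prints a tab; \s+ accepts either
INSN_RE = re.compile(r"0x([0-9a-fA-F]+) (\d+) (\d+) (\d+)")     # code jt jf k, as ss prints them

# Classic BPF opcodes of interest (linux/filter.h): 32-bit loads and jeq-immediate.
BPF_LD_W = {0x20, 0x40}   # ld [k] (abs), ld [x+k] (ind)
BPF_JEQ_K = 0x15          # jeq #k, jt, jf

# Assumed allowlist of daemons that legitimately hold filtered packet sockets.
# Names are self-reported (argv[0]) and trivially forged, so this only lowers
# severity; it never suppresses a finding.
KNOWN_SNIFFERS = {"tcpdump", "dhclient", "dhcpcd", "lldpd", "NetworkManager", "systemd-networkd"}


@dataclass
class PacketSocket:
    kind: str            # p_raw or p_dgr
    process: str
    pid: int
    fd: int
    insns: list = field(default_factory=list)   # (code, jt, jf, k) tuples


def parse_ss_packet_sockets(text):
    """Turn `ss -0pb` text into PacketSocket records with decoded filters."""
    sockets = []
    for line in text.splitlines():
        if SOCKET_RE.match(line):
            m = PROC_RE.search(line)
            name, pid, fd = (m.group(1), int(m.group(2)), int(m.group(3))) if m else ("?", -1, -1)
            sockets.append(PacketSocket(line.split()[0], name, pid, fd))
        elif sockets and (fm := FILTER_RE.match(line)):
            # The filter line belongs to the socket line just above it.
            sockets[-1].insns = [(int(c, 16), int(jt), int(jf), int(k))
                                 for c, jt, jf, k in INSN_RE.findall(fm.group(2))]
    return sockets


def magic_candidates(insns):
    """Constants compared against a 32-bit packet load: the shape of a magic trigger.
    Ethertype/protocol/port checks use 8- or 16-bit loads and are left out."""
    return [k for i in range(1, len(insns))
            if insns[i][0] == BPF_JEQ_K and insns[i - 1][0] in BPF_LD_W
            for k in [insns[i][3]]]


def triage(sockets):
    """One finding per packet socket that carries a filter, with a severity."""
    findings = []
    for s in sockets:
        if not s.insns:
            continue   # unfiltered capture socket: noisy, not the pattern we want
        magic = [f"0x{k:08x}" for k in magic_candidates(s.insns)]
        severity = "high" if (magic or s.process not in KNOWN_SNIFFERS) else "review"
        findings.append({"severity": severity, "process": s.process, "pid": s.pid,
                         "fd": s.fd, "kind": s.kind, "magic_candidates": magic})
    return findings


if __name__ == "__main__":
    for f in triage(parse_ss_packet_sockets(SAMPLE_SS_OUTPUT)):
        print(f)
```

On a live host replace the constructed text with the output of `ss -0pb` (run as root) and confirm each high-severity hit by reading `/proc/<pid>/exe`, `/proc/<pid>/cmdline` and the binary's hash rather than trusting the name, since service masquerading is exactly what the campaign relied on. A filter that compares a full 32-bit word from the payload to a constant is the give-away here; a filter that only checks ethertype, protocol and port, as the two benign samples do, is what ordinary capture and DHCP clients install.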

 

The main findings of the report

  • A sustained China-nexus espionage campaign operated inside global telecommunications infrastructure.
  • The activity has been attributed to a threat actor tracked as Red Menshen.
  • The apparent objective was long-term, high-level espionage, including access that could affect government communications and other critical systems.
  • Covert sleeper-cell style access was established to remain hidden for extended periods.
  • BPFdoor served as a central tool in the campaign: a stealthy Linux backdoor that uses a kernel packet filter to watch for specially crafted trigger traffic and activates only when it arrives.
  • Initial access often came through public-facing applications and valid accounts, with the report naming Ivanti, Cisco, Fortinet, VMware and Palo Alto Networks appliances and Apache Struts deployments among the targeted products.
  • Additional tools used after initial access included CrossC2 and TinyShell to maintain access, run commands, and move deeper into networks.
  • Newer BPFdoor variants could carry their trigger inside ordinary HTTPS traffic, so the wake-up packet blends with the encrypted web traffic a modern telecom network sees constantly.

 

What was said

According to the Rapid7 report, “Modern telecom networks are layered ecosystems composed of routing systems, subscriber management platforms, authentication services, billing systems, roaming databases, and lawful intercept capabilities. These systems rely on specialized signaling protocols such as SS7, Diameter, and SCTP to coordinate identity, mobility, and connectivity across national and international boundaries.”

 

Why it matters

Rapid7 describes what sophisticated compromise looks like after an attacker has achieved deep access: Red Menshen allegedly maintained long-term, covert footholds inside telecommunications infrastructure through kernel-level BPFdoor implants, encrypted HTTPS-based triggers, and service masquerading designed to avoid normal detection.

A 2025 Paubox report on healthcare cybersecurity describes the exposure that usually sits much earlier in the attack chain: its analysis of 180 email-related healthcare breaches from 2024 found that 43% involved Microsoft 365 and that only 1.1% of the organizations analyzed had a low-risk email security posture, against a backdrop of rising AI-assisted phishing and ransomware pressure.

Read together, the comparison suggests a clear progression of risk. Paubox shows how often attackers can still exploit trusted communication channels at the inbox level, while Rapid7 shows how advanced actors seek to convert footholds into persistent, hard-to-detect access inside the communications fabric itself.

See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)

 

FAQs

What are software backdoors, and why are they so dangerous?

Software backdoors are hidden or unauthorized ways to access a device or program that let attackers bypass normal security controls, which makes them dangerous because they can give persistent remote access that is hard to detect and easy to abuse.

 

What is Linux?

Linux is an open-source operating system that can be used through both a graphical interface and the command line across many different distributions.

 

What is Berkeley Packet Filter logic?

Berkeley Packet Filter, usually called BPF, is a mechanism that originated in BSD and is implemented in the Linux kernel. A program attaches a small filter program to a socket; the kernel runs that filter against each packet and delivers to the socket only the packets the filter accepts, so the program never has to copy and inspect the rest. Capture tools such as tcpdump and DHCP clients rely on it for routine work, which is why a BPF-based backdoor can resemble ordinary packet-capture activity unless the filter and its owning process are examined.