Rapid7 Uncovers China-Linked Espionage Campaign Targeting Global Telecom Infrastructure

  • Rapid7 Labs identified a sustained espionage campaign by a China-nexus threat actor, Red Menshen, targeting global telecommunications networks.
  • The campaign involves the deployment of “sleeper cells” designed for long-term, undetected intelligence collection within telecom infrastructure.
  • A new Linux kernel-level backdoor, BPFdoor, is being used to bypass traditional security monitoring tools.
  • Rapid7 has released an open-source scanning script to help organizations detect BPFdoor activity and has incorporated findings into its detection capabilities.
  • Christiaan Beek and Raj Samani will present the research findings at RSAC 2026 and in an exclusive webinar on March 30, 2026.

Rapid7's findings reveal a significant shift in cyber espionage tactics, moving beyond opportunistic attacks to a model of persistent, strategic infrastructure compromise. This represents a growing threat to national security and critical infrastructure globally, highlighting the increasing convergence of cybersecurity and geopolitical risk. The incident underscores the vulnerability of core communication systems and the potential for widespread data exfiltration and disruption.

Geopolitical Risk
The increasing sophistication and persistence of state-sponsored attacks on critical infrastructure will likely prompt heightened regulatory scrutiny and investment in cybersecurity across the telecommunications sector.

Technical Innovation
The weaponization of encrypted traffic and kernel-level backdoors will force security vendors to continually innovate detection methods, potentially accelerating the adoption of AI-powered solutions.

Regulatory Response
Governments will likely increase pressure on telecommunications providers to implement robust security measures and reporting protocols, potentially leading to new compliance requirements and operational costs.