Rapid7 Labs report flags China-nexus “sleeper cells” in global telecom networks; findings published March 26, 2026

Reuters

Mar 26

Rapid7 Labs report flags China-nexus “sleeper cells” in global telecom networks; findings published March 26, 2026

Rapid7 Labs reported a sustained espionage campaign by a China-nexus threat actor, Red Menshen, involving long-term dormant footholds inside global telecommunications networks.
The activity described includes use of a Linux kernel-level backdoor (BPFdoor) designed to avoid opening ports and to limit conventional endpoint and network monitoring visibility.
A newly identified malware variant was found to conceal command triggers within legitimate encrypted HTTPS traffic, including abuse of SSL termination points such as load balancers and proxies.
The investigation also described targeting of telecommunications signaling protocols such as SCTP, enabling visibility into subscriber activity across 4G and 5G networks.
Rapid7 released an open-source scanning script intended to detect previously documented BPFdoor variants and newer samples.

Disclaimer: This news brief was created by Public Technologies (PUBT) using generative artificial intelligence. While PUBT strives to provide accurate and timely information, this AI-generated content is for informational purposes only and should not be interpreted as financial, investment, or legal advice. Rapid7 Inc. published the original content used to generate this news brief on March 26, 2026, and is solely responsible for the information contained therein.

At the request of the copyright holder, you need to log in to view this content

LOGIN / SIGN UP

Disclaimer: Investing carries risk. This is not financial advice. The above content should not be regarded as an offer, recommendation, or solicitation on acquiring or disposing of any financial products, any associated discussions, comments, or posts by author or other users should not be considered as such either. It is solely for general information purpose only, which does not consider your own investment objectives, financial situations or needs. TTM assumes no responsibility or warranty for the accuracy and completeness of the information, investors should do their own research and may seek professional advice before investing.

Most Discussed

1
2
3
4
5
6
7
8
9
10

{"basename":"","ssrTDKData":{"titleTemplate":"%s - Tiger Brokers","title":"Tiger Brokers | Global Stocks, Options & Futures Trading App","description":"Tiger Brokers, one-stop investment in US stocks, SGX stocks, HK stocks, A-shares & other global assets. One of the best stock trading platforms in Singapore.","keywords":"tiger brokers,tiger trade,tiger brokers singapore,broker online,stock trading in singapore,share trading singapore,brokerage firm singapore,trading app,stock broker singapore,stock trading platforms,trading account","social":{"ogDescription":"Tiger Brokers, one-stop investment in US stocks, SGX stocks, HK stocks, A-shares & other global assets. One of the best stock trading platforms in Singapore.","ogImage":"https://c1.itigergrowtha.com/portal5/static/media/og-logo.be62fbe1.png","ogUrl":"https://www-web.itiger.com/news/2622850634"},"companyName":"Tiger Brokers"},"pageData":{"isMobile":false,"isTiger":false,"isTTM":true,"region":"SGP","license":"TBSG","edition":"fundamental"},"isCrawlerRequest":true,"__swrFallback__":{"@#url:\"https://stock-news.skytigris.cn/v3/news\",params:#id:\"2622850634\",edition:\"fundamental\",auth_exemption:1,,,undefined,":{"share":"https://ttm.financial/m/news/2622850634?lang=en_US&edition=fundamental","thumbnail":"","is_english":true,"pubTime":"2026-03-26 20:43","share_image_url":"https://static.laohu8.com/e9f99090a1c2ed51c021029395664489","id":"2622850634","market":"nz","top_or_hot":-1,"title":"Rapid7 Labs report flags China-nexus “sleeper cells” in global telecom networks; findings published March 26, 2026","media":"Reuters","content":"<html xmlns=\"http://www.w3.org/1999/xhtml\" xmlns:newsg2=\"http://iptc.org/std/nar/2006-10-01/\" xmlns:xhtml=\"http://www.w3.org/1999/xhtml\"><head><title>\n      Rapid7 Labs report flags China-nexus “sleeper cells” in global telecom networks; findings published March 26, 2026\n    </title></head><body><div xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">\n<ul>\n<li>\n          Rapid7 Labs reported a sustained espionage campaign by a China-nexus threat actor, Red Menshen, involving long-term dormant footholds inside global telecommunications networks.\n        </li>\n<li>\n          The activity described includes use of a Linux kernel-level backdoor (BPFdoor) designed to avoid opening ports and to limit conventional endpoint and network monitoring visibility.\n        </li>\n<li>\n          A newly identified malware variant was found to conceal command triggers within legitimate encrypted HTTPS traffic, including abuse of SSL termination points such as load balancers and proxies.\n        </li>\n<li>\n          The investigation also described targeting of telecommunications signaling protocols such as SCTP, enabling visibility into subscriber activity across 4G and 5G networks.\n        </li>\n<li>\n          Rapid7 released an open-source scanning script intended to detect previously documented BPFdoor variants and newer samples.\n        </li>\n</ul>\n<br/>\n<br/>\n</div><div xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">\n<p>\n<i>Disclaimer: <span>This news brief was created by Public Technologies (PUBT) using generative artificial intelligence. While PUBT strives to provide accurate and timely information, this AI-generated content is for informational purposes only and should not be interpreted as financial, investment, or legal advice. Rapid7 Inc. published the original content used to generate this news brief on March 26, 2026, and is solely responsible for the information contained therein.</span></i>\n</p>\n</div></body></html>","source":null,"html":"<!DOCTYPE html>\n<html>\n<head>\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />\n<meta name=\"viewport\" content=\"width=device-width,initial-scale=1.0,minimum-scale=1.0,maximum-scale=1.0,user-scalable=no\"/>\n<meta name=\"format-detection\" content=\"telephone=no,email=no,address=no\" />\n<title>Rapid7 Labs report flags China-nexus “sleeper cells” in global telecom networks; findings published March 26, 2026</title>\n<style type=\"text/css\">\na,abbr,acronym,address,applet,article,aside,audio,b,big,blockquote,body,canvas,caption,center,cite,code,dd,del,details,dfn,div,dl,dt,\nem,embed,fieldset,figcaption,figure,footer,form,h1,h2,h3,h4,h5,h6,header,hgroup,html,i,iframe,img,ins,kbd,label,legend,li,mark,menu,nav,\nobject,ol,output,p,pre,q,ruby,s,samp,section,small,span,strike,strong,sub,summary,sup,table,tbody,td,tfoot,th,thead,time,tr,tt,u,ul,var,video{ font:inherit;margin:0;padding:0;vertical-align:baseline;border:0 }\nbody{ font-size:16px; line-height:1.5; color:#999; background:transparent; }\n.wrapper{ overflow:hidden;word-break:break-all;padding:10px; }\nh1,h2{ font-weight:normal; line-height:1.35; margin-bottom:.6em; }\nh3,h4,h5,h6{ line-height:1.35; margin-bottom:1em; }\nh1{ font-size:24px; }\nh2{ font-size:20px; }\nh3{ font-size:18px; }\nh4{ font-size:16px; }\nh5{ font-size:14px; }\nh6{ font-size:12px; }\np,ul,ol,blockquote,dl,table{ margin:1.2em 0; }\nul,ol{ margin-left:2em; }\nul{ list-style:disc; }\nol{ list-style:decimal; }\nli,li p{ margin:10px 0;}\nimg{ max-width:100%;display:block;margin:0 auto 1em; }\nblockquote{ color:#B5B2B1; border-left:3px solid #aaa; padding:1em; }\nstrong,b{font-weight:bold;}\nem,i{font-style:italic;}\ntable{ width:100%;border-collapse:collapse;border-spacing:1px;margin:1em 0;font-size:.9em; }\nth,td{ padding:5px;text-align:left;border:1px solid #aaa; }\nth{ font-weight:bold;background:#5d5d5d; }\n.symbol-link{font-weight:bold;}\n/* header{ border-bottom:1px solid #494756; } */\n.title{ margin:0 0 8px;line-height:1.3;color:#ddd; }\n.meta {color:#5e5c6d;font-size:13px;margin:0 0 .5em; }\na{text-decoration:none; color:#2a4b87;}\n.meta .head { display: inline-block; overflow: hidden}\n.head .h-thumb { width: 30px; height: 30px; margin: 0; padding: 0; border-radius: 50%; float: left;}\n.head .h-content { margin: 0; padding: 0 0 0 9px; float: left;}\n.head .h-name {font-size: 13px; color: #eee; margin: 0;}\n.head .h-time {font-size: 11px; color: #7E829C; margin: 0;line-height: 11px;}\n.small {font-size: 12.5px; display: inline-block; transform: scale(0.9); -webkit-transform: scale(0.9); transform-origin: left; -webkit-transform-origin: left;}\n.smaller {font-size: 12.5px; display: inline-block; transform: scale(0.8); -webkit-transform: scale(0.8); transform-origin: left; -webkit-transform-origin: left;}\n.bt-text {font-size: 12px;margin: 1.5em 0 0 0}\n.bt-text p {margin: 0}\n</style>\n</head>\n<body>\n<div class=\"wrapper\">\n<header>\n<h2 class=\"title\">\nRapid7 Labs report flags China-nexus “sleeper cells” in global telecom networks; findings published March 26, 2026\n</h2>\n\n<h4 class=\"meta\">\n\n\n<a class=\"head\" href=\"https://laohu8.com/wemedia/1032215980\">\n\n\n<div class=\"h-thumb\" style=\"background-image:url(https://community-static.tradeup.com/news/4567337cbdf294b657b1fa87c5488b48);background-size:cover;\"></div>\n\n<div class=\"h-content\">\n<p class=\"h-name\">Reuters </p>\n<p class=\"h-time\">2026-03-26 20:43</p>\n</div>\n\n</a>\n\n\n</h4>\n\n</header>\n<article>\n<html xmlns=\"http://www.w3.org/1999/xhtml\" xmlns:newsg2=\"http://iptc.org/std/nar/2006-10-01/\" xmlns:xhtml=\"http://www.w3.org/1999/xhtml\"><head><title>\n      Rapid7 Labs report flags China-nexus “sleeper cells” in global telecom networks; findings published March 26, 2026\n    </title></head><body><div xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">\n<ul>\n<li>\n          Rapid7 Labs reported a sustained espionage campaign by a China-nexus threat actor, Red Menshen, involving long-term dormant footholds inside global telecommunications networks.\n        </li>\n<li>\n          The activity described includes use of a Linux kernel-level backdoor (BPFdoor) designed to avoid opening ports and to limit conventional endpoint and network monitoring visibility.\n        </li>\n<li>\n          A newly identified malware variant was found to conceal command triggers within legitimate encrypted HTTPS traffic, including abuse of SSL termination points such as load balancers and proxies.\n        </li>\n<li>\n          The investigation also described targeting of telecommunications signaling protocols such as SCTP, enabling visibility into subscriber activity across 4G and 5G networks.\n        </li>\n<li>\n          Rapid7 released an open-source scanning script intended to detect previously documented BPFdoor variants and newer samples.\n        </li>\n</ul>\n<br/>\n<br/>\n</div><div xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">\n<p>\n<i>Disclaimer: <span>This news brief was created by Public Technologies (PUBT) using generative artificial intelligence. While PUBT strives to provide accurate and timely information, this AI-generated content is for informational purposes only and should not be interpreted as financial, investment, or legal advice. Rapid7 Inc. published the original content used to generate this news brief on March 26, 2026, and is solely responsible for the information contained therein.</span></i>\n</p>\n</div></body></html>\n\n</article>\n</div>\n</body>\n</html>\n","isBrief":false,"type":0,"news_type":1,"symbol":"BK4097","symbol_name":"系统软件","start_time":0,"source_url":"https://api.refinitiv.com/data/news/v1/stories/urn:newsml:reuters.com:20260326:nNDL1y0jmx:1","article_id":"2622850634","we_media_id":"1032215980","thumbnails":[],"rights":null,"url":"https://stock-news.laohu8.com/highlight/detail?id=2622850634","pubTimestamp":1774528988,"columns":[],"sourceInfo":null,"weMediaInfo":{"media_name":"Reuters","introduction":"Reuters.com brings you the latest news from around the world, covering breaking news in markets, business, politics, entertainment and technology","home_visible":1,"id":"1032215980","head_image":"https://community-static.tradeup.com/news/4567337cbdf294b657b1fa87c5488b48"},"summary":"Rapid7 Labs reported a sustained espionage campaign by a China-nexus threat actor, Red Menshen, involving long-term dormant footholds inside global telecommunications networks.The activity described includes use of a Linux kernel-level backdoor  designed to avoid opening ports and to limit conventional endpoint and network monitoring visibility.A newly identified malware variant was found to conceal command triggers within legitimate encrypted HTTPS traffic, including abuse of SSL termination points such as load balancers and proxies.The investigation also described targeting of telecommunications signaling protocols such as SCTP, enabling visibility into subscriber activity across 4G and 5G networks.Rapid7 released an open-source scanning script intended to detect previously documented BPFdoor variants and newer samples.Disclaimer: This news brief was created by Public Technologies  using generative artificial intelligence. While PUBT strives to provide accurate and timely information","collect":0,"end_time":0,"defaultTopTitle":"","property":[],"viewcount":null,"language":"en","relate_stocks":{"BK4097":"系统软件","RPD":"Rapid7, Inc.","LU1878469433.USD":"THREADNEEDLE (LUX) - AMERICAN SMALLER COMPANIES \"A\" (USD) ACC"},"translate_title":"Rapid7 Labs报告指出中国-nexus在全球电信网络中的“潜伏细胞”；调查结果于2026年3月26日发布","themeId":null,"isJumpTheme":false,"ttsUrl":null,"symbols_score_info":{"RPD":0.9},"content_text":"Rapid7 Labs report flags China-nexus “sleeper cells” in global telecom networks; findings published March 26, 2026\n    \n\n\n          Rapid7 Labs reported a sustained espionage campaign by a China-nexus threat actor, Red Menshen, involving long-term dormant footholds inside global telecommunications networks.\n        \n\n          The activity described includes use of a Linux kernel-level backdoor (BPFdoor) designed to avoid opening ports and to limit conventional endpoint and network monitoring visibility.\n        \n\n          A newly identified malware variant was found to conceal command triggers within legitimate encrypted HTTPS traffic, including abuse of SSL termination points such as load balancers and proxies.\n        \n\n          The investigation also described targeting of telecommunications signaling protocols such as SCTP, enabling visibility into subscriber activity across 4G and 5G networks.\n        \n\n          Rapid7 released an open-source scanning script intended to detect previously documented BPFdoor variants and newer samples.\n        \n\n\n\n\n\nDisclaimer: This news brief was created by Public Technologies (PUBT) using generative artificial intelligence. While PUBT strives to provide accurate and timely information, this AI-generated content is for informational purposes only and should not be interpreted as financial, investment, or legal advice. Rapid7 Inc. published the original content used to generate this news brief on March 26, 2026, and is solely responsible for the information contained therein.","kind":"highlight","is_publish_news":true,"is_publish_highlight":false,"is_publish_live":false,"is_publish_wemedia":null,"editions":null,"column":"","sentiment":"0","news_tag":"","news_rank":0,"symbols":[],"gpt_button":0,"need_auth":true,"code":"91000000","status":"200"}}}