Overview of how the new sample communicates | Image: Rapid7 Labs
A months-long investigation by Rapid7 Labs has pulled back the curtain on a quiet invasion. An advanced China-nexus threat actor, dubbed Red Menshen, has been found placing what researchers describe as “some of the stealthiest digital sleeper cells the team has ever seen” directly into the heart of global telecommunications networks.
These aren’t just hit-and-run data breaches; they are a calculated, long-term occupation of the world’s “central nervous system”.
The ultimate goal of Red Menshen is high-level espionage, specifically targeting government networks. By infiltrating telecom providers, the actors gain a strategic vantage point that compromises “the communications of entire populations”.
Once positioned inside the telecom core, these adversaries can monitor:
- Subscriber Identifiers and Metadata: Tracking who is talking to whom.
- Mobility Events: Large-scale subscriber tracking to monitor real-world movements.
- Signaling Protocols: Exploiting specialized protocols like SS7, Diameter, and SCTP that coordinate global connectivity.
The primary weapon in this campaign is BPFdoor, a stealthy Linux backdoor that operates within the operating system kernel. Unlike traditional malware, BPFdoor is a master of invisibility:
- No Open Ports: It does not expose listening ports or visible command-and-control channels.
- Passive Inspection: It abuses Berkeley Packet Filter (BPF) functionality to inspect network traffic directly inside the kernel.
- The “Magic Packet”: The implant remains dormant until it receives a specifically crafted “magic packet” trigger, which then spawns a shell.
Rapid7 warns that this approach represents a massive shift in stealth tradecraft. By “positioning below many traditional visibility layers,” the implant can remain undetected even by defenders who know exactly what they are looking for.
Recent findings show that Red Menshen is evolving. Newer variants of BPFdoor no longer rely on simple “magic packets” that might be flagged by intrusion detection systems. Instead, they are now hiding their triggers inside legitimate HTTPS traffic.
This allows the malicious commands to travel through reverse proxies and firewalls as encrypted payloads. Once the traffic reaches the compromised host and is decrypted—a process known as SSL termination—the hidden command is extracted. “In essence… the code is concealed inside normal, encrypted web traffic, allowing it to pass through modern security controls before unlocking the trapdoor”.
Researchers discovered BPFdoor samples that mimic legitimate hardware management services for HPE ProLiant servers—hardware commonly used in 5G core deployments. By adopting names like “hpasmlited,” the malware “blends into expected operational noise on telecom-grade ProLiant infrastructure”.
The actors even spoof core containerization components like the Docker Daemon, adopting the exact command-line arguments of legitimate services to hide during forensic reviews.
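The two traits described above, a passive listener that sees traffic without opening a port and a process that borrows the name of a legitimate service, both leave marks in Linux's `/proc` that a defender can check. The following host hunt is an added example written for this article; it is not Rapid7's tooling and not derived from any BPFdoor sample. It assumes the standard Linux `/proc` layout (`/proc/net/packet` listing AF_PACKET sockets by inode, and `/proc/<pid>/fd` links of the form `socket:[inode]`), and the sample rows and process records are constructed for illustration, including the placeholder binary path `/dev/shm/.example-implant`.

```python
"""Hunt for BPFdoor-style passive listeners and name-spoofing processes.

Added example, not Rapid7's code. Two signals from the article are checked:
  1. a process holding an AF_PACKET (raw) socket, which is how a BPF-filtered
     passive listener observes traffic without any listening TCP/UDP port;
  2. a process whose visible name (comm / argv[0]) does not match the binary
     it actually runs, the trick behind names like "hpasmlited" or "dockerd".
"""
import os
import re
from dataclasses import dataclass, field

# Service names the article reports BPFdoor borrowing. Treated as "worth a
# second look" only when the name does not match the running binary.
SUSPICIOUS_NAMES = {"hpasmlited", "dockerd"}


@dataclass
class ProcInfo:
    pid: int
    comm: str                      # /proc/<pid>/comm (what `ps` shows)
    exe: str                       # readlink /proc/<pid>/exe
    cmdline: str                   # /proc/<pid>/cmdline, NULs replaced by spaces
    socket_inodes: set = field(default_factory=set)  # inodes of socket fds


def parse_proc_net_packet(text):
    """Return the set of socket inodes listed in /proc/net/packet.
    The first line is a column header; the inode is the last column."""
    inodes = set()
    for line in text.splitlines()[1:]:
        cols = line.split()
        if cols:
            inodes.add(int(cols[-1]))
    return inodes


def collect_processes(proc_root="/proc"):
    """Read comm, exe, cmdline and socket fds for every visible pid (live use)."""
    procs = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        base = os.path.join(proc_root, name)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
            exe = os.readlink(os.path.join(base, "exe"))
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            inodes = set()
            for fd in os.listdir(os.path.join(base, "fd")):
                m = re.match(r"socket:\[(\d+)\]", os.readlink(os.path.join(base, "fd", fd)))
                if m:
                    inodes.add(int(m.group(1)))
        except OSError:          # kernel threads, exited pids, permission denied
            continue
        procs.append(ProcInfo(int(name), comm, exe, cmdline, inodes))
    return procs


def name_mismatch(p):
    """True when neither comm nor argv[0] matches the binary behind the process.
    comm is truncated to 15 chars by the kernel, so a prefix test is used."""
    exe_name = os.path.basename(p.exe.replace(" (deleted)", ""))
    shown = {p.comm}
    if p.cmdline:
        shown.add(os.path.basename(p.cmdline.split()[0]).lstrip("-"))
    return bool(exe_name) and not any(exe_name.startswith(s) for s in shown if s)


def triage(procs, packet_inodes):
    """Map pid -> (severity, reasons). A raw-socket holder alone is 'medium'
    because tcpdump, dhclient or lldpd legitimately use AF_PACKET; a raw-socket
    holder that also hides its identity is 'high'."""
    results = {}
    for p in procs:
        reasons = []
        sniffing = bool(p.socket_inodes & packet_inodes)
        if sniffing:
            reasons.append("holds AF_PACKET socket (sees traffic with no listening port)")
        if name_mismatch(p):
            reasons.append(f"shown name {p.comm!r} does not match binary {p.exe!r}")
            if p.comm in SUSPICIOUS_NAMES:
                reasons.append("impersonates a service name reported in BPFdoor samples")
        if p.exe.endswith(" (deleted)"):
            reasons.append("binary removed from disk while still running")
        if reasons:
            severity = "high" if sniffing and len(reasons) > 1 else ("medium" if sniffing else "low")
            results[p.pid] = (severity, reasons)
    return results


# Constructed sample data (not captured from a real host).
SAMPLE_PACKET = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   0     1 0      0      40011
0000000000000000 3      3    0003   2     1 0      0      40022
"""
SAMPLE_PROCS = [
    ProcInfo(1234, "hpasmlited", "/dev/shm/.example-implant (deleted)",
             "/usr/sbin/hpasmlited -f", {40011}),            # spoofed name + raw socket
    ProcInfo(2001, "tcpdump", "/usr/bin/tcpdump", "tcpdump -i eth0", {40022}),  # benign sniffer
    ProcInfo(2002, "dockerd", "/usr/bin/dockerd", "/usr/bin/dockerd -H fd://", {50000}),
    ProcInfo(2003, "sshd", "/usr/sbin/sshd", "sshd: /usr/sbin/sshd -D [listener]", set()),
]

if __name__ == "__main__":
    with open("/proc/net/packet") as f:
        live_inodes = parse_proc_net_packet(f.read())
    for pid, (sev, why) in sorted(triage(collect_processes(), live_inodes).items()):
        print(f"[{sev}] pid {pid}: " + "; ".join(why))
```

Run as root so `/proc/<pid>/exe` and `/proc/<pid>/fd` of other users' processes are readable. A hit only says a process deserves a closer look; the next step is to dump its memory or binary and compare its cmdline against the package-managed service it claims to be.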
For the telecommunications industry, the implications are severe. Compromise at this layer is no longer just about server persistence; it becomes “population-level visibility into subscriber behavior and location”.
Rapid7 Labs stresses that addressing this threat requires expanding defensive visibility beyond the traditional perimeter. Organizations must begin inspecting deeper infrastructure layers, including kernel-level operations and anomalous signaling plane activity, to find the sleeper cells before they wake up.