Rapid7 Identifies Kernel-Level Backdoors and HTTPS Triggers in Global Telecom Infrastructure
Rapid7 Labs uncovered a China-nexus threat actor deploying Linux kernel-level backdoors and encrypted HTTPS triggers to establish persistent footholds in global telecommunications networks. The investigation also documents abuse of SCTP signaling for subscriber tracking and service-masquerading tactics. In response, Rapid7 has issued a free scanning script and expanded its threat-hunting tooling.
1. Espionage Campaign Overview
Rapid7 Labs identified a sustained espionage campaign by a China-nexus threat actor, Red Menshen, that embeds long-term access points within global telecommunications infrastructure. The actor has shifted from opportunistic intrusions to stealthy pre-positioning in the communications layers used by government, commercial, and critical systems.
2. Key Technical Findings
The research detailed three techniques: BPFdoor, a Linux kernel-level backdoor that operates without opening ports or generating beacon traffic; encrypted HTTPS command triggers that abuse SSL termination points; and exploitation of SCTP signaling to track subscriber location and identity data across 4G and 5G networks.
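As an added example (not Rapid7's scanner and not code from the report): public analyses of BPFdoor describe it receiving its trigger on a raw AF_PACKET socket with a BPF filter attached, which is why a port listing shows nothing. On Linux such sockets appear in /proc/net/packet and can be tied back to the owning process through the socket inodes in /proc/<pid>/fd. The parsing below runs offline on constructed sample text; the live-host path assumes a standard Linux /proc layout.

```python
import os
import re

SOCKET_RE = re.compile(r"socket:\[(\d+)\]")  # target of /proc/<pid>/fd/* for a socket
def packet_socket_inodes(proc_net_packet_text):
    """Inodes from /proc/net/packet (columns: sk RefCnt Type Proto Iface R Rmem User Inode)."""
    inodes = set()
    for line in proc_net_packet_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) >= 9 and fields[8].isdigit():
            inodes.add(int(fields[8]))
    return inodes
def match_inodes_to_pids(inodes, fd_targets):
    """fd_targets: {pid: [symlink targets of /proc/<pid>/fd/*]} -> {pid: [matching inodes]}."""
    hits = {}
    for pid, targets in fd_targets.items():
        found = set()
        for target in targets:
            m = SOCKET_RE.match(target)
            if m and int(m.group(1)) in inodes:
                found.add(int(m.group(1)))
        if found:
            hits[pid] = sorted(found)
    return hits
def read_fd_targets():
    """Symlink targets of every /proc/<pid>/fd/* on a live host (run as root to see all)."""
    result = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        fd_dir = f"/proc/{name}/fd"
        try:
            result[int(name)] = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:  # process exited or permission denied
            pass
    return result
def scan(packet_text=None, fd_targets=None):
    """Processes holding AF_PACKET sockets; reads the live host when called without arguments.
    dhclient, tcpdump and similar tools hold such sockets legitimately, so each hit needs triage."""
    if packet_text is None:
        with open("/proc/net/packet") as f:
            packet_text = f.read()
    if fd_targets is None:
        fd_targets = read_fd_targets()
    return match_inodes_to_pids(packet_socket_inodes(packet_text), fd_targets)
# Constructed sample: one packet socket (inode 40213) owned by PID 1337.
SAMPLE_PACKET = ("sk               RefCnt Type Proto  Iface R Rmem   User   Inode\n"
                 "0000000000000000 3      3    0003   2     1 0      0      40213\n")
SAMPLE_FDS = {1: ["/dev/null", "socket:[1201]"], 1337: ["pipe:[77]", "socket:[40213]"]}
```

Calling `scan()` with no arguments on a Linux host returns every PID that currently holds a packet socket; compare the result against the expected set of network tooling on that box.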
3. Rapid7's Response and Tools
To help defenders detect and remediate these threats, Rapid7 released a free open-source scanning script capable of identifying known and new BPFdoor variants. The company also enhanced its threat-hunting frameworks and updated the Rapid7 Intelligence Hub with insights for retroactive detection and proactive incident response.