STOCK TITAN

Rapid7 Labs Identifies State-Sponsored Sleeper Cells Embedded in Global Telecommunications Networks

Rhea-AI Impact: Moderate
Rhea-AI Sentiment: Negative

News Market Reaction – RPD

On the day this news was published, RPD gained 1.79%, reflecting a mild positive market reaction.

Data tracked by StockTitan Argus on the day of publication.

Market Reality Check

Last Close: $5.27
Volume: Volume 1,622,295 is below the 20-day average of 2,458,102, indicating muted trading ahead of this report (low volume).
Technical: Shares at $5.60 are trading below the 200-day MA of $16.48 and sit close to the 52-week low of $5.47.

Peers on Argus

While RPD was down 1.93%, key peers like RDWR and ATEN showed gains (e.g., RDWR up 5.27%), and sector momentum scanners did not flag a coordinated move. This points to stock-specific dynamics rather than a sector-wide shift.

Historical Context

5 past events · Latest: Mar 19 (Positive)

Date | Event | Sentiment | Move | Catalyst
Mar 19 | Product enhancement | Positive | +1.9% | New cloud security capabilities for Exposure Command announced.
Mar 18 | Threat report | Neutral | +0.2% | Global Threat Landscape Report highlighting surge in severe vulnerabilities.
Mar 17 | Partner program update | Positive | -1.9% | PACT Partner Program enhancements to support partner-led growth.
Mar 03 | Conference attendance | Neutral | +1.5% | Participation in Stifel 2026 NYC Technology One-on-One Conference.
Feb 24 | Conference presentation | Neutral | +2.5% | Presentation at Raymond James 47th Institutional Investors Conference.

Pattern Detected

Recent news—product enhancements, threat reports, and conference participation—has more often aligned with modest positive price reactions, with only one notable divergence.

Recent Company History

Over recent months, Rapid7 has focused on platform enhancements, threat intelligence, and investor outreach. On Mar 19, new Exposure Command cloud security capabilities coincided with a +1.94% move. The 2026 Global Threat Landscape Report on Mar 18 saw a smaller +0.16% reaction. Updates to the PACT Partner Program on Mar 17 aligned with a -1.9% decline, a divergence from otherwise generally positive responses to news. Conference attendance announcements in early March and late February saw gains between +1.52% and +2.45%. Today’s telecom espionage research continues the pattern of intelligence- and capability-focused disclosures.

Market Pulse Summary

Analysis

This announcement highlights Rapid7 Labs’ research into long-term espionage access in global telecommunications infrastructure, including kernel-level backdoors and abuse of encrypted HTTPS traffic and SCTP-based signaling. The company released a free, open-source scanning script and integrated new detections into its offerings, extending themes from earlier threat reports and product enhancements in March 2026. Investors watching this story may focus on adoption of these capabilities, follow-on incident response demand, and how such research supports Rapid7’s positioning in managed cybersecurity operations.

Key Terms

linux kernel-level backdoor (technical)
"The campaign uses a Linux kernel-level backdoor that operates without opening ports"
A linux kernel-level backdoor is covert or malicious code inserted into the core part (kernel) of a Linux operating system that gives hidden, high-level access and control over a computer or network while evading normal security checks. For investors, it matters because this kind of hidden master key can enable theft of sensitive data, disruption of business systems, regulatory fines, and loss of customer trust, all of which can lead to material financial and reputational damage.
https (technical)
"conceals command triggers within legitimate, encrypted HTTPS traffic"
HTTPS is the secure version of a website address that encrypts information sent between your browser and a site, like sending a sealed envelope instead of a postcard so others can’t read it if intercepted. For investors, HTTPS matters because it protects customer data, reduces risk of fraud and regulatory trouble, and boosts user trust and search visibility—factors that can influence traffic, sales and company reputation.
ssl termination points (technical)
"By abusing SSL termination points like load balancers and proxies"
SSL termination points are the locations in a company’s network where encrypted internet traffic is decrypted so the data can be inspected, routed or processed. They matter to investors because where and how decryption happens affects security, regulatory compliance, system speed and operational cost—like choosing whether to open and check every package at the front gate or at individual desks, which changes risk, expense and efficiency.
4g (technical)
"identity-related data across 4G and 5G networks"
4G is the fourth generation of cellular network technology that delivers faster internet, clearer calls, and better support for video and apps on mobile devices. Investors care because upgrades or expansions of 4G networks affect sales of phones and network equipment, change how consumers use data, and influence revenue and costs for telecom firms—think of it as a highway upgrade that lets more traffic flow faster, benefiting companies that build, run, or sell services on that road.
5g (technical)
"identity-related data across 4G and 5G networks"
5G is the fifth generation of wireless technology that provides faster internet connections, lower latency, and greater capacity than previous networks. It enables quicker downloads, smoother streaming, and more reliable connections for devices. For investors, 5G represents a significant upgrade in technology infrastructure that can drive growth in related industries such as smartphones, smart cities, and the Internet of Things.
packet-filtering layers (technical)
"visibility gaps into persistence at the kernel and packet-filtering layers"
Packet-filtering layers are parts of a network's defenses that examine small chunks of data passing in and out of a system and decide whether to block or allow them, like a security guard checking envelopes for suspicious content before delivery. For investors, they matter because effective filtering reduces the risk of cyberattacks, data breaches, downtime and related regulatory fines, which can protect a company's revenue, reputation and operating costs.

AI-generated analysis. Not financial advice.

Research reveals long-term espionage access inside telecommunications infrastructure with implications for government communications and critical systems

BOSTON, March 26, 2026 (GLOBE NEWSWIRE) -- Rapid7 (NASDAQ: RPD), a global leader in AI-powered managed cybersecurity operations, released findings from a months-long research investigation from Rapid7 Labs, “Sleeper Cells in the Telecom Backbone,” detailing a sustained espionage campaign conducted by a China-nexus threat actor, Red Menshen, with covert access inside global telecommunications infrastructure.

The research highlights a shift from opportunistic intrusion to deliberate, long-term pre-positioning inside telecommunications networks. These “sleeper cells” are designed to remain undetected while providing persistent visibility into subscriber activity, signaling systems, and sensitive communications—enabling ongoing intelligence collection across environments that support government, commercial, and critical infrastructure operations.

“If you have access to telecommunications infrastructure, you are not just inside one company, you are operating close to the communication layer of entire populations, which makes this type of access highly valuable and elevates detection to a national-level concern,” said Raj Samani, chief scientist at Rapid7. “The activity we are seeing continues to evolve in ways that improve stealth and persistence, and organizations should treat detection as the start of investigation, not the end of it.”

The research also identifies critical visibility gaps into persistence at the kernel and packet-filtering layers. Without insight into these areas, service masquerading and stealth activation techniques can remain undetected for extended periods. Organizations must have preemptive detection strategies that identify unusual service masquerading and stealth activation mechanisms before they can be leveraged for high-level intelligence collection.

Key findings:

  • Persistent access in telecommunications infrastructure: Rapid7 Labs identified coordinated activity establishing long-term, dormant footholds within global telecommunications environments.
  • Kernel-level stealth using BPFdoor: The campaign uses a Linux kernel-level backdoor that operates without opening ports or generating typical beaconing activity, limiting visibility for traditional endpoint and network monitoring tools.
  • Weaponization of encrypted traffic: A newly identified variant of the malware now conceals command triggers within legitimate, encrypted HTTPS traffic. By abusing SSL termination points like load balancers and proxies, the actor can bypass modern security controls to activate dormant implants.
  • Access to telecommunications signaling systems: The investigation found targeting of specialized protocols such as SCTP, enabling visibility into subscriber activity, including location tracking and identity-related data across 4G and 5G networks.
  • Service masquerading within telecommunications environments: The malware mimics legitimate infrastructure and management services, including hardware monitoring and container components, to blend into routine operational activity.

“This is not traditional espionage, it is pre-positioning inside the infrastructure that nations depend on,” said Christiaan Beek, vice president of cyber intelligence at Rapid7. “We are seeing a persistent access model where attackers embed within core communications systems and maintain that access over extended periods.”

Rapid7 is working with organizations it believes may be impacted and, to support defenders in identifying potential BPFdoor activity, has released a free, open-source scanning script. The scanning script is designed to detect both previously documented BPFdoor variants and newer samples, and is available to assist organizations in proactively identifying potential compromises. Rapid7’s goal is to help defenders rapidly validate exposure and begin incident response investigations where necessary. In addition, Rapid7 has incorporated these findings across its detection capabilities, including retroactive threat hunting and updated intelligence available to customers through the Rapid7 Intelligence Hub.

On Thursday, March 26 at 12:20 p.m. PT at RSAC 2026 Conference in San Francisco, Christiaan Beek will be presenting the full scope of this research in his session, “Sleeper Cells in the Telecom Backbone.”

On Monday, March 30, Raj Samani and Christiaan Beek will discuss the findings and the impact on global telecommunications in this exclusive webinar.

About Rapid7

Rapid7, Inc. (NASDAQ: RPD) is a global leader in AI-powered managed cybersecurity operations, trusted to advance organizations’ cyber resilience. Open and extensible, the Rapid7 Command Platform integrates security data, enriching it with AI, threat intelligence, and 25 years of expertise and innovation to reduce risk and disrupt attackers. As a recognized leader in preemptive managed detection and response (MDR), Rapid7 unifies exposure and detection to transform the cybersecurity operations of more than 11,500 customers worldwide. For more information, visit our website, check out our blog, or follow us on LinkedIn or X.

Rapid7 Media Relations
Stacey Holleran
Sr. Manager, Global Communications
press@rapid7.com
(857) 216-7804

Rapid7 Investor Contact
Matt Wells
Vice President, Investor Relations
investors@rapid7.com
(617) 865-4277

