Chinese Hackers Caught Deep Within Telecom Backbone Infrastructure

Summary

A China-sponsored threat actor has embedded kernel-level implants and passive backdoors, including the BPFdoor Linux backdoor, deep within telecommunications backbone infrastructure worldwide for persistent espionage. The campaign targets public-facing applications on Ivanti, Cisco, Fortinet, VMware, and Palo Alto Networks appliances, using credential harvesters, CrossC2 beacons, and TinyShell for lateral movement and persistence. The sophisticated operation bypasses modern network defenses through encrypted HTTPS triggers, packet filtering, and camouflage techniques to maintain long-term access to critical telecom infrastructure.

Full text

A China-linked state-sponsored threat actor has deployed kernel implants and passive backdoors deep within telecommunication backbone infrastructure worldwide for long-term persistence, Rapid7 reports. The stealth digital sleeper cells have not been attributed to any known APT but are meant for high-level espionage, including against government networks, the cybersecurity firm says. The persistent tools were deployed as part of apparent discreet breaches that are characterized by recurring elements, suggesting an ongoing operation aimed at “embedding stealthy access mechanisms deep inside telecom and critical environments” for extended access. As part of its investigation, Rapid7 uncovered passive backdoors and kernel-level implants that have been used in combination with credential harvesters and cross-platform command frameworks. “Together, these components form a persistent access layer designed not simply to breach networks, but to inhabit them,” the cybersecurity firm warns. One of the central pieces of the campaign is BPFdoor, a stealthy Linux backdoor that was publicly detailed in 2021, and which uses Berkeley Packet Filter (BPF) functionality for packet inspection within the kernel, reacting to specific packets only.Advertisement. Scroll to continue reading. As part of the analyzed intrusions, public-facing applications and valid accounts were abused for initial access. The state-sponsored hackers targeted Ivanti, Cisco, Fortinet, VMware, and Palo Alto Networks appliances, as well as Apache Struts and other web-facing platforms. At the next step, the hackers deployed Linux beacon frameworks such as CrossC2, a Cobalt Strike-derived beacon often used by Chinese APTs for staging, command execution, and lateral movement. For persistence, the intruders often deploy the open source passive backdoor framework TinyShell. SSH brute-forcers and custom keyloggers are also deployed, along with “brute-force utilities containing pre-populated credential lists tailored for telecom environment,” Rapid7 says. The BPFDoor, which had its source code leaked online in 2022, is deployed in the Linux kernel and remains dormant, inspecting network traffic using the BPF filter. When a specific magic byte sequence is received inside a crafted packet, the backdoor spawns a bind shell or reverse shell. Rapid7 observed several BPFdoor samples used in the wild, all ELF files, although Solaris variants also exist, and released a scanner to help defenders identify potential infections. Some BPFdoor samples, the cybersecurity firm says, can mimic bare-metal infrastructure, posing as legitimate enterprise platforms to blend into operational noise. Others were seen spoofing core containerization components. In newer variants, the backdoor trigger is embedded within seemingly legitimate HTTPS traffic, and the attackers are carefully padding the request so that their marker always “lands exactly at the 26th byte offset of the inspected data structure,” which the implant checks. “The updated variant combines encrypted HTTPS triggers, proxy-aware command delivery, application-layer camouflage techniques, ICMP-based control signals, and kernel-level packet filtering to bypass multiple layers of modern network defenses,” Rapid7 notes. The cybersecurity firm underlines that BPFdoor’s capabilities make it more threatening than a typical, stealthy backdoor, turning it into an access layer to telecom backbone infrastructure. “Rather than targeting individual servers, the operators appear to focus on the underlying platforms that power modern telecommunication networks: bare-metal systems running telecom workloads, cloud-native Kubernetes environments hosting Containerized Network Functions, and the signaling protocols that coordinate subscriber identity, mobility, and communication flows,” Rapid7 notes. This is not the first time Chinese hackers have been caught deep inside critical infrastructure. In early 2024, CISA confirmed that Volt Typhoon had been “pre-positioning” across US organizations, only months after Mandiant warned of the hacking group being “clearly dug in”. In 2024, the networks of nine US telecom firms were hacked by Salt Typhoon, a Chinese state-sponsored group that continued targeting telecoms providers in 2025. Related: FCC Bans New Routers Made Outside the US Over National Security Risks Related: EU Sanctions Chinese, Iranian Firms Supporting Hacking Operations Related: Google Disrupts Chinese Hackers Targeting Telecoms, Governments Related: Singapore: Rootkits, Zero-Day Used in Chinese Attack on Major Telecom Firms Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire From Trivy to Broad OSS Compromise: TeamPCP Hits Docker Hub, VS Code, PyPIExtortion Group Claims It Hacked AstraZenecaChrome 146 Update Patches High-Severity Vulnerabilities3.1 Million Impacted by QualDerm Data BreachCritical Citrix NetScaler Vulnerability Poised for Exploitation, Security Firms WarnMazda Says Employee, Partner Information Stolen in CyberattackChip Services Firm Trio-Tech Says Subsidiary Hit by Ransomware Aqua’s Trivy Vulnerability Scanner Hit by Supply Chain Attack Latest News Cisco Patches Multiple Vulnerabilities in IOS SoftwareAlleged RedLine Malware Administrator Extradited to USDell and HP Roll Out Quantum-Resistant Device Security and AI-Era Cyber ResilienceOnit Security Raises $11 Million for Exposure Management PlatformRussian Cybercriminal Gets 2-Year Prison Sentence in US AI Speeds Attacks, But Identity Remains Cybersecurity’s Weakest LinkiOS, macOS 26.4 Roll Out With Fresh Security PatchesFCC Bans New Routers Made Outside the US Over National Security Risks Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Securing Fragile OT in an Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the MoveToken has appointed Katy Nelson as Chief Revenue Officer.Hemant Baidwan has joined Knox Systems as Chief Information Security Officer.The US Senate confirmed Markwayne Mullin as DHS Secretary.More People On The MoveExpert Insights Why Agentic AI Systems Need Better Governance – Lessons from OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) The Human IOC: Why Security Professionals Struggle with Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How to 10x Your Vulnerability Management Program in the Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose a Critical Flaw in Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Four Risks Boards Cannot Treat as Background Noise The goal isn’t about preventing every attack but about keeping the business running when attacks succeed. (Steve Durbin) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• malware — BPFdoor
• malware — CrossC2
• malware — TinyShell
• mitre_attack — T1190
• mitre_attack — T1098
• mitre_attack — T1547.014