
Stealth Chinese Cyber Operation Embedded Deep Inside Global Telecom Backbone Networks

A China-linked state-sponsored threat actor has been discovered operating deep within global telecommunications backbone infrastructure, deploying tools built for long-term espionage, according to Rapid7.

The campaign involves stealthy “digital sleeper cells” that remain hidden inside critical systems, enabling persistent and high-level surveillance. While the activity has not been officially attributed to a known advanced persistent threat group, researchers believe it is part of an ongoing effort to embed covert access mechanisms within telecom and other critical environments.

Investigators identified a combination of passive backdoors that rely on in-kernel packet filtering, supported by credential harvesting tools and cross-platform command frameworks. Together these components form a persistent access layer that lets attackers not just break into networks, but stay embedded in them for long periods.

A central tool in the campaign is BPFdoor, a stealthy Linux backdoor first disclosed in 2021. It attaches a classic Berkeley Packet Filter (BPF) program to a raw socket, so the kernel inspects every inbound packet and hands the implant only those that match; the implant stays idle until a specially crafted packet carrying a specific trigger sequence arrives. Because no listening port is ever opened, the backdoor does not show up in port scans or in a routine listing of listening sockets.

Initial access was most often gained by exploiting vulnerabilities in public-facing applications and by logging in with valid accounts. The exploited products included edge and management appliances from Cisco, Fortinet, VMware, Palo Alto Networks, and Ivanti, as well as web frameworks such as Apache Struts.

Once inside, attackers deployed tools such as CrossC2, a framework that produces Cobalt Strike-compatible beacons for Linux and macOS, for command execution, lateral movement, and staging. For persistence they used TinyShell, an open-source Unix backdoor that can run as a passive listener, alongside SSH brute-force tools, custom keyloggers, and credential lists tailored to telecom environments.

BPFdoor itself runs as an ordinary user-space process, usually under a name borrowed from a legitimate system daemon, but the filter it installs runs inside the kernel, so the implant can sit dormant with no open port while every inbound packet is inspected. When a packet carries the expected trigger bytes, the implant reads the rest of the packet for its instructions and either opens a bind shell (temporarily redirecting a port to itself with iptables rules) or connects back to the operator with a reverse shell. Newer variants hide the trigger inside traffic that looks like encrypted HTTPS, placing the activation marker at a fixed byte offset within the payload so that simple content signatures miss it.
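To make the activation check concrete, here is an added illustration in Python. It is my own example, not code from Rapid7's report or from any BPFdoor sample: it models the trigger test the implant performs (marker anywhere in the payload for older builds, marker at one fixed offset for newer ones) and, because the same logic is what a sensor needs, also emits the equivalent tcpdump capture filter. The MAGIC constant, the addresses and the packets are constructed for the example and are not real indicators.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Assumed trigger marker. Real BPFdoor builds hard-code their own values,
# which differ between samples; this constant is a placeholder for the
# example only and is not taken from any sample.
MAGIC = b"\x52\x93\x00\x01"


@dataclass
class Match:
    proto: str    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    offset: int   # where the marker sits inside the transport payload


def _addr(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_ipv4(pkt: bytes):
    """Return (proto, src, dst, transport_bytes), or None if this is not a sane IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or len(pkt) < ihl or total_len < ihl:
        return None
    return pkt[9], _addr(pkt[12:16]), _addr(pkt[16:20]), pkt[ihl:min(total_len, len(pkt))]


def transport_payload(proto: int, seg: bytes):
    """Strip the TCP/UDP/ICMP header and return (name, payload); other protocols are ignored."""
    if proto == 6 and len(seg) >= 20:            # TCP: data offset is the high nibble of byte 12
        doff = (seg[12] >> 4) * 4
        if 20 <= doff <= len(seg):
            return "tcp", seg[doff:]
    elif proto == 17 and len(seg) >= 8:          # UDP: fixed 8-byte header
        return "udp", seg[8:]
    elif proto == 1 and len(seg) >= 8:           # ICMP echo/reply: 8-byte header
        return "icmp", seg[8:]
    return None, b""


def find_trigger(pkt: bytes, magic: bytes = MAGIC, offset: Optional[int] = None) -> Optional[Match]:
    """Report whether a packet would wake the implant.

    offset=None searches the whole payload (older behaviour); a fixed offset
    mirrors the newer variants that expect the marker at one position.
    """
    parsed = parse_ipv4(pkt)
    if parsed is None:
        return None
    proto, src, dst, seg = parsed
    name, payload = transport_payload(proto, seg)
    if name is None:
        return None
    if offset is None:
        idx = payload.find(magic)
    else:
        idx = offset if payload[offset:offset + len(magic)] == magic else -1
    return Match(name, src, dst, idx) if idx >= 0 else None


def tcpdump_filter(magic: bytes = MAGIC) -> str:
    """Equivalent capture filter for a sensor hunting the marker at payload offset 0."""
    val = "0x%08x" % int.from_bytes(magic, "big")
    return (f"(udp[8:4] = {val}) or (icmp[8:4] = {val}) "
            f"or (tcp[((tcp[12]&0xf0)>>2):4] = {val})")


# --- constructed sample packets (built here for the example, not captured traffic) ---

def _ipv4(proto: int, src: str, dst: str, transport: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(transport), 0, 0, 64, proto, 0,
                      bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return hdr + transport

def _udp(sport, dport, payload): return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
def _tcp(sport, dport, payload): return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
def _icmp_echo(payload):         return struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + payload

SAMPLE_UDP   = _ipv4(17, "203.0.113.5", "198.51.100.9", _udp(40000, 53, MAGIC + b"cmd"))
# TLS-looking record header, 17 bytes of padding, then the marker at payload offset 20
SAMPLE_TCP   = _ipv4(6,  "203.0.113.5", "198.51.100.9", _tcp(51000, 443, b"\x16\x03\x01" + b"\x00" * 17 + MAGIC + b"x"))
SAMPLE_ICMP  = _ipv4(1,  "203.0.113.5", "198.51.100.9", _icmp_echo(MAGIC + b"ping"))
SAMPLE_PLAIN = _ipv4(6,  "203.0.113.5", "198.51.100.9", _tcp(51001, 443, b"GET / HTTP/1.1\r\n"))

if __name__ == "__main__":
    for label, pkt in [("udp", SAMPLE_UDP), ("tcp@20", SAMPLE_TCP), ("icmp", SAMPLE_ICMP), ("plain", SAMPLE_PLAIN)]:
        print(label, find_trigger(pkt, offset=20 if label == "tcp@20" else None))
    print(tcpdump_filter())
```

The fixed-offset mode is the one that matters for the newer variants: the same TCP sample matches with `offset=20` and is ignored with `offset=0`, which is exactly why a signature that only looks at the start of the payload misses them. On the host side, the complementary check is for processes holding a packet socket with a BPF program attached (for example `ss -0pb` on Linux), since that is the footprint the implant cannot avoid leaving even though it opens no listening port.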

These updated versions also add evasion features, including proxy-aware communication, ICMP-based control signals, and application-layer camouflage, which let their traffic blend into flows that perimeter controls already permit.

Researchers warn that BPFdoor is more than a typical backdoor: it serves as a foundational access layer within telecom infrastructure. Rather than targeting individual endpoints, the attackers focus on the core platforms that power communication networks, including bare-metal servers, cloud-native Kubernetes environments, and containerized network functions.

This discovery adds to a growing list of incidents involving Chinese state-linked cyber activity in critical infrastructure. In 2024, US agencies warned that Volt Typhoon had pre-positioned inside US networks, while Salt Typhoon compromised multiple US telecom providers and continued operating into 2025.

The findings highlight an ongoing strategy focused on long-term access and intelligence gathering within the systems that underpin global communications.


1 Comment

  • The depth and sophistication of this operation are alarming. Embedding backdoors at the kernel level in global telecom networks shows how state-sponsored actors are shifting toward persistent, long-term espionage. Defending against such threats will require constant vigilance and advanced detection strategies.
