A China-linked espionage group has embedded kernel-level implants and passive backdoors within global telecommunications infrastructure to maintain long-term access. These sophisticated sleeper cells target high-level government networks and critical environments using stealthy tools designed to inhabit systems rather than just breach them.
Security researchers have identified a coordinated campaign involving state-sponsored actors who have infiltrated telecommunications backbone infrastructure worldwide. These intruders deploy specialized kernel implants and backdoors to establish a persistent presence, focusing on high-value targets including government networks. Rather than conducting traditional short-term attacks, the operation is characterized by its ability to remain dormant and undetected within critical environments for extended periods.
Initial access is often gained by exploiting vulnerabilities in public-facing applications or using compromised credentials from major vendors such as Cisco, Fortinet, and Palo Alto Networks. Once inside, the hackers deploy Linux-based beacon frameworks, such as CrossC2, to facilitate lateral movement and command execution across the network. This stage of the operation allows the actors to move beyond the initial point of entry and begin the process of embedding their long-term access mechanisms.
A central component of this campaign is the use of BPFdoor, a stealthy backdoor that leverages Berkeley Packet Filter functionality to inspect network traffic directly within the kernel. This tool remains inactive until it identifies a specific sequence of data within a packet, at which point it can trigger a command shell for the attackers. By operating at the kernel level, the malware can bypass many standard security defenses and blend into the normal operational noise of a telecommunications system.
Recent variants of these tools have shown increased sophistication, such as embedding triggers within encrypted HTTPS traffic and mimicking legitimate containerization components. The attackers use precise data offsets and application-layer camouflage to ensure their commands reach the implants without raising alarms. This level of technical detail suggests a highly disciplined adversary focused on maintaining visibility into subscriber identity, mobility, and communication flows within the telecom core.
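Because BPFdoor's filter sits on a raw AF_PACKET socket while it waits for its trigger, one practical host check that follows from the two paragraphs above is to enumerate which processes hold such sockets. The following is an added example written for this page, not Rapid7's tooling; it parses the Linux `/proc/net/packet` table, correlates socket inodes with `/proc/<pid>/fd` symlinks, and runs here against constructed sample data.

```python
"""Hypothetical hunt helper (not Rapid7's code): find processes holding an AF_PACKET
raw socket, the socket type BPFdoor attaches its kernel filter to while it waits."""
import os
import re

SOCK_RAW = 3  # value of the Type column in /proc/net/packet for raw sockets
SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")  # shape of /proc/<pid>/fd symlinks

# Constructed sample of /proc/net/packet: one raw ETH_P_ALL socket, one DGRAM socket.
SAMPLE_PROC_NET_PACKET = (
    "sk       RefCnt Type Proto  Iface R Rmem   User   Inode\n"
    "ffff8881 3      3    0003   2     1 0      0      12345\n"
    "ffff8882 2      2    0800   0     1 0      0      67890\n"
)
# Constructed fd tables, pid -> readlink() results of /proc/<pid>/fd/*.
SAMPLE_FD_LINKS = {101: ["socket:[12345]", "/dev/null"],
                   202: ["socket:[67890]"], 303: ["pipe:[5]"]}

def parse_proc_net_packet(text):
    """Return [(inode, sock_type, proto)] from the /proc/net/packet table."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) >= 9:
            rows.append((int(cols[8]), int(cols[2]), int(cols[3], 16)))
    return rows

def collect_fd_links():
    """Read live /proc/<pid>/fd symlinks; run as root to see every process."""
    links = {}
    for pid in (int(p) for p in os.listdir("/proc") if p.isdigit()):
        try:
            fd_dir = f"/proc/{pid}/fd"
            links[pid] = [os.readlink(f"{fd_dir}/{fd}") for fd in os.listdir(fd_dir)]
        except OSError:
            continue  # process exited or its fd table is not readable
    return links

def raw_socket_owners(net_packet_text, fd_links):
    """Return {inode: [pids]} for each raw AF_PACKET socket with an identifiable owner."""
    raw = {inode for inode, sock_type, _ in parse_proc_net_packet(net_packet_text)
           if sock_type == SOCK_RAW}
    owners = {}
    for pid, links in fd_links.items():
        for m in filter(None, map(SOCKET_LINK.match, links)):
            if int(m.group(1)) in raw:
                owners.setdefault(int(m.group(1)), []).append(pid)
    return owners

if __name__ == "__main__":  # live scan of this Linux host
    hits = raw_socket_owners(open("/proc/net/packet").read(), collect_fd_links())
    print("\n".join(f"inode {i} held by PIDs {p}" for i, p in hits.items()))
```

Legitimate software (packet capture tools, DHCP clients, LLDP daemons) also holds raw packet sockets, so treat the output as a triage list and compare each owning process's name, binary path and parent against what is expected on that host.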
The findings highlight a broader trend of state-sponsored actors pre-positioning themselves within essential infrastructure to ensure readiness for future intelligence gathering or disruption. By targeting the underlying platforms that power modern networks, including bare-metal systems and cloud-native environments, the operators create a robust access layer that is difficult to eradicate. This activity mirrors other documented efforts by China-linked groups to maintain a deep, quiet foothold within global critical infrastructure.
Source: https://www.rapid7.com/blog/post/tr-bpfdoor-telecom-networks-sleeper-cells-threat-research-report