According to Rapid7, a China-linked state-sponsored threat actor has deployed kernel implants and passive backdoors deep within telecommunication backbone infrastructure worldwide to enable long-term espionage. The operation features stealthy components such as BPFdoor, a Linux backdoor that uses Berkeley Packet Filter functionality to inspect traffic inside the kernel and can spawn a bind or reverse shell when a specific packet sequence is detected.
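Because a BPFdoor-style implant watches for its trigger on a raw packet socket rather than a listening port, it does not show up in a normal `netstat`/`ss -l` listing; on Linux, however, every AF_PACKET socket is listed in `/proc/net/packet`, and its inode can be mapped back to the owning process through `/proc/<pid>/fd`. The following hunting script is an added example written for this article, not Rapid7's tooling or anything from the report. It parses a constructed sample of the `/proc/net/packet` table (the header and column layout are those of the kernel's `af_packet.c`; the row values are invented), and when run as a script it reads the live table and attributes each raw socket to a process. Legitimate holders of such sockets exist (DHCP clients, packet-capture tools, LLDP daemons), so the output is a list to triage, not a verdict.

```python
"""Attribute AF_PACKET (raw) sockets to processes on Linux.

Added example for this article, not Rapid7's code. The sample table below is
constructed; the column layout matches /proc/net/packet on Linux.
"""
import os
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of /proc/net/packet (header plus two rows).
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff8c1a00000000 3      3    0003   2     1 0      0      21994
ffff8c1a00000001 3      3    0800   0     1 0      1000   33021
"""

# Real socket type and ethertype constants used by the table's Type/Proto columns.
SOCK_TYPES = {"2": "SOCK_DGRAM", "3": "SOCK_RAW"}
ETHERTYPES = {"0003": "ETH_P_ALL", "0800": "ETH_P_IP"}


def parse_proc_net_packet(text: str) -> List[Dict[str, str]]:
    """Parse the /proc/net/packet table into one dict per socket, keyed by header."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header):
            continue  # skip anything that does not match the header shape
        rows.append(dict(zip(header, fields)))
    return rows


def describe_socket(row: Dict[str, str]) -> str:
    """Human-readable summary of one table row (type, protocol, iface index, uid)."""
    stype = SOCK_TYPES.get(row["Type"], "type=" + row["Type"])
    proto = ETHERTYPES.get(row["Proto"].lower(), "proto=0x" + row["Proto"])
    return f"{stype} {proto} iface={row['Iface']} uid={row['User']} inode={row['Inode']}"


def socket_inodes_by_pid(proc_root: str = "/proc") -> Dict[int, Set[str]]:
    """Map pid -> socket inodes by reading the socket:[N] symlinks in /proc/<pid>/fd."""
    result: Dict[int, Set[str]] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue  # process exited, or we lack permission (run as root for full coverage)
        inodes: Set[str] = set()
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            match = re.fullmatch(r"socket:\[(\d+)\]", target)
            if match:
                inodes.add(match.group(1))
        if inodes:
            result[int(entry)] = inodes
    return result


def attribute_raw_sockets(
    rows: List[Dict[str, str]], pid_inodes: Dict[int, Set[str]]
) -> List[Tuple[int, Dict[str, str]]]:
    """Return (pid, row) pairs for every packet socket whose inode a process holds."""
    findings = []
    for row in rows:
        for pid, inodes in pid_inodes.items():
            if row["Inode"] in inodes:
                findings.append((pid, row))
    return findings


def process_name(pid: int, proc_root: str = "/proc") -> str:
    """Best-effort command name from /proc/<pid>/comm."""
    try:
        with open(os.path.join(proc_root, str(pid), "comm")) as fh:
            return fh.read().strip()
    except OSError:
        return "?"


if __name__ == "__main__":
    # Live run: read the real table and attribute each raw socket to a process.
    with open("/proc/net/packet") as fh:
        live_rows = parse_proc_net_packet(fh.read())
    for pid, row in attribute_raw_sockets(live_rows, socket_inodes_by_pid()):
        print(f"pid={pid} ({process_name(pid)}): {describe_socket(row)}")
```

Sockets whose inode maps to no process (for example because the script ran unprivileged) are worth re-checking as root; a raw socket held by an unexpected binary, or by a process whose executable has been deleted from disk, is the kind of finding that warrants pulling the BPF filter and the process memory for analysis.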
Public-facing applications and valid accounts were abused for initial access; targets included Ivanti, Cisco, Fortinet, VMware and Palo Alto Networks appliances, Apache Struts, and other web-facing platforms. The campaign also deploys Linux beacon frameworks such as CrossC2 and TinyShell for persistence, and uses SSH brute-forcers and pre-populated credential lists tailored to telecom environments, alongside cross-platform command frameworks.
Rapid7 notes that the updated variants combine encrypted HTTPS triggers, ICMP-based control signals, and application-layer camouflage to bypass multiple network defenses, turning BPFdoor into an access layer for telecom infrastructure. This follows prior disclosures about Volt Typhoon and Salt Typhoon targeting critical telecom networks.