Chinese Hackers Caught Deep Within Telecom Backbone Infrastructure

-

 


A China-linked state-sponsored threat actor has deployed kernel implants and passive backdoors deep within telecommunication backbone infrastructure worldwide for long-term persistence, Rapid7 reports.

The stealth digital sleeper cells have not been attributed to any known APT but are meant for high-level espionage, including against government networks, the cybersecurity firm says.

The persistent tools were deployed as part of apparent discreet breaches that are characterized by recurring elements, suggesting an ongoing operation aimed at “embedding stealthy access mechanisms deep inside telecom and critical environments” for extended access.

As part of its investigation, Rapid7 uncovered passive backdoors and kernel-level implants that have been used in combination with credential harvesters and cross-platform command frameworks.

“Together, these components form a persistent access layer designed not simply to breach networks, but to inhabit them,” the cybersecurity firm warns.

One of the central pieces of the campaign is BPFdoor, a stealthy Linux backdoor that was publicly detailed in 2021, and which uses Berkeley Packet Filter (BPF) functionality for packet inspection within the kernel, reacting to specific packets only.

As part of the analyzed intrusions, public-facing applications and valid accounts were abused for initial access. The state-sponsored hackers targeted Ivanti, Cisco, Fortinet, VMware, and Palo Alto Networks appliances, as well as Apache Struts and other web-facing platforms.

At the next step, the hackers deployed Linux beacon frameworks such as CrossC2, a Cobalt Strike-derived beacon often used by Chinese APTs for staging, command execution, and lateral movement.

For persistence, the intruders often deploy the open source passive backdoor framework TinyShell. SSH brute-forcers and custom keyloggers are also deployed, along with “brute-force utilities containing pre-populated credential lists tailored for telecom environment,” Rapid7 says.

The BPFDoor, which had its source code leaked online in 2022, is deployed in the Linux kernel and remains dormant, inspecting network traffic using the BPF filter. When a specific magic byte sequence is received inside a crafted packet, the backdoor spawns a bind shell or reverse shell.

Rapid7 observed several BPFdoor samples used in the wild, all ELF files, although Solaris variants also exist, and released a scanner to help defenders identify potential infections.

Some BPFdoor samples, the cybersecurity firm says, can mimic bare-metal infrastructure, posing as legitimate enterprise platforms to blend into operational noise. Others were seen spoofing core containerization components.

In newer variants, the backdoor trigger is embedded within seemingly legitimate HTTPS traffic, and the attackers are carefully padding the request so that their marker always “lands exactly at the 26th byte offset of the inspected data structure,” which the implant checks.

“The updated variant combines encrypted HTTPS triggers, proxy-aware command delivery, application-layer camouflage techniques, ICMP-based control signals, and kernel-level packet filtering to bypass multiple layers of modern network defenses,” Rapid7 notes.

The cybersecurity firm underlines that BPFdoor’s capabilities make it more threatening than a typical, stealthy backdoor, turning it into an access layer to telecom backbone infrastructure.

“Rather than targeting individual servers, the operators appear to focus on the underlying platforms that power modern telecommunication networks: bare-metal systems running telecom workloads, cloud-native Kubernetes environments hosting Containerized Network Functions, and the signaling protocols that coordinate subscriber identity, mobility, and communication flows,” Rapid7 notes.

This is not the first time Chinese hackers have been caught deep inside critical infrastructure. In early 2024, CISA confirmed that Volt Typhoon had been “pre-positioning” across US organizations, only months after Mandiant warned of the hacking group being “clearly dug in”.

In 2024, the networks of nine US telecom firms were hacked by Salt Typhoon, a Chinese state-sponsored group that continued targeting telecoms providers in 2025.


-Reference:https://www.securityweek.com/

Comments

Post a Comment

Popular posts from this blog

The Hidden Lag Killing Your SIEM Efficiency

-
Image
  If your security tools feel slower than they should, you’re not imagining it. Many IT teams blame their sluggish SIEM performance on query complexity or alert volume. But sometimes the real issue is much simpler: oversized input files quietly dragging your system down. Think about the last time you had to sift through a bloated PDF or an unoptimised log dump. Every unnecessary megabyte adds strain. Every redundant line eats up cycles. Your SIEM doesn’t just react to threats—it processes all incoming data, relevant or not. When it starts lagging, detection gets delayed, triage slows, and in the high-stakes world of threat response, even seconds count. We often focus on analytics and rule tuning, but upstream efficiency—what you feed into your system—deserves just as much attention. This article looks at how optimising your inputs unlocks downstream performance. Why Oversized Files Clog the Pipeline As data volumes grow, organisations face esca lating  data storage costs ,...
Read more

Critical Vulnerability in Veeam Backup & Replication Exposes Enterprises to Remote Code Execution

-
Image
Critical Vulnerability in Veeam Backup & Replication Exposes Enterprises to Remote Code Execution By : Rei Ibraima A newly discovered critical vulnerability in Veeam’s Backup & Replication software, designated as CVE-2025-23120, poses a significant security risk to enterprise environments. The flaw allows authenticated domain users to execute arbitrary code remotely, potentially leading to full compromise of backup infrastructures. About CVE-2025-23120 The vulnerability arises from an insecure deserialization issue within Veeam Backup & Replication components—particularly in the .NET classes Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary. Improper input validation in these components allows attackers to inject malicious serialized objects that are executed on the server side, resulting in Remote Code Execution (RCE). This issue affects systems where Veeam Backup & Replication is deployed in a domain-joined configuration, which—while common—is...
Read more

Lotus Panda Hacks SE Asian Governments With Browser Stealers and Sideloaded Malware

-
Image
The China-linked cyber espionage group tracked as Lotus Panda has been attributed to a campaign that compromised multiple organizations in an unnamed Southeast Asian country between August 2024 and February 2025. "Targets included a government ministry, an air traffic control organization, a telecoms operator, and a construction company," the Symantec Threat Hunter Team said in a new report shared with The Hacker News. "The attacks involved the use of multiple new custom tools, including loaders, credential stealers, and a reverse SSH tool." The intrusion set is also said to have targeted a news agency located in another country in Southeast Asia and an air freight organization located in another neighboring country. The threat cluster, per Broadcom's cybersecurity division, is assessed to be a continuation of a campaign that was disclosed by the company in December 2024 as a high-profile organization in Southeast Asia since at least October 2023. ...
Read more