BPFdoor backdoors found inside telecom networks in long-term espionage campaign
A long-running cyber espionage campaign has planted stealthy BPFdoor backdoors inside telecom networks, giving attackers covert access to systems that sit deep inside critical communications infrastructure. Rapid7 says the activity is tied to a China-nexus threat actor it tracks as Red Menshen, and the goal appears to be long-term intelligence collection rather than quick disruption.
This is serious because telecom networks carry far more than ordinary business traffic. They support subscriber authentication, mobility events, routing, and signaling across national and international networks. Rapid7 says access at this layer can expose sensitive metadata and create downstream risk for government and other high-value targets that depend on those carriers.
The campaign appears broad in scope. Rapid7 says victims span South Korea, Hong Kong, Myanmar, Malaysia, Egypt, and parts of the Middle East. The company also says the intrusions were designed to maintain hidden access for extended periods, which is why the report describes them as digital sleeper cells inside the telecom backbone.
What BPFdoor does
At the center of the campaign is BPFdoor, a stealthy Linux backdoor that abuses Berkeley Packet Filter functionality. Unlike typical backdoors, it does not need to open a visible listening port or generate noisy outbound beacon traffic. Instead, it inspects packets in memory and activates only when it sees the right trigger. That makes it much harder to spot with common network and host monitoring tools.
Rapid7 says the latest samples show an important evolution. Older BPFdoor variants relied on crafted packets that defenders could sometimes hunt for. The newer variant can hide trigger commands inside normal HTTPS traffic after SSL termination, which lets it blend into legitimate internal network flows. Rapid7 also described a padding trick that ensures a marker lands at a fixed offset in the payload, helping the malware survive header changes caused by proxies and load balancers.
The researchers also found an ICMP-based control mechanism that lets infected servers relay commands to each other. In practice, that gives the attackers another quiet channel for control and movement inside the network without relying on more obvious command-and-control traffic.
Why telecom networks are such valuable targets
Telecom core environments handle subscriber identity, roaming, mobility, and signaling functions that support huge amounts of national traffic. That makes them very different from a normal enterprise network. An intruder with deep, persistent access here may gain visibility into communication patterns, subscriber identifiers, and movement-related events that help with state-level intelligence collection.
Rapid7 says this activity goes beyond opportunistic intrusion. The firm describes the campaign as deliberate pre-positioning inside critical infrastructure, with the threat actor aiming to stay hidden for the long term. That matters because an operation like this can outlast a normal incident response cycle if defenders focus only on edge systems and miss the quieter implants living farther inside the network.
How the malware hides in real environments
Some samples impersonated hpasmlited, a process associated with HPE ProLiant server environments, according to Rapid7. Others mimicked Docker and containerd components, which helps explain how the malware can blend into modern telecom stacks that rely on containers and Kubernetes-hosted network functions.
Rapid7 says the attackers often started from edge infrastructure such as VPN appliances, network devices, firewalls, ESXi hosts, and public-facing applications. After that, they used tools including CrossC2 and TinyShell, along with telecom-focused credential theft and post-exploitation activity, to deepen access and move toward the systems that mattered most.
BPFdoor campaign at a glance
| Item | Details |
|---|---|
| Malware | BPFdoor |
| Threat actor | Red Menshen, described by Rapid7 as China-nexus |
| Main target | Telecom networks |
| Regions named | South Korea, Hong Kong, Myanmar, Malaysia, Egypt, Middle East |
| Key stealth method | Packet inspection through BPF without visible listening ports |
| Newer technique | Trigger delivery hidden inside legitimate HTTPS traffic |
| Other control method | ICMP-based relaying between compromised hosts |
| Main risk | Long-term covert access for espionage |
Sources: Rapid7 Labs and Rapid7 press materials.
What defenders should do now
Rapid7 says defenders need better visibility into kernel-level activity, raw BPF filter behavior, and unusual high-port behavior on Linux systems. That is a notable point because many security teams monitor applications and standard network traffic far more closely than they monitor low-level packet filters inside Linux hosts.
The company has also released a free scanning script to help organizations detect both older and newer BPFdoor variants. For telecom operators and other organizations that run exposed Linux infrastructure, that gives defenders a concrete place to start while they review logs, network telemetry, and persistence mechanisms across sensitive systems.
Immediate priorities
- inspect Linux systems in sensitive network zones for suspicious BPF activity
- review SSL termination points and internal traffic paths for unusual trigger behavior
- hunt for process names that imitate expected infrastructure components
- investigate ICMP activity that does not fit normal operational patterns
- check edge appliances and public-facing systems for signs of earlier compromise
- run Rapid7’s detection script across exposed and high-value Linux assets
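The first and third items above (processes holding packet-level filters, and process names that imitate infrastructure components) can be checked straight from /proc without extra tooling. The script below is an added example written for this article; it is not Rapid7's scanner and not code from any malware sample. It assumes a Linux host with the usual /proc layout, and the /proc/net/packet table, PIDs and file paths it embeds are constructed samples. It lists raw AF_PACKET sockets (the handle a packet-sniffing backdoor needs in place of a listening port), maps them to the processes that own them, and compares each process's advertised name with the binary the kernel actually loaded, which is the part a renamed process cannot forge.

```python
"""Hunt for packet-sniffing backdoors and forged process names on Linux.
Added example (not Rapid7's script, not any malware's code). Assumes /proc.
All sample data below is constructed for illustration."""
import os
import re
from collections import defaultdict

# Constructed sample of /proc/net/packet.
# Columns: sk RefCnt Type Proto Iface R Rmem User Inode
SAMPLE_PACKET_TABLE = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1c40a3e000 3      3    0003   0     1 0      0      31337
ffff9a1c40a3f800 3      2    0800   2     1 0      0      40001
"""

SOCK_RAW = 3          # socket(2) type: whole frames, typical of sniffers
ETH_P_ALL = 0x0003    # protocol: every frame on every interface
# Directories a legitimate hpasmlited/containerd would never run from.
SUSPICIOUS_DIRS = ("/dev/shm/", "/tmp/", "/var/tmp/")


def parse_packet_sockets(text):
    """Return [(inode, sock_type, proto)] for each AF_PACKET socket listed."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the header
        f = line.split()
        if len(f) < 9:
            continue
        rows.append((int(f[8]), int(f[2]), int(f[3], 16)))
    return rows


def socket_owners(proc_root="/proc"):
    """Map socket inode -> set of PIDs whose fd table references it.
    Needs root to read other users' fd links."""
    owners = defaultdict(set)
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue                            # exited, or no permission
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners[int(m.group(1))].add(int(pid))
    return dict(owners)


def raw_sniffer_sockets(packet_table, owners):
    """{inode: pids} for SOCK_RAW/ETH_P_ALL sockets. An empty pid set means
    no visible process owns the socket: hidden process or permission gap."""
    return {inode: owners.get(inode, set())
            for inode, stype, proto in parse_packet_sockets(packet_table)
            if stype == SOCK_RAW and proto == ETH_P_ALL}


def name_mismatch(comm, argv0, exe_path):
    """True when the name a process shows does not match what it runs.
    comm     : /proc/<pid>/comm   (truncated to 15 bytes by the kernel)
    argv0    : first field of /proc/<pid>/cmdline (what `ps aux` shows)
    exe_path : readlink of /proc/<pid>/exe (where the binary was loaded from)
    Renaming changes comm and argv[0]; it cannot change the exe link."""
    deleted = exe_path.endswith(" (deleted)")
    clean = exe_path[:-len(" (deleted)")] if deleted else exe_path
    exe_base = os.path.basename(clean)
    consistent = (os.path.basename(argv0) == exe_base) or (comm == exe_base[:15])
    return (not consistent) or deleted or clean.startswith(SUSPICIOUS_DIRS)


def scan_processes(proc_root="/proc"):
    """Yield (pid, comm, argv0, exe) for processes whose name looks forged."""
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        base = os.path.join(proc_root, pid)
        try:
            with open(base + "/comm") as fh:
                comm = fh.read().strip()
            with open(base + "/cmdline", "rb") as fh:
                argv0 = fh.read().split(b"\0")[0].decode(errors="replace")
            exe = os.readlink(base + "/exe")
        except OSError:
            continue                # kernel threads have no exe; zombies
        if argv0 and name_mismatch(comm, argv0, exe):
            yield int(pid), comm, argv0, exe


if __name__ == "__main__":
    with open("/proc/net/packet") as fh:
        table = fh.read()
    owners = socket_owners()
    for inode, pids in raw_sniffer_sockets(table, owners).items():
        who = sorted(pids) or "no visible process"
        print(f"raw packet socket inode={inode} owner={who}")
    for pid, comm, argv0, exe in scan_processes():
        print(f"name mismatch pid={pid} comm={comm!r} argv0={argv0!r} exe={exe!r}")
```

Run it as root so every process's fd table and exe link are readable. Treat the output as triage input rather than an alert: tcpdump, DHCP clients and LLDP daemons legitimately hold ETH_P_ALL sockets, and an exe link ending in "(deleted)" also appears after an in-place package upgrade of a running daemon. A raw packet socket with no visible owner, or a process claiming to be hpasmlited or a containerd component while its exe points somewhere else, is the case worth pulling for memory and disk forensics.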
FAQ
What is BPFdoor?
BPFdoor is a stealthy Linux backdoor that uses Berkeley Packet Filter functionality to inspect traffic and activate only when it sees a correct trigger, which helps it avoid normal detection methods.
Who is behind the campaign?
Rapid7 attributes the activity to a China-nexus threat actor it tracks as Red Menshen.
Why are telecom networks such valuable targets?
They carry signaling, subscriber, and mobility data that can support long-term intelligence collection and expose downstream government and national infrastructure communications.
What is new in the latest variant?
Rapid7 says newer samples can hide trigger commands inside legitimate HTTPS traffic after SSL termination, and they can also use ICMP-based relay behavior for control inside the network.
Is there a way to detect it?
Yes. Rapid7 released a free script to help detect both legacy and newer BPFdoor variants.