A sophisticated China-nexus threat actor has embedded digital sleeper cells into the networks of telecom firms in multiple countries, according to a report released Thursday from cybersecurity firm Rapid7.
The adversary, tracked as Red Menshen, has used a stealthy, Linux-based implant called BPFdoor that is designed to function within the operating system kernel.
The goal is to run an espionage campaign against critical industry segments and government agencies, maintaining a long-term presence inside these networks, Rapid7 researchers said. There are similarities to campaigns previously launched by other China-nexus actors, including Volt Typhoon and Salt Typhoon, but the mechanisms have evolved and the strategic objectives of these attacks have a longer tail.
“Based on what we’ve observed, the strongest evidence points to intelligence collection and long-term access, not immediate disruption,” said Christiaan Beek, vice president of cyber intelligence at Rapid7. “In telecom networks, that can mean visibility into signaling systems, subscriber-related data, communications metadata, and other high-value infrastructure functions.”
The backdoor misuses the Berkeley Packet Filter (BPF), operating like a trapdoor built into the operating system.
The BPFdoor functionality allows the attackers to operate in a stealth mode that avoids visible command-and-control channels and does not expose listening ports, according to Rapid7. This enables the threat actor to maintain a long-term presence inside an organization without triggering most detection systems.
The threat activity follows prior China-nexus activity linked to Volt Typhoon, which involved hackers gaining persistent access to U.S. networks in preparation for a diversionary attack if the People’s Republic of China engaged in military action against Taiwan.
Salt Typhoon, a separate China-nexus actor, was capable of embedding itself inside the networks of major U.S. telecom firms for years. The group was able to gather data about the communications of telecom customers, with a focus on high-profile political and military figures.
Rapid7 said it has worked closely with government partners and various national Community Emergency Response Teams to share findings on the research.
Security teams need to focus on improving visibility beyond the traditional perimeter, Beek said.
“Organizations should hunt for unusual raw socket activity, anonymous packet-filtering behavior and service masquerading on critical Linux systems,” Beek told Cybersecurity Dive.
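One way to act on that hunting advice on a Linux host, as an added example that is not Rapid7's tooling and not from the original article: the script below lists the processes holding raw AF_PACKET sockets (read from /proc/net/packet and /proc/<pid>/fd) and flags those whose command line disagrees with their real executable. The SAMPLE_PROC_NET_PACKET text, the inode numbers in it and the proc_root parameter are constructed assumptions for testing.

```python
# Added example: enumerate raw AF_PACKET sockets, find their owning processes,
# and flag command-line/executable mismatches (service masquerading) for triage.
import os
from pathlib import Path

# Constructed sample of /proc/net/packet (not captured from any real host).
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9c0c12345600 3      3    0003   2     1 0      0      21842
ffff9c0c12345a00 3      2    0800   0     1 0      0      31077
"""
SOCK_RAW = 3  # Type column: 3 = SOCK_RAW (full frames), 2 = SOCK_DGRAM (cooked)

def parse_packet_sockets(text):
    """Parse /proc/net/packet rows (one per AF_PACKET socket) into dicts."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) >= 9:
            rows.append({"type": int(f[2]), "proto": int(f[3], 16),
                         "iface": int(f[4]), "uid": int(f[7]), "inode": int(f[8])})
    return rows

def raw_socket_inodes(text):
    """Inodes of SOCK_RAW packet sockets, the kind a BPF-filtering sniffer holds."""
    return {r["inode"] for r in parse_packet_sockets(text) if r["type"] == SOCK_RAW}

def looks_masqueraded(cmdline, exe):
    """Triage heuristic (expect benign hits from interpreters and wrappers): argv[0]
    disagrees with the binary, the binary was unlinked, or it runs from scratch space."""
    argv0 = cmdline.split("\0")[0]
    if exe.endswith(" (deleted)") or exe.startswith(("/tmp/", "/dev/shm/", "/var/tmp/")):
        return True
    return os.path.basename(argv0) != os.path.basename(exe)

def socket_owners(inodes, proc_root="/proc"):
    """Map socket inodes to (pid, cmdline, exe) via <proc_root>/<pid>/fd; needs root."""
    owners = []
    for pid_dir in Path(proc_root).iterdir():
        if not pid_dir.name.isdigit():
            continue
        try:
            fds = {os.readlink(fd) for fd in (pid_dir / "fd").iterdir()}
            exe = os.readlink(pid_dir / "exe")
            cmdline = (pid_dir / "cmdline").read_bytes().decode(errors="replace")
        except OSError:  # process exited, kernel thread, or permission denied
            continue
        if any(f"socket:[{i}]" in fds for i in inodes):
            owners.append((int(pid_dir.name), cmdline, exe))
    return owners
```

Run `socket_owners(raw_socket_inodes(Path("/proc/net/packet").read_text()))` as root and pass each result to `looks_masqueraded()`; legitimate sniffers such as tcpdump or DHCP clients also hold raw sockets, so treat hits as leads to verify against the binary on disk, not as verdicts.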
Telecom firms and other critical infrastructure providers also need to focus on exposed edge devices, containerized environments and signaling-related traffic, Beek added.