
China-linked hackers plant stealth malware deep in global telecom networks


A China-linked state-sponsored hacking group has been found embedding highly stealthy malware deep inside global telecom infrastructure, raising concerns of long-term cyber espionage, a report has said.

Data from cybersecurity firm Rapid7 showed that the attackers have deployed advanced tools such as kernel-level implants and passive backdoors designed to stay hidden inside networks for long periods.

These tools act like “digital sleeper cells”, allowing hackers to quietly monitor systems and maintain access without being detected.

Although the activity has not been officially linked to any known advanced persistent threat (APT) group, experts believe the operation is aimed at high-level espionage, including potential surveillance of government and critical communication networks.

Rapid7’s investigation found that the attackers used a combination of techniques to gain and maintain access.

They exploited vulnerabilities in widely used systems from companies like Cisco, Fortinet, VMware, Palo Alto Networks and Ivanti, along with web platforms such as Apache Struts, to break into networks.

One of the key tools used in the campaign is a Linux-based backdoor known as BPFdoor.

This malware operates inside the system’s kernel and remains inactive while monitoring network traffic.

It only activates when it detects a specific hidden signal within data packets, making it extremely difficult to detect, the report said.
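A passive listener of this kind opens no listening port, so port scans and `netstat`-style listings show nothing; one host-side check is to inventory which processes hold packet sockets. The sketch below is an added example, not code from the Rapid7 report: it parses a constructed `/proc/net/packet` snapshot and flags sockets whose owner is not on a hypothetical allow-list (the process names, inodes and allow-list are assumptions).

```python
# Added example. SNAPSHOT, OWNERS and ALLOWED are constructed sample data.
SNAPSHOT = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a3c01b2c000 3      3    0003   2     1 0      0      48211
ffff9a3c01b2d800 3      3    0800   0     1 0      0      51907
ffff9a3c01b2e000 3      2    888e   3     1 0      0      30544
"""
# inode -> (pid, executable path); on a live host this comes from the
# "socket:[inode]" links under /proc/<pid>/fd and from /proc/<pid>/exe.
OWNERS = {
    48211: (812, "/usr/sbin/dhclient"),
    51907: (2290, "/dev/shm/example-svc (deleted)"),
    30544: (640, "/usr/sbin/wpa_supplicant"),
}
# Hypothetical allow-list of programs expected to hold packet sockets.
ALLOWED = {"/usr/sbin/dhclient", "/usr/sbin/wpa_supplicant"}
SOCK_TYPES = {2: "SOCK_DGRAM", 3: "SOCK_RAW"}


def parse_packet_sockets(text):
    """Parse /proc/net/packet rows (Type is decimal, Proto is hex)."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 9:
            continue                             # tolerate truncated lines
        rows.append({"type": SOCK_TYPES.get(int(f[2]), f[2]),
                     "proto": int(f[3], 16), "ifindex": int(f[4]),
                     "inode": int(f[8])})
    return rows


def review(rows, owners, allowed):
    """Return packet sockets whose owner is unknown or not allow-listed."""
    findings = []
    for row in rows:
        pid, exe = owners.get(row["inode"], (None, "unknown"))
        if exe in allowed:
            continue
        reasons = ["owner not on allow-list"]
        if exe.endswith(" (deleted)"):
            reasons.append("executable deleted from disk")
        if row["ifindex"] == 0:
            reasons.append("not bound to one interface")
        findings.append({**row, "pid": pid, "exe": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in review(parse_packet_sockets(SNAPSHOT), OWNERS, ALLOWED):
        print(hit)
```

Raw `AF_INET` sockets appear in `/proc/net/raw` rather than here, and an implant with kernel-level hiding can tamper with `/proc`, so compare the result against an off-host view such as a memory image.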

Once inside, the attackers deploy additional tools like credential harvesters, keyloggers and remote command frameworks to move across systems and maintain control.

They also use passive backdoors such as TinyShell to ensure continued access, even if some parts of the attack are discovered.

Rapid7 warned that the goal of the operation is not just to hack individual systems but to gain a foothold in the core infrastructure that powers telecom networks.

This includes both traditional systems and modern cloud-based environments like Kubernetes, which are widely used in telecom operations.

The report highlights that newer versions of the malware are even more advanced, hiding their signals inside normal-looking encrypted web traffic and using multiple techniques to bypass security layers.

Cybersecurity experts said such campaigns are particularly dangerous because they target the backbone of communication systems, allowing attackers to potentially monitor data flows, disrupt services, or prepare for future cyber operations.

  • Published On Mar 28, 2026 at 08:56 AM IST
