
Mar 29, 2026 · 6 min read

China Planted Sleeper Backdoors in Telecom Networks That Can Track Any Phone

Rapid7 discovered that Chinese state hackers embedded invisible backdoors deep inside the backbone of global telecom networks. The malware hides in the Linux kernel, activates through normal web traffic, and can monitor the real-time location and communications of millions of subscribers.

[Image: dark server room with telecom equipment and glowing fiber optic cables]

What Rapid7 Found

On March 26, 2026, Rapid7 Labs published the results of a months-long investigation into a state-sponsored espionage campaign buried inside global telecommunications infrastructure. The threat actor, a China-linked group known as Red Menshen (also tracked as Earth Bluecrow and DecisiveArchitect), had embedded what researchers call "sleeper cells" into the signaling layer of telecom networks across multiple countries.

The weapon of choice is BPFdoor, a Linux backdoor that operates at the kernel level by abusing Berkeley Packet Filter (BPF) technology. Unlike conventional malware, BPFdoor does not open any ports, does not maintain visible command and control channels, and does not show up in standard network scans. It simply sits inside the kernel, silently inspecting every packet that flows through the machine.

How the Backdoor Hides in Plain Sight

The original BPFdoor variants used "magic packets," specially crafted data sequences that would wake the malware up. Security teams eventually learned to look for those patterns. The new variant documented by Rapid7 abandons magic packets entirely.

Instead, the activation trigger is now embedded inside legitimate HTTPS traffic. The malware waits at SSL termination points such as load balancers and reverse proxies where encrypted traffic gets decrypted, then looks for mathematical padding markers at specific byte offsets. Once it recognizes the trigger buried in what appears to be ordinary web traffic, it activates a reverse shell giving the operator full access.

The implant also disguises itself by impersonating legitimate processes. On some systems, BPFdoor renames itself to look like HPE server management tools or Docker daemon processes. Traditional endpoint detection tools see what appears to be normal infrastructure software.

Why Telecom Networks Are the Target

Telecom backbone infrastructure is not like a typical corporate network. It carries signaling traffic using protocols like SCTP, Diameter, and SS7 that control everything from call routing to subscriber authentication. An attacker with access to this layer does not need to hack individual phones. They can see the metadata and location of every device on the network.

Rapid7's investigation found that the implants specifically targeted SCTP traffic, which underpins both 4G and 5G core communications. This gives the operators visibility into subscriber activity, including real-time location tracking, International Mobile Subscriber Identity (IMSI) numbers, SMS message contents, and the newer 5G Subscription Concealed Identifiers (SUCI).

In practical terms, this means the threat actor could track the physical movements of any subscriber on a compromised network, monitor who they communicate with, and intercept message contents, all without ever touching the subscriber's device.

Who Is Red Menshen

Red Menshen has been active since at least 2021, primarily targeting telecom providers across the Middle East and Asia. The group's operations align with what researchers describe as a deliberate shift from opportunistic hacking to long-term pre-positioning inside critical infrastructure.

This campaign fits a broader pattern. China-linked groups including Salt Typhoon and Volt Typhoon have been found embedded in American power grids, water systems, and telecommunications networks. The common thread is not immediate data theft but rather persistent access that could be activated during a geopolitical crisis.

What Defenders Should Watch For

Rapid7 published detection indicators, including Suricata rules and hunting scripts, on GitHub. The key signals include unusual raw socket usage on Linux systems, anomalous packet filtering behavior, processes masquerading as HPE management tools or Docker daemons, unexpected ICMP tunneling with specific byte markers, and high-port network activity that does not match expected services.

The challenge is that BPFdoor is specifically designed to evade the tools most organizations rely on. It operates below the layer where standard endpoint detection works, does not create network connections that firewalls can block, and impersonates trusted system processes. Detecting it requires kernel-level monitoring and deep packet inspection at the signaling layer, capabilities most telecom providers are still building.
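Two of the host-side signals above, unusual raw socket usage and processes masquerading as infrastructure software, can be checked on any Linux box without kernel tooling, because the kernel already publishes the relevant facts under /proc. The script below is an added illustration written for this article; it is not Rapid7's published hunting script and asserts nothing about any specific sample. It parses /proc/net/packet (the list of AF_PACKET sockets, which is where a BPF socket filter gets attached), resolves each socket inode to the processes holding it through /proc/<pid>/fd, and then compares what the process calls itself (argv[0]) with what the kernel actually mapped (/proc/<pid>/exe). The sample /proc/net/packet text, the PIDs and the paths in the test are constructed; the "implant-placeholder" path stands in for whatever a real incident would show.

```python
#!/usr/bin/env python3
"""List AF_PACKET (raw) sockets on a Linux host, the processes holding them, and whether
each process's visible name matches its binary. Added illustration for this article, not
Rapid7's published hunting script. A packet socket with a BPF filter attached is how a
BPFdoor-style implant watches traffic without opening a port, so the host-side question
is: who owns a raw socket, and is that process what it claims to be?"""
import os
from collections import namedtuple

# Constructed sample of /proc/net/packet (columns: sk RefCnt Type Proto Iface R Rmem User Inode).
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a3b1c2d0000 3      3    0003   2     1 0      0      24153
ffff9a3b1c2d0800 3      2    0800   0     1 0      0      24190
"""
SOCK_TYPES = {2: "SOCK_DGRAM", 3: "SOCK_RAW"}                # socket(2) type values
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/run/")  # a service binary should not live here
# proto is the link-layer filter (0x0003 = ETH_P_ALL sees everything); ifindex 0 = all interfaces.
PacketSocket = namedtuple("PacketSocket", "sock_type proto ifindex uid inode")

def parse_proc_net_packet(text):
    """Parse /proc/net/packet text (first line is the header) into PacketSocket records."""
    sockets = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) >= 9:
            sockets.append(PacketSocket(SOCK_TYPES.get(int(f[2]), f[2]), int(f[3], 16),
                                        int(f[4]), int(f[7]), int(f[8])))
    return sockets

def owners_from_fd_links(fd_links, inodes):
    """Map socket inodes to PIDs, given {pid: [readlink targets of /proc/<pid>/fd/*]}."""
    wanted = {f"socket:[{i}]": i for i in inodes}
    owners = {}
    for pid, targets in fd_links.items():
        for t in targets:
            if t in wanted:
                owners.setdefault(wanted[t], []).append(pid)
    return owners

def collect_fd_links(proc_root="/proc"):
    """Read every /proc/<pid>/fd/* symlink we may see; run as root to see all processes."""
    fd_links = {}
    for name in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, name, "fd")
        try:
            entries = os.listdir(fd_dir)
        except OSError:  # permission denied or the process is already gone
            continue
        links = []
        for fd in entries:
            try:
                links.append(os.readlink(os.path.join(fd_dir, fd)))
            except OSError:
                pass
        fd_links[int(name)] = links
    return fd_links

def masquerade_reasons(exe, argv0):
    """Triage notes when argv[0] (what ps shows) disagrees with /proc/<pid>/exe (what the kernel
    mapped): a renamed implant changes the former, not the latter. Interpreters (argv[0]
    'python3', exe 'python3.11') match too, so treat this as a hunting list, not a verdict."""
    if exe is None:
        return ["exe link unreadable"]
    reasons = []
    exe_path = exe.removesuffix(" (deleted)")
    if exe != exe_path:
        reasons.append("executable was deleted from disk while still running")
    if exe_path.startswith(SUSPECT_DIRS):
        reasons.append(f"executable lives in a temporary directory: {exe_path}")
    exe_base = os.path.basename(exe_path)
    if argv0 and os.path.basename(argv0) != exe_base:
        reasons.append(f"argv[0] {argv0!r} does not match executable {exe_base!r}")
    return reasons

def hunt(proc_root="/proc"):
    """Live run: (socket, pid, exe, reasons) for every packet socket whose owner is visible."""
    with open(os.path.join(proc_root, "net", "packet")) as f:
        sockets = parse_proc_net_packet(f.read())
    owners = owners_from_fd_links(collect_fd_links(proc_root), [s.inode for s in sockets])
    findings = []
    for s in sockets:
        for pid in owners.get(s.inode, []):
            base = os.path.join(proc_root, str(pid))
            try:
                exe = os.readlink(os.path.join(base, "exe"))
            except OSError:
                exe = None
            try:
                with open(os.path.join(base, "cmdline"), "rb") as f:
                    argv0 = f.read().split(b"\0")[0].decode(errors="replace")
            except OSError:
                argv0 = None
            findings.append((s, pid, exe, masquerade_reasons(exe, argv0)))
    return findings

if __name__ == "__main__":
    for s, pid, exe, reasons in hunt():
        print(f"[{'SUSPECT' if reasons else 'ok'}] pid={pid} exe={exe} {s.sock_type} "
              f"proto=0x{s.proto:04x} ifindex={s.ifindex} uid={s.uid}")
        for r in reasons:
            print("    -", r)
```

Run it as root so every process's fd table is readable; unprivileged it silently skips other users' processes. A packet socket is not a finding by itself (DHCP clients, LLDP agents and packet capture tools hold them legitimately), which is why the output pairs each socket with its owner and a reason list: an ETH_P_ALL raw socket whose owner's binary has been unlinked from disk or sits under /dev/shm is the combination worth a closer look. A socket whose inode appears in /proc/net/packet but maps to no visible PID is also worth noting, since that is what a hidden or unprivileged-view process looks like from this vantage point.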

The Bigger Picture

The BPFdoor campaign is not about stealing data in the traditional sense. It is about building persistent, population-level surveillance capability inside the infrastructure that every phone and communication service depends on. The implants were designed to remain dormant for extended periods, activating only when needed and blending into normal traffic when not in use.

For journalists, activists, and anyone relying on mobile communications for sensitive work, this research confirms what security experts have long warned: the network itself can be the surveillance tool. Encryption protects the content of your messages, but metadata, including who you contact, when, and where you are when you do it, remains visible to anyone sitting at the telecom signaling layer. This kind of access is exactly what state intelligence agencies value most.

Rapid7's full technical report, including indicators of compromise and detection scripts, is available on their research blog.