Rapid7 Labs Identifies Long-Term Sleeper Cells in Telecommunications Infrastructure

Rapid7 released research from Rapid7 Labs describing a long-term espionage campaign with covert access inside global telecommunications infrastructure. The company said the findings relate to persistent visibility into subscriber activity and sensitive communications.

In the research, Rapid7 Labs characterized the activity as a shift from opportunistic intrusion to deliberate pre-positioning inside telecommunications networks. The report described “sleeper cells” designed to remain undetected while supporting ongoing intelligence collection across environments used by government, commercial, and critical infrastructure operations.

The technical description in the findings included kernel-level stealth via a Linux kernel-level backdoor, labeled “BPFDoor,” that operates without opening ports or generating typical beaconing activity. The research also described a newly identified malware variant that concealed command triggers within legitimate, encrypted HTTPS traffic by abusing Secure Sockets Layer (SSL) termination points such as load balancers and proxies. It further cited targeting of specialized signaling systems using SCTP for visibility into subscriber activity, including location tracking and identity-related data across 4G and 5G networks, plus service masquerading that mimicked legitimate infrastructure and management services.

Rapid7 said it released a free open-source scanning script to detect previously documented BPFDoor variants and newer samples. The company said it incorporated the findings into its detection capabilities, including retroactive threat hunting and updated intelligence available through the Rapid7 Intelligence Hub. “If you have access to telecommunications infrastructure, you are not just inside one company, you are operating close to the communication layer of entire populations, which makes this type of access highly valuable and elevates detection to a national-level concern,” said Raj Samani, chief scientist at Rapid7. “This is not traditional espionage, it is pre-positioning inside the infrastructure that nations depend on,” said Christiaan Beek, vice president of cyber intelligence at Rapid7.
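The release does not describe how its scanning script works. The following is an added defender-side example, written for this page and not Rapid7's script, that shows one practical way to hunt for a portless passive listener of the kind described above (a backdoor that opens no TCP/UDP port and masquerades as a legitimate service). It rests on two assumptions not stated in the release: that the implant receives its trigger on a raw `AF_PACKET` socket, which Linux lists in `/proc/net/packet` even though nothing shows up in `ss -ltn`, and that a process whose `comm` name does not match its executable path is worth a second look. The `/proc/net/packet` sample, the inode-to-process table and all names and paths in it are constructed for the example.

```python
"""Hunt for passive raw-packet listeners and masquerading processes on Linux.

Added example, not Rapid7's scanner. Assumptions (not from the release):
  * the implant listens on a raw AF_PACKET / ETH_P_ALL socket, so it needs no
    bound port; Linux enumerates such sockets in /proc/net/packet
  * a socket inode is tied to a PID by walking /proc/<pid>/fd; the constructed
    SAMPLE_PROCS table stands in for that walk so the example runs offline
  * a comm name that differs from the executable basename, or an executable
    living in tmpfs / already deleted, is a masquerading indicator
"""
from dataclasses import dataclass
import os
import re
from typing import Dict, List

SOCK_RAW = 3        # 'Type' column value for raw packet sockets
ETH_P_ALL = 0x0003  # 'Proto' column value: socket receives every frame

# Processes that legitimately hold raw packet sockets on many hosts.
# Assumption: tune this allowlist to your own fleet.
KNOWN_CAPTURE_TOOLS = {"tcpdump", "dhclient", "dhcpcd", "lldpd",
                       "NetworkManager", "wpa_supplicant"}


@dataclass
class PacketSocket:
    inode: int
    sock_type: int
    proto: int
    uid: int


@dataclass
class Proc:
    pid: int
    comm: str   # /proc/<pid>/comm, truncated by the kernel to 15 characters
    exe: str    # readlink(/proc/<pid>/exe), may end in " (deleted)"


def parse_proc_net_packet(text: str) -> List[PacketSocket]:
    """Parse /proc/net/packet (columns: sk RefCnt Type Proto Iface R Rmem User Inode)."""
    sockets = []
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) < 9:
            continue
        sockets.append(PacketSocket(inode=int(fields[8]), sock_type=int(fields[2]),
                                    proto=int(fields[3], 16), uid=int(fields[7])))
    return sockets


def find_suspects(sockets: List[PacketSocket], inode_to_proc: Dict[int, Proc]) -> List[dict]:
    """Flag raw ETH_P_ALL sockets held by non-allowlisted or masquerading processes."""
    findings = []
    for s in sockets:
        if s.sock_type != SOCK_RAW or s.proto != ETH_P_ALL:
            continue                              # only all-frames raw sockets
        proc = inode_to_proc.get(s.inode)
        if proc is None:
            findings.append({"inode": s.inode,
                             "reasons": ["raw ETH_P_ALL socket with no owning process found"]})
            continue
        reasons = []
        if proc.comm not in KNOWN_CAPTURE_TOOLS:
            reasons.append("raw ETH_P_ALL socket held by non-allowlisted process")
        exe_path = proc.exe.replace(" (deleted)", "")
        if os.path.basename(exe_path)[:15] != proc.comm:   # comm is 15 chars max
            reasons.append(f"comm '{proc.comm}' does not match exe '{proc.exe}'")
        if proc.exe.endswith("(deleted)") or exe_path.startswith(("/dev/shm/", "/tmp/")):
            reasons.append("executable deleted or located in tmpfs")
        if reasons:
            findings.append({"pid": proc.pid, "comm": proc.comm, "reasons": reasons})
    return findings


def live_inode_to_proc() -> Dict[int, Proc]:
    """On a real Linux host, walk /proc/<pid>/fd to map socket inodes to processes (needs root)."""
    table: Dict[int, Proc] = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            comm = open(f"/proc/{pid}/comm").read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
            for fd in os.listdir(f"/proc/{pid}/fd"):
                m = re.match(r"socket:\[(\d+)\]", os.readlink(f"/proc/{pid}/fd/{fd}"))
                if m:
                    table[int(m.group(1))] = Proc(int(pid), comm, exe)
        except (FileNotFoundError, PermissionError, ProcessLookupError):
            continue
    return table


# Constructed sample: one legitimate tcpdump capture, one DGRAM socket (ignored),
# and one raw socket owned by a process calling itself "dbus-daemon" whose
# binary was deleted from /dev/shm.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1c0b2e8000 3      3    0003   2     1 0      0      48211
ffff9a1c0b2e9800 3      2    0800   2     0 0      0      48390
ffff9a1c0b2ea000 3      3    0003   0     1 0      0      51007
"""
SAMPLE_PROCS = {
    48211: Proc(pid=1043, comm="tcpdump", exe="/usr/bin/tcpdump"),
    51007: Proc(pid=2210, comm="dbus-daemon", exe="/dev/shm/example-implant (deleted)"),
}

if __name__ == "__main__":
    # Swap SAMPLE_* for open('/proc/net/packet').read() and live_inode_to_proc() on a host.
    for finding in find_suspects(parse_proc_net_packet(SAMPLE_PROC_NET_PACKET), SAMPLE_PROCS):
        print(finding)
```

On the constructed input the tcpdump socket is allowlisted and consistent, the DGRAM socket is skipped, and the third socket produces one finding with three reasons (non-allowlisted holder, comm/exe mismatch, deleted tmpfs binary). The `ETH_P_ALL` filter is a heuristic: a listener could bind a narrower protocol, so for a full sweep drop the proto check and review every raw socket holder against the allowlist, and keep a copy of each host's `/proc/net/packet` so the same check can be rerun retroactively against earlier snapshots.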

Forward-looking statements: On Thursday, March 26 at 12:20 p.m. PT at RSAC 2026 in San Francisco, Christiaan Beek will present the full scope of the research in a session titled “Sleeper Cells in the Telecom Backbone,” and on Monday, March 30, Raj Samani and Christiaan Beek will discuss the findings during an exclusive webinar.