
“Sleeper Cells” in Telcos Seen Using New BPFdoor Malware Variants
Why It Matters
Compromising telco backbones threatens global data flows and can enable large‑scale espionage or ransomware. A backdoor that waits behind a kernel packet filter instead of a listening port is invisible to port scans and perimeter firewalls, which makes host‑level detection on critical infrastructure a top priority.
Key Takeaways
- BPFdoor attaches a BPF filter to a raw packet socket and waits for a “magic” packet instead of listening on a port
- Packet sockets see traffic before the host firewall, so a blocked port can still trigger the implant and port scans show nothing
- Telco infrastructure provides long-lived, high-bandwidth footholds
- Detection requires host telemetry: processes holding packet sockets, masquerading process names, deleted or /dev/shm binaries, iptables rule churn
Pulse Analysis
The resurfacing of BPFdoor, a Linux backdoor first publicly documented in 2022 and now appearing in new variants, shows how attackers abuse the Linux kernel’s Berkeley Packet Filter (BPF) facility for stealth rather than for exploitation. The implant opens a raw packet socket and attaches a classic BPF filter to it so that only packets carrying a specific “magic” byte sequence are delivered to its process; everything else is dropped in the kernel before the implant ever sees it. Because a packet socket receives frames before the netfilter (iptables/nftables) hooks run and without any listening TCP or UDP port, the trigger can arrive on a port the host firewall blocks, and an external port scan reveals nothing. Only when the magic packet arrives does the implant open a reverse or bind shell, in some variants by briefly inserting an iptables redirect rule and removing it afterwards. To an IDS or deep‑packet‑inspection sensor that does not know the magic sequence, the trigger looks like background noise. The implant itself is a single self‑contained binary that runs as an ordinary process, rewrites its command line to mimic system daemons such as udevd or dbus-daemon, and commonly copies itself to /dev/shm and deletes the on‑disk original, so it needs no eBPF loader, kernel module, or per‑target build.
Telecommunications operators have become prime targets for such “sleeper cell” campaigns. Their backbone networks span continents, carry enormous volumes of traffic, and run large fleets of Linux (and, for older variants of the implant, Solaris) hosts on which one more dormant process holding a packet socket draws little attention. By planting BPFdoor on such hosts, adversaries gain persistent, low‑profile access to a critical segment of the internet that can be used for data exfiltration, interception of transiting traffic, or staging broader ransomware campaigns. The discovery underscores a growing convergence between nation‑state espionage tactics and financially motivated cybercrime, and raises the stakes for securing infrastructure on which everyone else’s traffic depends.
Mitigating BPFdoor requires a layered approach that extends beyond perimeter defenses, because the implant is built to be invisible to them. BPFdoor is a post‑compromise implant rather than an exploit of a kernel flaw, so there is no single patch to apply; the first job is to close the initial access route and then hunt for the implant on every host reachable from it. Useful host‑side controls: inventory every process that holds an AF_PACKET (raw) socket and treat unexpected owners as suspects; alert on processes whose executable has been unlinked from disk, runs from /dev/shm or /tmp, or reports a command line that does not match its binary; mount /dev/shm and /tmp noexec where workloads allow it; drop CAP_NET_RAW from containerized workloads that do not need it; and log iptables/nftables rule changes, since some variants briefly add a redirect rule to reach their shell. Kernel‑level telemetry, whether auditd syscall rules or an eBPF‑based sensor recording socket() and setsockopt() calls, supplies the behavioral signal that static indicators miss. As regulators tighten requirements for critical‑infrastructure resilience, telcos that invest in this kind of host telemetry and in zero‑trust segmentation will be better positioned to detect and neutralize similar kernel‑level threats before they compromise service continuity.
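As an added, self‑contained example (not part of the original article and not any vendor’s tooling), the following Python script implements the host‑side check that the mechanism and mitigation paragraphs above call for: it lists every process that owns an AF_PACKET socket, the socket type a BPFdoor‑style implant needs for its filter, and flags owners that show the masquerading tells described in public BPFdoor analyses (binary unlinked from disk, running from /dev/shm or /tmp, argv[0] that does not match the executable). The function and constant names are this example’s own, and the sample /proc/net/packet text is constructed for illustration.

```python
#!/usr/bin/env python3
"""hunt_packet_sockets.py: find processes holding AF_PACKET sockets and
flag the ones that look like a masquerading implant.

Every AF_PACKET socket appears in /proc/net/packet with its inode; the
inode maps back to a pid through the /proc/<pid>/fd symlinks.  A raw
packet socket is normal for tcpdump, dhclient or an NIDS sensor, but
suspicious when the owner was deleted from disk, runs from a tmpfs, or
reports an argv[0] that does not match its executable.  Those three
tells come from public BPFdoor write-ups; everything else here is the
example's own naming.
"""
import os
import re
from pathlib import Path

SOCK_RAW = 3          # "Type" column of /proc/net/packet
ETH_P_ALL = 0x0003    # "Proto" column: socket captures every protocol
TMP_DIRS = ("/dev/shm/", "/run/shm/", "/tmp/", "/var/tmp/")

# Constructed sample of /proc/net/packet (not captured from a real host).
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff88810c3a8000 3      3    0003   2     1 0      0      40213
ffff88810c3a9800 3      2    0800   0     0 0      0      40377
"""


def parse_proc_net_packet(text):
    """Parse /proc/net/packet into (inode, sock_type, proto) tuples.

    Kernel line format (net/packet/af_packet.c):
        sk RefCnt Type Proto Iface R Rmem User Inode
    """
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 9 or fields[0] == "sk":
            continue  # header or blank line
        sockets.append((int(fields[8]), int(fields[2]), int(fields[3], 16)))
    return sockets


def socket_inodes_by_pid(proc="/proc"):
    """Map socket inode -> owning pid by reading /proc/<pid>/fd symlinks."""
    owners = {}
    for pid_dir in Path(proc).iterdir():
        if not pid_dir.name.isdigit():
            continue
        try:
            for fd in (pid_dir / "fd").iterdir():
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(fd))
                if m:
                    owners[int(m.group(1))] = int(pid_dir.name)
        except (PermissionError, FileNotFoundError):
            continue  # process exited, or we lack privileges for its fd table
    return owners


def suspicious_reasons(exe_link, cmdline):
    """Return the masquerading tells for one process (empty list == clean).

    exe_link: target of /proc/<pid>/exe; ends with " (deleted)" if unlinked
    cmdline:  /proc/<pid>/cmdline decoded, NUL-separated arguments
    """
    reasons = []
    exe_path = exe_link.removesuffix(" (deleted)")
    if exe_link != exe_path:
        reasons.append("executable unlinked from disk")
    if exe_path.startswith(TMP_DIRS):
        reasons.append(f"executable lives in {os.path.dirname(exe_path)}/")
    argv = cmdline.replace("\0", " ").split()
    if argv and os.path.basename(argv[0]) != os.path.basename(exe_path):
        # BPFdoor overwrites argv[0] to pose as udevd, dbus-daemon, etc.
        reasons.append(f"argv[0] {argv[0]!r} does not match exe {exe_path!r}")
    return reasons


def hunt(proc="/proc"):
    """Report every packet-socket owner as a dict; non-empty 'reasons' == suspect."""
    findings = []
    owners = socket_inodes_by_pid(proc)
    for inode, sock_type, proto in parse_proc_net_packet(
            Path(proc, "net", "packet").read_text()):
        pid = owners.get(inode)
        if pid is None:
            continue  # other network namespace, or fd table unreadable
        try:
            exe = os.readlink(f"{proc}/{pid}/exe")
            cmdline = Path(proc, str(pid), "cmdline").read_bytes().decode(errors="replace")
        except OSError:
            continue  # race with process exit
        findings.append({"pid": pid, "exe": exe, "type": sock_type, "proto": proto,
                         "reasons": suspicious_reasons(exe, cmdline)})
    return findings


if __name__ == "__main__":
    for f in hunt():  # run as root so every /proc/<pid>/fd is readable
        tag = "SUSPECT" if f["reasons"] else "ok     "
        print(f"{tag} pid={f['pid']} type={f['type']} proto=0x{f['proto']:04x} exe={f['exe']}")
        for r in f["reasons"]:
            print(f"        - {r}")
```

Run it as root, since unprivileged users cannot read other processes’ fd tables. A SOCK_RAW socket with proto 0x0003 belongs to a sniffer of some kind, so the reason list, not the socket itself, is what separates tcpdump from an implant; on a host where the script flags something, `ss -0pb` shows the BPF filter bytecode attached to each packet socket, which for a BPFdoor trigger will compare payload bytes against a constant rather than match protocol headers the way a capture tool’s filter does.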