
GTPDOOR: The Newly Uncovered Backdoor Targeting Global Telecom Networks

A new Linux malware, GTPDOOR, targets telecom networks and uses a novel communication method based on GTP.


The security community has unveiled details surrounding a sophisticated Linux backdoor, identified as GTPDOOR, which targets telecommunications carrier networks. This malicious software, discovered by the researcher known as HaxRob, represents a significant threat to global communication systems, utilizing an innovative command and control (C2) transport protocol based on the GPRS Tunnelling Protocol (GTP).

Method of Operation

GTPDOOR employs the GPRS Tunnelling Protocol (GTP) for its communication, distinguishing itself by using GTP-C signaling messages—typically reserved for control plane activities in mobile networks—to remain undetected within telecom infrastructure. The malware stays dormant until it receives a “magic” wakeup packet, a GTP-C echo request message, which activates it. Because it intercepts incoming UDP packets directly via a raw socket, it needs no listening socket or service of its own, which makes it harder to spot with conventional port and service inventories.

Once activated, GTPDOOR can execute commands and deploy a reverse shell, wrapping requests and responses within GTP_ECHO_REQUEST and GTP_ECHO_RESPONSE messages. Remarkably, it can also be covertly probed from an external network, sending back a specially crafted TCP packet as a signal of its presence, further complicating detection efforts.
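The detection angle that follows from the description above is that a legitimate GTP-C echo request or echo response carries almost nothing beyond its header (a sequence number and a Recovery information element), whereas a message that is being used to wrap commands or shell output has to carry a body. The following Python script is an added example written for this article; it is not code from the original report or from HaxRob's analysis. It parses the fixed GTPv1 and GTPv2 headers on the GTP-C port (UDP 2123), flags echo messages whose body is larger than a benign echo needs, whose declared length disagrees with the datagram, or whose body is plain printable text, and runs over a handful of constructed sample datagrams. The 16-byte threshold and the sample packets are assumptions, not observed GTPDOOR traffic.

```python
"""Heuristic inspection of GTP-C echo messages on UDP/2123.

Added example (not from the article or HaxRob's analysis). Threshold and
sample datagrams are constructed assumptions.
"""
import struct
from typing import Optional

GTP_C_PORT = 2123          # GTP-C signalling port for GTPv1-C and GTPv2-C
GTP_ECHO_REQUEST = 1
GTP_ECHO_RESPONSE = 2
# Assumption: a benign echo body (Recovery IE, Sending Node Features) is well under 16 bytes.
MAX_BENIGN_ECHO_BODY = 16


def parse_gtp(data: bytes) -> Optional[dict]:
    """Return version, message type, declared and actual length, and the body that
    follows every header field, for GTPv1 (TS 29.060) or GTPv2 (TS 29.274)."""
    if len(data) < 8:
        return None
    flags = data[0]
    version = flags >> 5
    msg_type = data[1]
    declared_len = struct.unpack("!H", data[2:4])[0]
    if version == 1:
        # Mandatory 8-byte header; any of the S, E or PN flags adds a 4-byte optional field.
        header_len = 12 if flags & 0x07 else 8
        actual_len = len(data) - 8          # v1 length counts bytes after the 8-byte header
    elif version == 2:
        # Mandatory 4 bytes, optional 4-byte TEID (T flag), then 4 bytes of sequence/spare.
        header_len = 12 if flags & 0x08 else 8
        actual_len = len(data) - 4          # v2 length counts bytes after the first 4 octets
    else:
        return None
    if len(data) < header_len:
        return None
    return {"version": version, "msg_type": msg_type, "declared_len": declared_len,
            "actual_len": actual_len, "body": data[header_len:]}


def inspect_gtp_datagram(dst_port: int, data: bytes) -> list:
    """Return findings for one UDP datagram; an empty list means nothing suspicious."""
    findings = []
    if dst_port != GTP_C_PORT:
        return findings
    hdr = parse_gtp(data)
    if hdr is None or hdr["msg_type"] not in (GTP_ECHO_REQUEST, GTP_ECHO_RESPONSE):
        return findings
    tag = f"gtpv{hdr['version']} echo type {hdr['msg_type']}"
    if hdr["declared_len"] != hdr["actual_len"]:
        findings.append(f"{tag}: declared length {hdr['declared_len']} != actual {hdr['actual_len']}")
    body = hdr["body"]
    if len(body) > MAX_BENIGN_ECHO_BODY:
        findings.append(f"{tag}: oversized body ({len(body)} bytes)")
    if len(body) >= 8 and all(32 <= b < 127 for b in body):
        findings.append(f"{tag}: body is printable text, but echo IEs are binary")
    return findings


def build_gtpv1(msg_type: int, body: bytes, seq: int = 1) -> bytes:
    """Construct a GTPv1-C message with the S flag set (sequence number present)."""
    optional = struct.pack("!HBB", seq, 0, 0)        # sequence number, N-PDU number, next ext header
    return struct.pack("!BBHI", 0x32, msg_type, len(optional) + len(body), 0) + optional + body


def build_gtpv2(msg_type: int, body: bytes, seq: int = 1) -> bytes:
    """Construct a GTPv2-C message without TEID (T flag clear), as echo messages are sent."""
    optional = seq.to_bytes(3, "big") + b"\x00"      # 3-byte sequence number plus spare octet
    return struct.pack("!BBH", 0x40, msg_type, len(optional) + len(body)) + optional + body


# Constructed sample datagrams: (label, destination port, bytes).
SAMPLE_DATAGRAMS = [
    ("benign v1 echo request", GTP_C_PORT, build_gtpv1(GTP_ECHO_REQUEST, b"")),
    ("benign v1 echo response", GTP_C_PORT, build_gtpv1(GTP_ECHO_RESPONSE, b"\x0e\x01")),   # Recovery IE
    ("benign v2 echo request", GTP_C_PORT, build_gtpv2(GTP_ECHO_REQUEST, b"\x03\x00\x01\x00\x00")),
    ("oversized v1 echo request", GTP_C_PORT,
     build_gtpv1(GTP_ECHO_REQUEST, b"CONSTRUCTED-SAMPLE-COMMAND-PAYLOAD-0001")),
    ("length mismatch v1 echo request", GTP_C_PORT,
     bytes([0x32, GTP_ECHO_REQUEST, 0, 4]) + bytes(4) + bytes([0, 1, 0, 0]) + bytes(20)),
    ("GTP-U echo on 2152, out of scope", 2152, build_gtpv1(GTP_ECHO_REQUEST, bytes(32))),
]


def scan(datagrams) -> dict:
    """Map each flagged label to its findings; unflagged datagrams are omitted."""
    flagged = {}
    for label, port, data in datagrams:
        findings = inspect_gtp_datagram(port, data)
        if findings:
            flagged[label] = findings
    return flagged


if __name__ == "__main__":
    for label, findings in scan(SAMPLE_DATAGRAMS).items():
        print(label)
        for finding in findings:
            print("  -", finding)
```

The same header parsing works on datagrams pulled from a packet capture or a UDP tap on a GTP-C interface; only the `SAMPLE_DATAGRAMS` list is synthetic. On the host side, the raw-socket trick described above has its own footprint: the kernel lists every process holding a raw socket in `/proc/net/raw`, so a process name such as `syslog` appearing there is worth a second look.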

Attribution and Impact

Cybersecurity experts attribute GTPDOOR to LightBasin, also known as UNC1945, a threat group linked to China with a history of targeting telecommunications entities. This group’s deep knowledge of telecom network architectures has enabled the deployment of specialized tools to access sensitive data, including call records and text messages. The discovery of GTPDOOR, with binaries uploaded to VirusTotal from Italy and China showing a low detection rate, underscores the ongoing sophisticated threat landscape facing global telecommunications.

The malware’s design targets outdated Red Hat Linux machines, highlighting vulnerabilities in legacy systems still operational within telecom networks. By mimicking legitimate processes, such as the syslog process, and requiring minimal adjustments to ingress firewall configurations, GTPDOOR exemplifies the stealth and sophistication of modern cyber threats and the necessity for ongoing vigilance and up-to-date security practices.

In response to this discovery, cybersecurity professionals have already begun developing and distributing Yara rules for detecting GTPDOOR’s presence, signaling the security community’s proactive steps in combating this threat. As telecommunications networks form the backbone of global communications, the emergence of tools like GTPDOOR poses significant risks, necessitating comprehensive security strategies to protect against such advanced cyber espionage activities.

Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.