HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Chinese Espionage Group Calypso Deploys Showboat Linux and JFMBackdoor Windows Malware Against Telecom Providers

Chinese state‑aligned actors (Calypso/Red Lamassu) have been using new Linux (Showboat) and Windows (JFMBackdoor) implants to infiltrate telecom operators in APAC and the Middle East. The tools enable persistent footholds, proxying, and data exfiltration, raising significant third‑party risk for any services that rely on compromised networks.

LiveThreat™ Intelligence · 📅 May 21, 2026· 📰 bleepingcomputer.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
3 recommended
📰
Source
bleepingcomputer.com

Chinese Espionage Group Calypso Deploys Showboat Linux and JFMBackdoor Windows Malware Against Telecom Providers

What Happened — A Chinese state‑aligned cyber‑espionage campaign, attributed to the Calypso/Red Lamassu group, has been using two newly discovered implants—Showboat (Linux) and JFMBackdoor (Windows)—to infiltrate telecommunications operators across the Asia‑Pacific and the Middle East. The malware establishes long‑term persistence, acts as a SOCKS5 proxy, and exfiltrates files, screenshots, and registry data.

Why It Matters for TPRM

  • Telecom infrastructure is a critical supply‑chain component; compromise can cascade to downstream services.
  • The implants support lateral movement, increasing the attack surface of any third‑party services hosted on compromised networks.
  • Persistent, multi‑platform espionage tools indicate a mature threat actor capable of adapting to diverse environments.

Who Is Affected — Telecommunications carriers, network equipment vendors, and any third‑party service providers (e.g., cloud, SaaS) that operate within or support telco environments.

Recommended Actions

  • Review contracts and security attestations for telecom vendors; demand evidence of endpoint hardening and network segmentation.
  • Verify that all Linux and Windows systems used by telecom partners are patched, monitored for anomalous process behavior, and have strict outbound proxy controls.
  • Conduct threat‑hunts for indicators of Showboat/kworker and JFMBackdoor, focusing on unusual services, SOCKS5 traffic, and DLL‑sideloading patterns.

Technical Notes

  • Showboat/kworker: Linux post‑exploitation framework; unknown initial vector; capabilities include data collection, file staging, process hiding via external “dead‑drop” code, and SOCKS5 proxying.
  • JFMBackdoor: Windows espionage implant delivered via batch script and DLL‑sideloading (fltMC.exe + FLTLIB.dll); provides reverse shells, file management, TCP proxying, registry manipulation, screenshot capture, encrypted config, and anti‑forensics.
  • No CVE references; attack vector remains unknown.

Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/chinese-hackers-target-telcos-with-new-linux-windows-malware/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · PrivacyOps · CookiePLUS

Data exposure is where consent and DSAR readiness get tested.

When personal data leaks, regulators ask what consent you held and how fast you can answer a subject request. The Verisq AI Trust Operations platform, with CookiePLUS, keeps that posture audit-ready under GDPR and CCPA.

Explore the Verisq AI Trust Operations platform →