Chinese Espionage Group Calypso Deploys Showboat Linux and JFMBackdoor Windows Malware Against Telecom Providers
What Happened — A Chinese state‑aligned cyber‑espionage campaign, attributed to the Calypso/Red Lamassu group, has been using two newly discovered implants—Showboat (Linux) and JFMBackdoor (Windows)—to infiltrate telecommunications operators across the Asia‑Pacific and the Middle East. The malware establishes long‑term persistence, acts as a SOCKS5 proxy, and exfiltrates files, screenshots, and registry data.
Why It Matters for TPRM —
- Telecom infrastructure is a critical supply‑chain component; compromise can cascade to downstream services.
- The implants support lateral movement, increasing the attack surface of any third‑party services hosted on compromised networks.
- Persistent, multi‑platform espionage tools indicate a mature threat actor capable of adapting to diverse environments.
Who Is Affected — Telecommunications carriers, network equipment vendors, and any third‑party service providers (e.g., cloud, SaaS) that operate within or support telco environments.
Recommended Actions —
- Review contracts and security attestations for telecom vendors; demand evidence of endpoint hardening and network segmentation.
- Verify that all Linux and Windows systems used by telecom partners are patched, monitored for anomalous process behavior, and have strict outbound proxy controls.
- Conduct threat‑hunts for indicators of Showboat/kworker and JFMBackdoor, focusing on unusual services, SOCKS5 traffic, and DLL‑sideloading patterns.
Technical Notes —
- Showboat/kworker: Linux post‑exploitation framework; unknown initial vector; capabilities include data collection, file staging, process hiding via external “dead‑drop” code, and SOCKS5 proxying.
- JFMBackdoor: Windows espionage implant delivered via batch script and DLL‑sideloading (fltMC.exe + FLTLIB.dll); provides reverse shells, file management, TCP proxying, registry manipulation, screenshot capture, encrypted config, and anti‑forensics.
- No CVE references; attack vector remains unknown.
Source: BleepingComputer