Chinese hackers target telcos with new Linux, Windows malware

A Chinese cyber-espionage campaign has been targeting telecommunications providers with newly discovered Linux and Windows malware dubbed Showboat and JFMBackdoor, respectively.

The operation has been active since at least mid-2022 and targeted organizations across the Asia Pacific and parts of the Middle East. It was attributed to the Calypso threat group, also tracked as Red Lamassu.

According to researchers at Lumen's Black Lotus Labs and PwC Threat Intelligence, the threat actor set up and used multiple telecom-themed domains to impersonate their targets.

The Showboat Linux malware

The Linux implant Calypso uses in these attacks, dubbed Showboat/kworker, is a modular post-exploitation framework built to  for long-term persistence after initial compromise. The initial infection vector is unknown.

According to a report today from Black Lotus Labs, once Showboat is deployed on a target system, it starts collecting information about the host and sends it to a command-and-control (C2) server.

The malware can also upload or download files, hide its own process, and establish persistence via a new service.

“One notable feature is the 'hide' command, which enables a process to conceal itself on a host machine by retrieving code stored on external websites such as Pastebin or online forums for use as a ‘dead drop’, Lumen's Black Lotus Labs researchers explain.

Pastebin page used in the attacks
Source: Lumen

Its most notable function is acting as a SOCKS5 proxy and port-forwarding pivot point, serving as a foothold on compromised endpoints and enabling the attackers to move to other systems on the internal network.

SOCKS5 and portmap functionality
Source: Lumen

The JMFBackdoor Windows malware

Researchers at PwC Threat Intelligence analyzed Red Lamassu's infection chain on Windows and noted that it starts with the execution of a batch script that drops payloads to stage a DLL-sideloading procedure (fltMC.exe + FLTLIB.dll). Ultimately, the final payload called JMFBackdoor is loaded.

The Windows attack chain
Source: PwC

According to the researchers, JFMBackdoor is a full-featured Windows espionage implant that has the following capabilities:

• Reverse shell access — Remote command execution on the infected machine.
• File management — Upload, download, modify, move, and delete files.
• TCP proxying — Uses the victim system as a network relay into internal systems.
• Process/service management — Start, stop, create, or kill processes and services.
• Registry manipulation — Modify Windows registry keys and values.
• Screenshot capture — Take screenshots of the victim's desktop and encrypt them for exfiltration.
• Encrypted configuration management — Store/update malware settings in encrypted configs.
• Self-removal and anti-forensics — Hide activity, remove persistence, and delete traces.

Infrastructure analysis suggests that the hackers follow a partially decentralized operational model, in which multiple clusters share similar certificate-generation patterns and tooling but target distinct victim sets.

Lumen concludes that the tooling is likely shared across multiple China-aligned threat groups, each targeting different regions and using the same malware ecosystem.