PROBABLYPWNED
Threat Intelligence | May 22, 2026 | 4 min read

Chinese APT Calypso Deploys Showboat and JFMBackdoor Against Telecoms

China-linked Calypso group targets telecoms across Middle East and Asia Pacific with new Linux and Windows malware. Showboat provides SOCKS5 proxy access; JFMBackdoor enables full system control.

Alex Kowalski

Security researchers have identified a Chinese cyber-espionage campaign targeting telecommunications providers across the Middle East and Asia Pacific using two previously undocumented malware families. The operation, attributed to the Calypso APT group (also tracked as Red Lamassu), has been active since at least mid-2022 and employs distinct tooling for Linux and Windows environments.

The Linux implant, dubbed Showboat, functions as a modular post-exploitation framework with SOCKS5 proxy capabilities. Its Windows counterpart, JFMBackdoor, provides full remote access through DLL sideloading. Together, they give attackers persistent access to telecom infrastructure while maintaining the ability to pivot through compromised networks.

Showboat: Linux Persistence at Scale

According to analysis from PwC's threat intelligence team, Showboat is designed specifically for Linux servers—the backbone of most telecom operations. The malware establishes persistence through service installation and supports:

  • Remote shell access — Interactive command execution on compromised hosts
  • File transfer — Upload and download capabilities for data exfiltration and tool staging
  • SOCKS5 proxy — Network proxying that allows attackers to route traffic through compromised infrastructure
  • Process hiding — A "hide" command that conceals the malware's process from system utilities

The process hiding capability is particularly sophisticated. Showboat retrieves obfuscation code from external websites including Pastebin and online forums, making detection more difficult and allowing operators to update evasion techniques without touching the deployed malware.

The Hacker News reports that Showboat's modular architecture allows operators to load additional capabilities as needed, adapting to specific target environments.

JFMBackdoor: Windows Access

The Windows component arrives through DLL sideloading: a legitimate executable is abused to load the malicious DLL in place of the library it expects. Once active, JFMBackdoor provides:

  • Full remote shell capabilities
  • File system operations
  • Network proxying for lateral movement
  • Screenshot capture
  • Self-removal to evade forensic analysis

The dual-platform approach makes sense for telecom targeting. While core network infrastructure typically runs Linux, administrative systems, databases, and corporate networks often mix Windows environments. Having purpose-built tools for both operating systems lets Calypso move laterally regardless of what they encounter.

Attribution and Geographic Focus

Researchers have linked the campaign to China through multiple indicators. BleepingComputer notes that command-and-control infrastructure traces back to IP addresses geolocated to Chengdu, the capital of Sichuan province—a known hub for Chinese state-affiliated cyber operations.

Confirmed victims include an ISP in Afghanistan and an entity in Azerbaijan. Researchers also identified potential compromises in the United States and Ukraine, though details on those intrusions remain limited.

The geographic spread aligns with broader Chinese strategic interests. Telecom providers offer attractive targets: access to communications metadata, potential for surveillance, and opportunities to intercept or manipulate traffic crossing their networks.

A Crowded Field

Calypso is one of several China-linked groups targeting telecommunications infrastructure. The Salt Typhoon campaign compromised at least eight U.S. telecom providers including Verizon, AT&T, and Lumen Technologies, exposing metadata on over a million people. Last year, we covered the Webworm APT's deployment of EchoCreep and GraphWorm malware against European targets, using Discord and Microsoft Graph for command-and-control.

Chinese APT groups have systematically targeted the telecommunications sector globally, often sharing tools and techniques. PwC's analysis suggests Showboat and JFMBackdoor may have been employed by more than one threat activity cluster, indicating possible tool sharing among affiliated groups.

Defending Telecom Infrastructure

Organizations in the telecommunications sector should assume they are targets and implement detection for:

Network indicators:

  • Unexpected outbound SOCKS5 connections from Linux servers
  • Traffic to Pastebin or similar paste sites from production systems
  • DLL sideloading attempts on Windows systems

Host indicators:

  • New or modified systemd services on Linux hosts
  • Processes hidden from standard utilities (for example, PIDs present in a direct walk of /proc but missing from ps output)
  • Suspicious DLL loading patterns on Windows
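As an added example (not from PwC's report or this article), a small Python triage script that checks constructed egress-log lines and systemd unit text for three of the indicators above: paste-site traffic and SOCKS-port connections from production Linux hosts, and service units whose binary lives in a temporary or hidden directory. The log format, host inventory, paste-site list and sample lines are all assumptions made up for this example.

```python
import re
# Assumption: starter list of paste sites; extend from your proxy's category feed.
PASTE_SITES = {"pastebin.com", "paste.ee", "hastebin.com", "rentry.co"}
PRODUCTION_HOSTS = {"core-gw01", "hlr-db02", "ims-app03"}  # constructed inventory
SOCKS_PORT = 1080  # IANA SOCKS port; a heuristic only, SOCKS5 can listen anywhere

# Constructed egress-log format: one connection per line.
LINE_RE = re.compile(r"(?P<ts>\S+) host=(?P<host>\S+) dst=(?P<dst>\S+) "
                     r"dport=(?P<dport>\d+) dir=(?P<dir>in|out)$")

def parse_line(line):
    """Fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return None if m is None else m.groupdict()

def triage_egress(lines):
    """(host, reason) pairs for outbound connections from production hosts that
    hit either network indicator: a paste site, or a SOCKS-port destination."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dir"] != "out" or rec["host"] not in PRODUCTION_HOSTS:
            continue
        dst = rec["dst"].lower()
        if any(dst == site or dst.endswith("." + site) for site in PASTE_SITES):
            findings.append((rec["host"], f"paste site {dst}"))
        if int(rec["dport"]) == SOCKS_PORT:
            findings.append((rec["host"], f"possible SOCKS proxy to {dst}:{rec['dport']}"))
    return findings

def suspicious_unit(unit_text):
    """Host indicator: a systemd unit whose ExecStart binary lives in a temporary
    or world-writable directory, or under a dot-directory. Heuristic, not a signature."""
    m = re.search(r"^ExecStart=(\S+)", unit_text, re.MULTILINE)
    if m is None:
        return False
    exe = m.group(1).lstrip("-@:+!")  # drop systemd's ExecStart prefix characters
    return exe.startswith(("/tmp/", "/var/tmp/", "/dev/shm/")) or "/." in exe

# Constructed sample lines; only the first and third should alert.
SAMPLE_LOG = [
    "2026-05-21T10:02:11Z host=core-gw01 dst=pastebin.com dport=443 dir=out",
    "2026-05-21T10:02:15Z host=core-gw01 dst=repo.internal dport=443 dir=out",
    "2026-05-21T10:03:40Z host=hlr-db02 dst=203.0.113.9 dport=1080 dir=out",
    "2026-05-21T10:04:02Z host=laptop-17 dst=pastebin.com dport=443 dir=out",
]

if __name__ == "__main__":
    for host, why in triage_egress(SAMPLE_LOG):
        print(f"[ALERT] {host}: {why}")
```

The port check will miss a proxy listening elsewhere, so pair it with flow-volume baselining per host rather than relying on it alone.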

The telecom sector's critical role in national infrastructure makes these intrusions a national security concern. Organizations should coordinate with relevant government agencies—in the U.S., that means CISA and the FBI—when detecting indicators associated with nation-state operations.

For organizations seeking deeper context on Chinese cyber operations targeting critical infrastructure, our cybersecurity books resource page includes recommended reading on state-sponsored campaigns.
