Skip to main content
Emerging ThreatsMalware & Ransomware

Chinese hackers infiltrate telcos with Showboat, JFMBackdoor malware

Cramped network closet with equipment and cables, and a single laptop in the foreground.

“One notable feature is the 'hide' command, which enables a process to conceal itself on a host machine by retrieving code stored on external websites such as Pastebin or online forums for use as a ‘dead drop’,” Lumen's Black Lotus Labs researchers explain.

The campaign and its targets

Chinese-aligned cyber operators tracked as Calypso (also known as Red Lamassu) have conducted an espionage campaign against telecommunications providers across the Asia Pacific and parts of the Middle East since at least mid-2022, according to research published by Lumen's Black Lotus Labs and PwC Threat Intelligence. The actors used multiple telecom-themed domains to impersonate target organizations as part of their operations.

Showboat/kworker: the Linux foothold

Lumen identifies the group’s Linux implant as Showboat, also called kworker. Showboat is described as a modular post-exploitation framework built for long-term persistence after an initial compromise; the initial infection vector remains unknown. Once deployed, Showboat collects information about the host and exfiltrates that data to a command-and-control server. It can upload and download files, hide its own process, and establish persistence by creating a new service.

Showboat’s most notable features include a 'hide' command that can pull code from public web locations (Pastebin and online forums were cited) to act as a “dead drop,” and a capability to function as a SOCKS5 proxy and port-forwarding pivot point. Lumen notes that this proxying capability gives the attackers a foothold on compromised endpoints and enables movement to other systems inside the victim network.

JMFBackdoor: the Windows implant and infection chain

PwC Threat Intelligence mapped the Windows infection chain used by Red Lamassu. It begins with a batch script that drops files to stage DLL sideloading involving fltMC.exe and FLTLIB.dll, which then leads to loading the final payload known as JMFBackdoor.

  • JMFBackdoor is described as a full-featured Windows espionage implant with capabilities that include reverse shell access for remote command execution, file management (upload, download, modify, move, delete), and TCP proxying to relay network traffic into internal systems.
  • Additional built-in functions include process and service management (start, stop, create, kill), Windows registry manipulation, screenshot capture with encryption for exfiltration, encrypted configuration storage, and self-removal and anti-forensics functions to hide activity and remove persistence.

Shared tooling, decentralized operations

Infrastructure analysis in the reports indicates a partially decentralized operational model: multiple clusters exhibit similar certificate-generation patterns and reuse tooling while targeting different victim sets. Lumen concludes the tooling is likely shared across multiple China-aligned threat groups, with a common malware ecosystem applied to distinct regional targets.

What this means for telecommunications providers, security teams, and regional cyber defenders

Telecommunications providers: expect targeted impersonation attempts using telecom-themed domains and post-compromise implants designed to persist and relay traffic (Showboat’s SOCKS5 and JMFBackdoor’s TCP proxying are explicit examples).

Security and IT teams at affected enterprises: monitor for DLL sideloading behaviors that reference fltMC.exe and FLTLIB.dll, unusual service creation or hidden processes (including items that retrieve code from Pastebin or forum URLs), and the presence of SOCKS5 or port-forwarding pivots on endpoints.

Regional cyber defenders and CERTs: note the campaign’s geographic reach across the Asia Pacific and parts of the Middle East and the likelihood that similar tooling may appear in attacks attributed to distinct, China-aligned groups operating in other regions.

Calypso’s use of modular Linux and Windows implants, combined with a partly decentralized operational model and impersonation via telecom-themed domains, paints a picture of an adaptable espionage effort focused on long-term access rather than one-off disruption. The two implants described—Showboat/kworker on Linux and JMFBackdoor on Windows—cover common post-exploitation needs: data collection, lateral movement, encrypted configuration, and anti-forensics. Why those initial infection vectors remain unreported is one of the sharper questions the published material leaves in plain view.

Original reporting