
Chinese hackers target telcos with Showboat and JFMBackdoor malware

A China-aligned cyber-espionage campaign has been hitting telecommunications providers with two newly observed implants: Showboat, a modular Linux post-exploitation framework, and JFMBackdoor, a full-featured Windows espionage implant. The operation has been a

For three straight days, the numbers can look fine: networks respond, calls route, systems stay “up.” Then the malware does what it was built to do—quietly returns control of a compromised machine to its operator, turns the victim into a stepping stone, and sends what it finds back to a command-and-control server.

That’s the picture emerging from a China-aligned cyber-espionage operation targeting telecommunications providers with two newly observed malware families: Showboat for Linux systems and JFMBackdoor for Windows. The campaign has been active since at least mid-2022, and it has targeted organizations across the Asia Pacific and parts of the Middle East.

Security researchers attribute the activity to the Calypso threat group, which is also tracked as Red Lamassu. To get close to the targets, the attackers set up and used multiple telecom-themed domains to impersonate their intended victims.


On Linux, the implant is built for persistence and staying power. The malware used in these attacks, dubbed Showboat/kworker, is described as a modular post-exploitation framework that Calypso uses for long-term persistence after an initial compromise. How that initial infection happened remains unknown.

Once Showboat is deployed, it begins collecting information about the host and sending it to a command-and-control server. From there, the tool can upload or download files, hide its own process, and establish persistence by creating a new service.


One capability, highlighted by Lumen’s Black Lotus Labs, centers on concealment. The malware’s “hide” command enables a process to conceal itself on a host machine. To do that, it retrieves code stored on external websites such as Pastebin or online forums, described by the researchers as a “dead drop.”

Showboat doesn’t just watch. It also turns the compromised endpoint into a network pivot. Its most notable function is acting as a SOCKS5 proxy and a port-forwarding pivot point, giving the attackers a foothold on infected systems and allowing them to move to other machines inside the internal network.
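The “Showboat/kworker” name points at one practical check a defender can run on a Linux host. The script below is an added example written for this article; it is not code from Lumen, PwC or the malware’s authors, and it rests on a labelled assumption: that the implant’s kworker naming is a disguise as a kernel worker thread. Genuine kworker threads are kernel threads, so their parent is kthreadd (PID 2) and `/proc/<pid>/exe` has no target. A process wearing the kworker name while being backed by an on-disk executable, or while having a user-space parent, does not fit that profile. The sample process table is constructed, not real telemetry; `scan_proc()` applies the same logic to a live `/proc`.

```python
"""Flag user-space processes masquerading as Linux kernel 'kworker' threads.

Added example, not code from the article's sources. Assumption: a genuine
kworker is a kernel thread (parent PID 2, no /proc/<pid>/exe target), so a
kworker-named process with an executable path or a non-kthreadd parent is
suspicious and worth triage.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional

KWORKER_RE = re.compile(r"^kworker/")   # kernel naming pattern, e.g. kworker/u8:1
KTHREADD_PID = 2                         # kthreadd: parent of every kernel thread


@dataclass
class ProcInfo:
    pid: int
    comm: str            # short process name, as in /proc/<pid>/comm
    ppid: int
    exe: Optional[str]   # readlink(/proc/<pid>/exe); None for kernel threads


def is_suspicious_kworker(p: ProcInfo) -> bool:
    """True when the kworker name belongs to something that is not a kernel thread."""
    if not KWORKER_RE.match(p.comm):
        return False
    return p.exe is not None or p.ppid != KTHREADD_PID


def find_suspicious(procs: List[ProcInfo]) -> List[ProcInfo]:
    return [p for p in procs if is_suspicious_kworker(p)]


def read_procinfo(pid: int) -> Optional[ProcInfo]:
    """Read one process from /proc (Linux only); None if it exited meanwhile."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/comm") as fh:
            comm = fh.read().strip()
        with open(f"{base}/status") as fh:
            ppid = next(int(line.split()[1]) for line in fh if line.startswith("PPid:"))
        try:
            exe = os.readlink(f"{base}/exe")
        except OSError:
            exe = None   # kernel threads (and zombies) have no exe target
        return ProcInfo(pid, comm, ppid, exe)
    except (OSError, StopIteration):
        return None


def scan_proc() -> List[ProcInfo]:
    """Apply the check to the live process table of this host."""
    procs = [read_procinfo(int(d)) for d in os.listdir("/proc") if d.isdigit()]
    return find_suspicious([p for p in procs if p is not None])


# Constructed sample process table (not captured from a real system)
SAMPLE = [
    ProcInfo(2,    "kthreadd",     0,    None),
    ProcInfo(17,   "kworker/0:1",  2,    None),                    # genuine kernel thread
    ProcInfo(1342, "sshd",         1,    "/usr/sbin/sshd"),
    ProcInfo(4410, "kworker/u8:2", 1,    "/tmp/.cache/kworker"),   # user-space binary in disguise
    ProcInfo(4411, "kworker/1:3",  4410, None),                    # zombie child: no exe, but parent is not kthreadd
]

if __name__ == "__main__":
    for p in find_suspicious(SAMPLE):
        print(f"suspicious pid={p.pid} comm={p.comm} ppid={p.ppid} exe={p.exe}")
```

The two rules are deliberately independent: the exe check catches a renamed binary, and the parent check catches a kworker-named process that has already unlinked or otherwise lost its exe target. Either alone is a reason to pull the process’s open sockets and listening ports, which is where a SOCKS5 proxy of the kind described above would show up.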


On Windows, the path looks different but the goal is the same: gain remote control, keep access, and operate as a relay for follow-on activity. Researchers at PwC Threat Intelligence examined Red Lamassu’s infection chain on Windows and found it begins with the execution of a batch script that drops payloads used for a DLL-sideloading procedure involving fltMC.exe and FLTLIB.dll. Eventually, the final payload—JFMBackdoor—is loaded.
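The fltMC.exe / FLTLIB.dll pairing named above is the detectable part of that chain. The script below is an added example for this article, not code from PwC, Lumen or the malware’s authors. It assumes (a labelled assumption) that the legitimate copies of both files live under the Windows system directories, so an image-load event in which fltMC.exe resolves FLTLIB.dll from anywhere else, or in which fltMC.exe itself runs from outside those directories, matches the sideloading pattern. The log lines are constructed in a Sysmon-like `key=value` shape (Event ID 7 is Sysmon’s image-load event; `Image` and `ImageLoaded` are its field names) and are not real telemetry.

```python
"""Flag DLL sideloading of FLTLIB.dll through fltMC.exe in image-load telemetry.

Added example, not code from the article's sources. Assumption: genuine
fltMC.exe and FLTLIB.dll live under System32/SysWOW64; the pair appearing
anywhere else is the sideloading pattern described in the article.
"""
import re
from typing import Dict, List

# Trusted locations of the legitimate binaries (assumption, see lead-in)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TARGET_IMAGE = "fltmc.exe"
TARGET_DLL = "fltlib.dll"

# key=value or key="quoted value" pairs
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed log line into a field dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_sideload(ev: Dict[str, str]) -> bool:
    """fltMC.exe loading FLTLIB.dll with either file outside the system directories."""
    if ev.get("EventID") != "7":          # only image-load events carry ImageLoaded
        return False
    image, loaded = ev.get("Image", ""), ev.get("ImageLoaded", "")
    if basename(image) != TARGET_IMAGE or basename(loaded) != TARGET_DLL:
        return False
    return not (in_system_dir(image) and in_system_dir(loaded))


def detect(lines: List[str]) -> List[Dict[str, str]]:
    return [ev for ev in map(parse_event, lines) if is_sideload(ev)]


# Constructed sample events (not real telemetry)
SAMPLE_LOGS = [
    # benign: both files in System32
    r'EventID=7 Image="C:\Windows\System32\fltMC.exe" ImageLoaded="C:\Windows\System32\FLTLIB.dll" Signed=true',
    # sideload: fltMC.exe copied next to an attacker-supplied DLL
    r'EventID=7 Image="C:\Users\Public\Libraries\fltMC.exe" ImageLoaded="C:\Users\Public\Libraries\FLTLIB.dll" Signed=false',
    # sideload: genuine fltMC.exe resolving the DLL from a writable directory
    r'EventID=7 Image="C:\Windows\System32\fltMC.exe" ImageLoaded="C:\ProgramData\FLTLIB.dll" Signed=false',
    # process-create event for the same binary: not an image load, ignored here
    r'EventID=1 Image="C:\Users\Public\Libraries\fltMC.exe" CommandLine="fltMC.exe"',
    # different loader: not the pattern
    r'EventID=7 Image="C:\Windows\System32\svchost.exe" ImageLoaded="C:\Windows\System32\FLTLIB.dll" Signed=true',
]

if __name__ == "__main__":
    for ev in detect(SAMPLE_LOGS):
        print(f"sideload candidate: {ev['Image']} -> {ev['ImageLoaded']}")
```

Matching on the basename rather than the full path is what lets the rule catch a copied fltMC.exe; the location check then does the work. On real hosts, the signature status of the loaded DLL (the `Signed` field in the constructed lines) is the natural second filter before raising an alert.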

JFMBackdoor is described as a full-featured Windows espionage implant with reverse shell access for remote command execution on the infected machine. It also handles files through upload, download, modification, moving, and deletion. For network movement, it performs TCP proxying, using the victim system as a network relay into internal systems.


The implant can control what runs. It supports process and service management, including starting, stopping, creating, or killing processes and services. It can also manipulate the Windows registry by modifying registry keys and values.

To collect evidence for exfiltration, it captures screenshots of the victim’s desktop and encrypts them before sending them out. It stores and manages its settings in encrypted configuration storage. When the operation needs to hide its tracks, it supports self-removal and anti-forensics—hiding activity, removing persistence, and deleting traces.

There’s also a strategic layer to how the operation appears to be run. Infrastructure analysis suggests a partially decentralized operational model, in which multiple clusters share similar certificate-generation patterns and tooling but target distinct victim sets.

Lumen concludes that the tooling is likely shared across multiple China-aligned threat groups, each targeting different regions and using the same malware ecosystem.

The common thread across Linux and Windows is clear: once installed, both Showboat and JFMBackdoor are designed not just to survive—but to help attackers keep moving. For telecommunications organizations, that’s a particularly uncomfortable combination: the same networks built to carry traffic become the quiet infrastructure used to carry intrusions.


4 Comments

  1. So they’re saying calls route and everything stays up… but like how are we supposed to know if our carrier is compromised? Seems kinda pointless if it doesn’t show.

  2. China hackers again? I swear it’s always China. Next they’ll blame the weather or 5G. Also telcos always have weak security, so none of this surprises me.

  3. Wait, “Showboat/kworker” sounds like a legit app name? I thought kworker was just Linux kernel stuff. If it’s hiding processes by pulling code from Pastebin, that doesn’t even sound real like… can you really just do that and stay invisible?

  4. My buddy works at a telecom and he said this kind of thing is impossible because their systems are “air-gapped” lol. So either the article is wrong or he’s talking about some other part. Also they mentioned it’s been active since mid-2022, so how is anyone just now noticing for three days??
