A Chinese cyber-espionage campaign has been targeting telecommunications providers with newly discovered malware designed for both Linux and Windows systems. The Linux malware has been named Showboat, while the Windows implant is known as JFMBackdoor.
The campaign has reportedly been active since at least mid-2022 and has targeted organizations across the Asia-Pacific region and parts of the Middle East. Researchers have linked the activity to the Calypso threat group, which is also tracked as Red Lamassu.
According to researchers from Lumen’s Black Lotus Labs and PwC Threat Intelligence, the attackers created several telecom-themed domains to impersonate their targets and support their operations. The exact method used to gain initial access is still unknown, but once the malware is deployed, it gives the attackers a strong foothold inside compromised networks.
The Linux malware, called Showboat or kworker, is a modular post-exploitation framework built for long-term persistence. After landing on a system, it collects information about the infected host and sends the data to a command-and-control server controlled by the attackers.
Showboat can upload and download files, hide its own process, and create a new service to maintain persistence on the infected machine. One of its notable features is a “hide” command, which allows a process to conceal itself by retrieving code from external websites such as Pastebin or online forums. Researchers described this as a type of “dead drop” method used to hide malicious activity.
The malware’s most important capability is its ability to work as a SOCKS5 proxy and port-forwarding tool. This allows the attackers to use the infected system as a pivot point and move deeper into the victim’s internal network.
On Windows systems, PwC researchers found that the attack begins with a batch script. This script drops payloads that prepare a DLL side-loading process using fltMC.exe and FLTLIB.dll. The final payload, JFMBackdoor, is then loaded on the infected device.
JFMBackdoor is a full-featured Windows espionage implant. It allows attackers to run remote commands, manage files, create reverse shells, use the victim’s system as a TCP proxy, control processes and services, modify Windows registry settings, capture screenshots, update encrypted configuration files, and remove traces of its activity.
Researchers also found that the attackers appear to use a partially decentralized infrastructure model. Several activity clusters share similar certificate-generation patterns and tools, but they appear to focus on different victim groups.
Lumen believes the malware ecosystem is likely being shared across multiple China-aligned threat groups. Each group may be using the same tools while targeting different regions and organizations, especially in the telecommunications sector.





