Full Report
For years now, Chinese state-aligned hackers have been spying on telecommunications companies in Central Asia and beyond, using a newly discovered Linux post-exploitation framework. The malware is called “Showboat,” or “kworker.” Black Lotus Labs observed different clusters of Showboat activity against totally dissimilar targets — from an Internet service provider (ISP) in Afghanistan to an…
Analysis Summary
# Threat Actor: Calypso (and associated Chinese APTs)
## Attribution & Identity
* **Actor Identification:** Calypso
* **Country of Origin:** China (State-aligned)
* **Known Associations:** Part of a broader ecosystem of Chinese Advanced Persistent Threats (APTs) that share tooling. PwC refers to related activity as "Red Lamassu."
* **Discovery:** Identified as a distinct entity around 2019.
## Activity Summary
Calypso and affiliated clusters have been engaged in a multi-year espionage campaign targeting telecommunications and service providers. Recent activity observed by Black Lotus Labs involves the deployment of a sophisticated Linux post-exploitation framework against targets in Central Asia and Eastern Europe. The sharing of the "Showboat" malware across "totally dissimilar targets" suggests a collaborative environment or a centralized tool-distribution hub among Chinese state actors.
## Tactics, Techniques & Procedures
* **Post-Exploitation:** Deployment of specialized frameworks for persistent access following initial compromise.
* **Cross-Platform Operations:** Paired use of a Linux post-exploitation framework (Showboat) and a Windows backdoor (JFMBackdoor) so that mixed server estates can be covered from a single intrusion.
* **Camouflage/Masquerading:** Naming the implant "kworker", after the kernel's legitimate worker threads, so that it blends into process listings. Genuine kworker threads are kernel threads: they have no backing executable, an empty command line, and kthreadd (PID 2) as their parent, which is exactly what a defender can test for.
* **Shared Tooling:** Trading of malware frameworks between different APT clusters to maximize utility and complicate attribution.
## Targeting
* **Sectors:** Telecommunications, Internet Service Providers (ISPs).
* **Geography:** Central Asia (Kazakhstan, Afghanistan), Turkey, India, and Eastern Europe (Ukraine - specifically the Donbas region).
* **Victims:** An Afghan ISP and an undisclosed entity in the Donbas region.
## Tools & Infrastructure
* **Malware Families:**
* **Showboat (aka "kworker"):** A newly discovered Linux post-exploitation framework used for long-term spying.
* **JFMBackdoor:** A Windows-based backdoor used in tandem with Showboat, featuring similar levels of sophistication.
* **Infrastructure:**
* Targets include specific IP addresses in disputed territories (the Donbas region) and ISP infrastructure.
* *(Note: Specific defanged C2 IPs and domains were not detailed in the provided excerpt beyond general geographic/sector descriptions.)*
## Implications
This activity highlights a significant focus by Chinese intelligence on "Digital Silk Road" regions (Central and South Asia). By compromising telecommunications providers, the actors gain the ability to monitor high-value communications upstream. The sharing of the "Showboat" framework indicates that Chinese APTs are becoming more efficient at distributing specialized Linux malware, which is often less scrutinized than Windows-based threats.
## Mitigations
* **Linux Process Auditing:** Monitor for processes named "kworker" that do not look like kernel threads: a `/proc/<pid>/exe` link that resolves to a file on disk, a non-empty `/proc/<pid>/cmdline`, a parent PID other than 2 (kthreadd), or the PF_KTHREAD flag missing from `/proc/<pid>/stat`. A real kworker thread exhibits none of these.
* **Network Segregation:** Implement strict segmentation for ISP core infrastructure to prevent lateral movement from edge devices to management planes.
* **Supply Chain & Edge Security:** Prioritize patching of edge-facing Linux devices, as these often serve as the entry point for post-exploitation frameworks like Showboat.
* **Behavioral Monitoring:** Use EDR/XDR solutions capable of identifying anomalous Linux shell activity and unauthorized persistent backdoor connections.
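The kworker check above, written out as an added example (this is illustration code, not anything from Black Lotus Labs or from the Showboat report). It reads `/proc` on a live Linux host and also runs over constructed sample records so it can be exercised offline. The `Proc`, `kworker_findings`, `read_proc`, `scan` and `SAMPLE_PROCS` names are mine; the `PF_KTHREAD` value (0x00200000) is the kernel's `include/linux/sched.h` constant; the sample records are made up, not captured from an infected host.

```python
"""Hunt for user-space processes masquerading as the kernel's kworker threads.

Genuine kworker threads are kernel threads: their parent is kthreadd (PID 2),
/proc/<pid>/cmdline is empty, /proc/<pid>/exe does not resolve, and the
PF_KTHREAD flag is set in /proc/<pid>/stat. A backdoor that merely names
itself "kworker" (or sets argv[0] to "[kworker/0:1]") fails these checks.
Run as root so /proc/<pid>/exe is readable for every process.
"""
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

PF_KTHREAD = 0x00200000  # include/linux/sched.h: task is a kernel thread


@dataclass
class Proc:
    pid: int
    comm: str            # /proc/<pid>/stat field 2, without parentheses
    ppid: int            # /proc/<pid>/stat field 4
    flags: int           # /proc/<pid>/stat field 9
    cmdline: str         # /proc/<pid>/cmdline, NUL separators replaced by spaces
    exe: Optional[str]   # readlink(/proc/<pid>/exe), or None if it does not resolve


def kworker_findings(p: Proc) -> List[str]:
    """Reasons a kworker-named process looks like user space; [] if it is consistent
    with a real kernel worker thread (or is not named kworker at all)."""
    if not p.comm.lstrip("[").startswith("kworker"):
        return []
    reasons = []
    if p.exe is not None:
        reasons.append(f"backing executable {p.exe}")
    if p.cmdline:
        reasons.append(f"non-empty cmdline {p.cmdline!r}")
    if p.ppid != 2:
        reasons.append(f"parent pid {p.ppid} is not kthreadd")
    if not p.flags & PF_KTHREAD:
        reasons.append("PF_KTHREAD flag not set")
    return reasons


def scan(records: List[Proc]) -> List[Tuple[int, List[str]]]:
    """Return (pid, reasons) for every record that fails the kernel-thread checks."""
    out = []
    for p in records:
        reasons = kworker_findings(p)
        if reasons:
            out.append((p.pid, reasons))
    return out


def read_proc(pid: int) -> Optional[Proc]:
    """Build a Proc from /proc on a live Linux host; None if the process vanished."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/stat") as f:
            stat = f.read()
        # comm may contain spaces or parentheses; it spans the first '(' to the last ')'
        comm = stat[stat.index("(") + 1 : stat.rindex(")")]
        fields = stat[stat.rindex(")") + 2 :].split()   # fields[0] is the state
        ppid, flags = int(fields[1]), int(fields[6])
        with open(f"{base}/cmdline", "rb") as f:
            cmdline = f.read().replace(b"\0", b" ").strip().decode(errors="replace")
        try:
            exe = os.readlink(f"{base}/exe")
        except OSError:      # ENOENT for kernel threads; EACCES if not root
            exe = None
        return Proc(pid, comm, ppid, flags, cmdline, exe)
    except (OSError, ValueError):
        return None


def scan_live() -> List[Tuple[int, List[str]]]:
    """Walk /proc and apply the checks to every process (Linux only)."""
    if not os.path.isdir("/proc"):
        return []
    procs = [read_proc(int(n)) for n in os.listdir("/proc") if n.isdigit()]
    return scan([p for p in procs if p is not None])


# Constructed sample records for offline use (not captured from any real host).
SAMPLE_PROCS = [
    Proc(17, "kworker/0:1", 2, PF_KTHREAD | 0x40, "", None),                 # genuine kernel thread
    Proc(4242, "kworker", 1, 0x00400100, "/tmp/.x/kworker", "/tmp/.x/kworker"),  # masquerading implant
    Proc(1, "systemd", 0, 0x00400100, "/sbin/init", "/usr/lib/systemd/systemd"),  # ordinary user-space process
]

if __name__ == "__main__":
    for pid, reasons in scan_live() or scan(SAMPLE_PROCS):
        print(f"pid {pid}: " + "; ".join(reasons))
```

On a clean host `scan_live()` returns an empty list and the script falls back to the constructed samples, flagging only PID 4242 with all four findings. Each check is independent, so an implant that sets its parent or name carefully still trips on the executable link: user space cannot make `/proc/<pid>/exe` stop resolving, and it cannot set PF_KTHREAD.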