Full Report
A Chinese cyber-espionage campaign has been targeting telecommunications providers with newly discovered Linux and Windows malware dubbed Showboat and JFMBackdoor, respectively. [...]
Analysis Summary
# Threat Actor: Calypso
## Attribution & Identity
* **Name/Alias:** Calypso
* **Aliases:** Red Lamassu
* **Origin:** China (China-aligned)
* **Known Associations:** Part of a broader ecosystem in which tooling is likely shared across multiple Chinese threat clusters; the operational model suggests decentralized clusters that share certificate-generation patterns.
## Activity Summary
* **Campaign Period:** Active since at least mid-2022 through 2024.
* **Recent Activity:** A cyber-espionage campaign focused on telecommunications providers. The threat actor used telecom-themed domains to impersonate target organizations and deployed newly discovered malware families for long-term persistence and internal network pivoting.
## Tactics, Techniques & Procedures
* **DLL Side-Loading:** Used on Windows systems (e.g., using `fltMC.exe` to load a malicious `FLTLIB.dll`).
* **Dead Drop Resolvers:** Using external websites such as Pastebin or online forums to host the code or configuration retrieved by the malware's "hide" command.
* **Persistence:** Establishing new services on Linux and Windows platforms.
* **Internal Pivoting:** Utilizing SOCKS5 proxies and port-forwarding to move laterally from a compromised foothold.
* **Impersonation:** Registering and using domains that mimic the branding and infrastructure of targeted telecommunications providers.
* **Anti-Forensics:** Capabilities to hide processes, remove persistence mechanisms, and delete traces of activity.
## Targeting
* **Sectors:** Telecommunications providers.
* **Geography:** Asia Pacific and parts of the Middle East.
* **Victims:** Specific organizations were not named but were identified as regional telcos.
## Tools & Infrastructure
* **Showboat (aka kworker):** A modular Linux post-exploitation framework and SOCKS5 proxy/pivot tool.
* **JFMBackdoor:** A full-featured Windows espionage implant with reverse shell, file management, and screenshot capabilities.
* **Infrastructure:**
  * Command-and-Control (C2) servers.
  * Telecom-themed decoy domains.
  * External "dead drop" sites (e.g., `pastebin[.]com`).
  * Shared certificate-generation patterns across operational clusters.
## Implications
Calypso represents a highly disciplined espionage threat focused on critical infrastructure. By targeting telecommunications providers, the group gains the ability to monitor communications, map out network topologies, and maintain a persistent presence within a nation's digital backbone. The use of custom, modular malware for both Linux (common in telco server environments) and Windows (common in administrative environments) indicates a comprehensive approach to infiltrating enterprise networks.
## Mitigations
* **Monitor DLL Side-Loading:** Implement detection for common Windows binaries (like `fltMC.exe`) loading unsigned or unexpected DLLs from non-standard paths.
* **Audit Linux Services:** Regularly scan for newly created or suspicious system services and hidden processes on Linux servers.
* **Network Segmentation:** Restrict the use of SOCKS5 proxies and port-forwarding tools within the internal network to prevent lateral movement.
* **Egress Filtering:** Block or monitor connections to known "dead drop" sites like Pastebin from critical server infrastructure.
* **DNS Monitoring:** Monitor for newly registered domains that use company-specific keywords or variations of the organization’s primary domain.
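The DLL side-loading mitigation above can be expressed as a simple rule over image-load telemetry. The following is an added example (not code from the report or any vendor product) that classifies Sysmon-style ImageLoad records: the `fltMC.exe`/`FLTLIB.dll` pairing comes from the report, while the trusted directory list, the record fields and the sample events are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Directories from which Windows itself is expected to load fltlib.dll
# (assumption for this example; extend for your environment).
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Host binary / DLL pairs named in the report as side-loading candidates.
WATCHED_PAIRS = {("fltmc.exe", "fltlib.dll")}


@dataclass
class ImageLoad:
    image: str         # loading process executable (Sysmon 'Image')
    image_loaded: str  # DLL path (Sysmon 'ImageLoaded')
    signed: bool       # Sysmon 'Signed' field, True when signature verified


def _parent_dir(path: str) -> str:
    # Normalise case and separators so path comparison is robust.
    return str(PureWindowsPath(path).parent).lower()


def classify(ev: ImageLoad) -> Optional[str]:
    """Return a reason string when the load looks like side-loading, else None."""
    exe = PureWindowsPath(ev.image).name.lower()
    dll = PureWindowsPath(ev.image_loaded).name.lower()
    if (exe, dll) not in WATCHED_PAIRS:
        return None
    reasons = []
    if _parent_dir(ev.image_loaded) not in TRUSTED_DIRS:
        reasons.append("dll loaded from non-standard path")
    if not ev.signed:
        reasons.append("dll unsigned")
    if _parent_dir(ev.image) not in TRUSTED_DIRS:
        reasons.append("host binary running outside its system directory")
    return "; ".join(reasons) or None


def scan(events: List[ImageLoad]) -> List[Tuple[str, str]]:
    """Return (dll path, reason) for every suspicious load in the batch."""
    return [(e.image_loaded, r) for e in events if (r := classify(e))]


# Constructed sample telemetry, not real log data.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Windows\System32\fltMC.exe", r"C:\Windows\System32\FLTLIB.DLL", True),
    ImageLoad(r"C:\Users\Public\Libraries\fltMC.exe", r"C:\Users\Public\Libraries\FLTLIB.dll", False),
    ImageLoad(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\ntdll.dll", True),
]
```

Only the second sample event is flagged; the legitimate `fltMC.exe` load from System32 and the unrelated `svchost.exe` load pass silently.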