A China-linked hacking group has been targeting telecommunications providers in Asia Pacific and parts of the Middle East with new malware for both Linux and Windows systems. Researchers at Lumen Black Lotus Labs and PwC attributed the campaign to Calypso, also called Red Lamassu, and say it has been active since at least mid-2022. The Linux implant, Showboat, is a modular post-compromise framework used for persistence, file transfer, and SOCKS5 proxying to move through victim networks, while the Windows implant, JFMBackdoor, uses DLL sideloading and supports remote commands, file operations, registry changes, screenshots, and anti-forensics.
Why it matters: Telecom providers are high-value targets because they sit in the middle of sensitive communications and critical infrastructure. Organizations in the sector should hunt for these malware families and related telecom-themed impersonation domains, review persistence mechanisms and proxy activity, and check Linux and Windows systems for signs of long-term intrusion.
Bill Toulas
2026.05.21
This article appears to be the first tracked item establishing this specific Calypso/Red Lamassu telecom espionage campaign and the newly reported Showboat and JFMBackdoor malware families.