Chinese hackers target telcos with new Linux, Windows malware By Bill Toulas May 21, 2026 10:00 AM 0 A Chinese cyber-espionage campaign has been targeting telecommunications providers with newly discovered Linux and Windows malware dubbed Showboat and JFMBackdoor, respectively. The operation has been active since at least mid-2022 and targeted organizations across Asia Pacific and parts of the Middle East. It was attributed to the Calypso threat group, also tracked as Red Lamassu. According to researchers at Lumen's Black Lotus Labs and PwC Threat Intelligence, the threat actor set up and used multiple telecom-themed domains to impersonate their targets. The Showboat Linux malware The Linux implant Calypso uses in these attacks, dubbed Showboat/kworker, is a modular post-exploitation framework built to for long-term persistence after initial compromise. The initial infection vector is unknown. According to a report today from Black Lotus Labs, once Showboat is deployed on a target system it starts collecting information about the host and sends it to a command-and-control (C2) server. The malware can also upload or download files, hide its own process, and establish persistence via a new service. “One notable feature is the 'hide' command, which enables a process to conceal itself on a host machine by retrieving code stored on external websites such as Pastebin or online forums for use as a “dead drop,” explained Lumen's Black Lotus Labs researchers explain. Pastebin page used in the attacks Source: Lumen Its most notable function is acting as a SOCKS5 proxy and port-forwarding pivot point, serving as a foothold on compromised endpoints and enabling the attackers to move to other systems on the internal network. SOCKS5 and portmap functionality Source: Lumen The JMFBackdoor Windows malware Researchers at PwC Threat Intelligence analyzed Red Lamassu's infection chain on Windows and note that it starts with the execution of a batch script that drops payloads to stage a DLL-sideloading procedure (fltMC.exe + FLTLIB.dll). Ultimately, the final payload called JMFBackdoor is loaded. The Windows attack chain Source: PwC According to the researchers, JFMBackdoor is a full-featured Windows espionage implant that has the following capabilities: Reverse shell access — Remote command execution on the infected machine. File management — Upload, download, modify, move, and delete files. TCP proxying — Uses the victim system as a network relay into internal systems. Process/service management — Start, stop, create, or kill processes and services. Registry manipulation — Modify Windows registry keys and values. Screenshot capture — Take screenshots of the victim's desktop and encrypt them for exfiltration. Encrypted configuration management — Store/update malware settings in encrypted configs. Self-removal and anti-forensics — Hide activity, remove persistence, and delete traces. Infrastructure analysis suggests that the hackers follow a partially decentralized operational model, in which multiple clusters share similar certificate-generation patterns and tooling but target distinct victim sets. Lumen concludes that the tooling is likely shared across multiple China-aligned threat groups, each targeting different regions and using the same malware ecosystem. The Validation Gap: Automated Pentesting Answers One Question. You Need Six. Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold. This guide covers the 6 surfaces you actually need to validate. Download Now Related Articles: New stealthy Quasar Linux malware targets software developers New GopherWhisper APT group abuses Outlook, Slack, Discord for comms JDownloader site hacked to replace installers with Python RAT malware Fake Claude AI website delivers new 'Beagle' Windows malware Threat actor uses Microsoft Teams to deploy new “Snow” malware