Chinese Hackers Target Telecom Providers With New Windows and Linux Malware

Researchers uncover long-running telecom espionage operation

A China-linked cyber-espionage campaign is targeting telecommunications providers with newly discovered malware for both Linux and Windows systems.

The campaign has been attributed to Calypso, also tracked as Red Lamassu, and has reportedly been active since at least mid-2022.

Telecom providers targeted

The attacks focus on organizations in the Asia Pacific region and parts of the Middle East. Researchers say the operators used telecom-themed domains to impersonate target organizations and support their infrastructure.

The findings come from Lumen’s Black Lotus Labs and PwC Threat Intelligence, which described a campaign built around long-term access, internal network movement, and stealth.

Windows attacks use JFMBackdoor

On Windows systems, the attack starts with a batch script that drops payloads for DLL sideloading.

The chain abuses the legitimate Windows utility fltMC.exe to sideload a malicious FLTLIB.dll, which in turn loads JFMBackdoor, a malware tool that gives attackers extensive control over infected devices.
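One way a defender can spot the sideloading step described above, as an added example that is not from the article or the researchers' report: a small Python checker over Sysmon-style image-load events (Event ID 7, fields Image and ImageLoaded) that flags fltMC.exe loading FLTLIB.dll when either binary sits outside the Windows system directories. The sample events, paths and process IDs are constructed for the example.

```python
import json
import ntpath

# Directories from which fltMC.exe and FLTLIB.dll legitimately load on Windows.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

def _in_system_dir(path):
    """True when the path sits directly under a Windows system directory."""
    p = path.lower()
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)

def is_fltmc_sideload(event):
    """Flag a Sysmon-style image-load event in which fltMC.exe loads FLTLIB.dll
    while either binary lives outside the system directories. A genuine run loads
    FLTLIB.dll from System32; a copy dropped next to a rogue DLL does not."""
    image = event.get("Image", "")
    loaded = event.get("ImageLoaded", "")
    if ntpath.basename(image).lower() != "fltmc.exe":
        return False
    if ntpath.basename(loaded).lower() != "fltlib.dll":
        return False
    return not (_in_system_dir(image) and _in_system_dir(loaded))

def scan(lines):
    """Parse one JSON event per line and return (pid, exe, dll) for each hit."""
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed or non-JSON lines
        if ev.get("EventID") == 7 and is_fltmc_sideload(ev):
            hits.append((ev.get("ProcessId"), ev["Image"], ev["ImageLoaded"]))
    return hits

# Constructed sample events, not real telemetry: a normal fltMC.exe run,
# a copy sideloading from a user-writable folder, and an unrelated process.
SAMPLE_LOG = [
    r'{"EventID": 7, "ProcessId": 4120, "Image": "C:\\Windows\\System32\\fltMC.exe", "ImageLoaded": "C:\\Windows\\System32\\FLTLIB.dll"}',
    r'{"EventID": 7, "ProcessId": 5208, "Image": "C:\\Users\\Public\\Libraries\\fltMC.exe", "ImageLoaded": "C:\\Users\\Public\\Libraries\\FLTLIB.dll"}',
    r'{"EventID": 7, "ProcessId": 712, "Image": "C:\\Windows\\System32\\services.exe", "ImageLoaded": "C:\\Windows\\System32\\FLTLIB.dll"}',
    "not json",
]

if __name__ == "__main__":
    for pid, exe, dll in scan(SAMPLE_LOG):
        print(f"possible fltMC.exe sideload: pid={pid} exe={exe} dll={dll}")
```

A real deployment would read the events from the Sysmon operational log or a SIEM export rather than an inline list, and should also alert on fltMC.exe itself executing from a non-system path.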

JFMBackdoor can provide reverse shell access, upload and download files, manage processes and services, alter registry keys, and capture encrypted screenshots for exfiltration.

It can also act as a TCP proxy, store encrypted configuration data, and remove itself to reduce forensic traces.

Linux malware enables long-term access

The Linux malware, called Showboat or kworker, works as a modular post-exploitation framework.

Its initial infection method remains unknown, but once deployed, it can collect host information, communicate with a command-and-control server, upload and download files, hide its process, and create services for persistence.

Showboat can also retrieve code from external sites, including Pastebin and forums, which may help the attackers hide parts of their activity.

Network pivoting is the key concern

Showboat’s most important capability is its SOCKS5 proxy and port-forwarding support.

This lets attackers use compromised telecom systems as footholds and move deeper into internal networks. For telecom providers, that raises the risk of broader espionage, data theft, and long-term network monitoring.

Shared tools across China-aligned groups

Researchers believe the infrastructure points to a partially decentralized operation. Multiple clusters appear to share tooling and certificate-generation patterns.

Lumen believes the malware ecosystem may be shared across several China-aligned threat groups, with each group using similar tools against different regions.

The telecom campaign adds to a busy period for security teams. A Chrome botnet flaw was recently revealed, while Microsoft patched two actively exploited zero-day flaws.

GitHub has also confirmed that an internal breach was linked to the TanStack supply chain attack.

Via Bleeping Computer
