Chinese hackers target telcos with new Linux, Windows malware
ID: 741dc186-7ab9-5c5b-904a-daebc84096c8
STIX ID: report--741dc186-7ab9-5c5b-904a-daebc84096c8
Feed Name: Bleeping Computer
Researchers from Lumen's Black Lotus Labs and PwC describe a Chinese-aligned espionage campaign, active since mid-2022, that targets telecom providers across the Asia Pacific region and parts of the Middle East. The actor is tracked as Calypso/Red Lamassu.

The campaign uses two implants. On Linux, a modular implant called Showboat (kworker) provides SOCKS5 proxying and port forwarding, host reconnaissance, file transfer, process hiding and persistence. On Windows, an implant called JMFBackdoor, delivered via DLL sideloading, provides a reverse shell, file management, TCP proxying, process and service control, registry manipulation, screenshot capture, encrypted configuration and anti-forensics features. Infrastructure and tooling are shared across the activity clusters.
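The summary names the Linux implant "Showboat (kworker)". The script below is an added hunting example, not code from the report or from either research team, and it assumes the parenthetical means the implant runs under a process name imitating the kernel's kworker threads. The check rests on a property of real kernel threads that user-space malware cannot easily fake: they are children of kthreadd (PID 2), have an empty /proc/<pid>/cmdline, and have no readable /proc/<pid>/exe link. Any kworker-named process that breaks those invariants is flagged. The sample process records are constructed for illustration.

```python
"""Hunt for user-space processes masquerading as Linux kernel worker threads.

Added example; assumes a Showboat-style implant names itself like a kworker.
Genuine kworker threads are kernel threads: parent PID 2 (kthreadd), empty
cmdline, and no /proc/<pid>/exe target. Anything else named kworker/* is odd.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional

KWORKER_RE = re.compile(r"^kworker/")


@dataclass
class ProcInfo:
    pid: int
    ppid: int
    comm: str            # contents of /proc/<pid>/comm
    cmdline: bytes       # raw /proc/<pid>/cmdline (NUL-separated argv)
    exe: Optional[str]   # readlink(/proc/<pid>/exe) or None when absent


def is_suspicious_kworker(p: ProcInfo) -> bool:
    """True when a kworker-named process does not look like a kernel thread."""
    if not KWORKER_RE.match(p.comm):
        return False
    kernel_like = p.ppid == 2 and p.cmdline == b"" and p.exe is None
    return not kernel_like


def read_proc(pid: int) -> Optional[ProcInfo]:
    """Collect the fields we need from /proc; None if the PID vanished."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/comm") as f:
            comm = f.read().strip()
        with open(f"{base}/stat") as f:
            stat = f.read()
        # comm in stat may contain spaces/parens, so split after the last ')'.
        ppid = int(stat.rsplit(")", 1)[1].split()[1])
        with open(f"{base}/cmdline", "rb") as f:
            cmdline = f.read()
        try:
            exe = os.readlink(f"{base}/exe")
        except OSError:          # kernel threads raise ENOENT here
            exe = None
    except (OSError, ValueError, IndexError):
        return None
    return ProcInfo(pid, ppid, comm, cmdline, exe)


def scan_records(records: List[ProcInfo]) -> List[ProcInfo]:
    """Apply the check to already-collected records (offline / test use)."""
    return [p for p in records if is_suspicious_kworker(p)]


def scan_live() -> List[ProcInfo]:
    """Walk /proc on the current host and return flagged processes."""
    hits = []
    for name in os.listdir("/proc"):
        if name.isdigit():
            p = read_proc(int(name))
            if p is not None and is_suspicious_kworker(p):
                hits.append(p)
    return hits


# Constructed sample records (hypothetical, not taken from the report):
SAMPLE = [
    ProcInfo(17, 2, "kworker/0:1", b"", None),                       # real kernel thread
    ProcInfo(4821, 1, "kworker/u8:3", b"/tmp/.x/kworker\x00",
             "/tmp/.x/kworker (deleted)"),                          # impostor
    ProcInfo(4900, 1, "sshd", b"/usr/sbin/sshd\x00-D\x00",
             "/usr/sbin/sshd"),                                     # ordinary daemon
]

if __name__ == "__main__":
    for p in scan_records(SAMPLE):
        print(f"suspicious pid={p.pid} comm={p.comm} ppid={p.ppid} exe={p.exe}")
    # On a real host, replace SAMPLE with scan_live().
```

Two caveats for live use. First, the report credits Showboat with process hiding, so a readdir-hooking hider would keep the implant out of `os.listdir("/proc")`; a more robust sweep opens `/proc/<pid>` for every PID up to `/proc/sys/kernel/pid_max` instead of trusting the directory listing. Second, `comm` is truncated to 15 characters and is freely settable by the process, so a clean result here only means nothing is imitating the kworker naming scheme, not that the host is clean.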
