
Chinese APTs Target Telcos with Showboat and JFMBackdoor Malware

Severity: High (Score: 75.5)

Sources: Darkreading, pwc.com, Bleepingcomputer

Published: 2026-05-21 · Updated: 2026-05-21

Keywords: showboat, chinese, linux, calypso, asia, windows, malware

Severity indicators: malware

Summary

A China-based cyber-espionage group known as Calypso, also tracked by PwC as Red Lamassu, has been targeting telecommunications providers in Central Asia and the Asia Pacific region with two newly documented malware families: Showboat (also called kworker) and JFMBackdoor. The operations have been active since at least mid-2022, and the malware is built for long-term persistence and intelligence collection. Showboat is a Linux post-exploitation framework; JFMBackdoor is a Windows backdoor offering remote shell access, file operations and more. The group registers telecom-themed domains that impersonate its targets. Researchers from PwC and Lumen's Black Lotus Labs link the activity to a wider set of Chinese APTs that share tools and techniques. Low detection rates suggest the malware has operated largely unnoticed, potentially collecting significant geopolitical intelligence, and the campaign is ongoing.

Key Points:
  • Calypso APT is targeting telcos in Central Asia and the Asia Pacific with Showboat and JFMBackdoor.
  • Showboat is a Linux post-exploitation framework that enables long-term persistence after compromise.
  • JFMBackdoor is a Windows backdoor with capabilities including remote access and file manipulation.

Detailed Analysis

**Impact**

Telecommunications providers across Central Asia, South Asia and the Asia Pacific region, including Kazakhstan, Afghanistan and India, as well as parts of the Middle East, are targeted by Chinese state-aligned threat actors. The campaign has been active since at least mid-2022 and has affected multiple telcos and government entities. The attackers aim for long-term intelligence collection, putting sensitive communications data at risk and exposing critical telecom infrastructure to operational disruption.

**Technical Details**

The initial access vector is not yet known. On Windows hosts, the observed chain uses a batch script to stage DLL side-loading (fltMC.exe loading a malicious FLTLIB.dll) that launches JFMBackdoor. On Linux hosts, Showboat (kworker) is deployed as a post-exploitation framework providing persistence, process hiding, SOCKS5 proxying and lateral movement within internal networks. JFMBackdoor supports remote shell access, file operations, network proxying, screenshot capture and self-removal. Infrastructure includes an open directory hosted on 23.27.201[.]160, TLS certificates associated with it, and telecom-themed domains. The malware ecosystem is shared among multiple China-aligned groups. No CVEs are associated with this campaign.

**Recommended Response**

Monitor for network traffic to and from 23.27.201[.]160 and the associated domains, and deploy detections for DLL side-loading involving fltMC.exe and FLTLIB.dll, in particular either binary running from or loading from a directory other than System32. Harden endpoint defenses to detect and block suspicious batch scripts and post-exploitation tooling that exhibits SOCKS5 proxying or process-hiding behaviour. Investigate any Showboat or JFMBackdoor artifacts and segment networks to limit lateral movement. No patches apply; focus on behavioural detection and network monitoring.

Source articles (3)

  • Chinese hackers target telcos with new Linux, Windows malware — Bleepingcomputer · 2026-05-21
    A Chinese cyber-espionage campaign has been targeting telecommunications providers with newly discovered Linux and Windows malware dubbed Showboat and JFMBackdoor, respectively. The operation has been…
  • Chinese APTs Share Linux Backdoor in Central Asia Telco Attacks — Darkreading · 2026-05-21
    "Showboat" doesn't show off, but…
  • Calypso uses Showboat — pwc.com · 2026-05-21
    PwC Threat Intelligence has been tracking a China-based threat actor we call Red Lamassu (a.k.a. Calypso) since 2019, observing its operations targeting telecommunications and government entities acro…

Timeline

  • 2022-06-01 — Showboat malware first observed: The Showboat malware was identified in cyber-espionage campaigns targeting telecommunications providers.
  • 2022-06-01 — JFMBackdoor malware first observed: The JFMBackdoor was linked to the same campaigns targeting telcos alongside Showboat.
  • 2025-07-01 — Open directory discovered: An open directory associated with Red Lamassu was found, containing malware samples including Showboat.
  • 2025-10-01 — Infection chain analysis published: Researchers detailed the infection chain for JFMBackdoor, highlighting its delivery via DLL side-loading.
  • 2026-05-21 — Current threat status reported: Ongoing operations by Calypso APT continue to pose significant risks to telecommunications providers.

Related entities

  • Calypso (Apt Group)
  • Red Lamassu (Apt Group)
  • Malware (Attack Type)
  • Afghanistan (Country)
  • Azerbaijan (Country)
  • India (Country)
  • Kazakhstan (Country)
  • Turkey (Country)
  • Ukraine (Country)
  • Vietnam (Country)
  • fltlib.dll.it (Domain)
  • namefuture.site (Domain)
  • newsprojects.online (Domain)
  • xcent.online (Domain)
  • Telecommunications (Industry)
  • 139.180.223.193 (Ipv4)
  • 166.88.11.196 (Ipv4)
  • 23.27.201.115 (Ipv4)
  • 23.27.201.160 (Ipv4)
  • 64.227.128.21 (Ipv4)
  • BPFDoor (Malware)
  • JFMBackdoor (Malware)
  • Kworker (Malware)
  • PlugX (Malware)
  • ShadowPad (Malware)
  • Showboat (Malware)
  • T1041 - Exfiltration Over C2 Channel (Mitre Attack)
  • T1059.001 - PowerShell (Mitre Attack)
  • T1059.003 - Windows Command Shell (Mitre Attack)
  • T1071 - Application Layer Protocol (Mitre Attack)
  • T1090 - Proxy (Mitre Attack)
  • T1113 - Screen Capture (Mitre Attack)
  • T1543.003 - Windows Service (Mitre Attack)
  • T1574 - Hijack Execution Flow (Mitre Attack)
  • Linux (Platform)
  • Windows (Platform)
  • 176aec5d33c459a42e7e4e984a718c52e11213ef9a6aa961b483a836fc22b507 (Sha256)
  • 8b0e14e0684e00aee9cbf4fd22b2a5da08443f9a0f9ace4972803e29050bcc69 (Sha256)
  • a05fbe8734a5a5a994a44dee9d21134ad7108d24ab0749499fe24fc4b36c4cbc (Sha256)
  • b118f74dc2b974678a50349d04686f6b2df4b287a69e40c4513cd603c7271793 (Sha256)
  • PowerShell (Tool)