
Calypso APT leverages Showboat and JFMBackdoor in ongoing telecom espionage campaign

1 unique source, 1 article

Summary


A Chinese state-aligned cyber-espionage campaign attributed to the Calypso APT group has been targeting telecommunications providers since at least mid-2022 using newly identified malware families Showboat (Linux) and JFMBackdoor (Windows). The operation spans organizations across the Asia-Pacific and parts of the Middle East, with attackers establishing persistence, conducting espionage, and using compromised infrastructure as pivot points for lateral movement. The campaign employs modular malware frameworks, dead-drop communication techniques, and a partially decentralized operational model to maintain long-term access and operational security.

Timeline

  1. 21.05.2026 17:00 · 1 article

    Showboat and JFMBackdoor malware deployed in Calypso APT telecom espionage campaign since 2022

    Calypso APT has leveraged new malware families Showboat (Linux) and JFMBackdoor (Windows) in a long-running espionage campaign targeting telecommunications providers across Asia-Pacific and the Middle East since at least mid-2022. Showboat establishes persistence as a service, collects host data, and functions as a SOCKS5 proxy pivot point, while JFMBackdoor delivers reverse shell access, file management, registry manipulation, screenshot capture, and anti-forensic features via DLL-sideloading. The threat actor uses telecom-themed domains for impersonation and operates with a partially decentralized infrastructure model, with shared tooling and certificate patterns observed across multiple clusters.


Information Snippets

  • Calypso APT (also tracked as Red Lamassu) has conducted a sustained espionage campaign against telecommunications providers since at least mid-2022.

    First reported: 21.05.2026 17:00
    1 source, 1 article
  • Showboat is a modular Linux post-exploitation framework deployed as a service for long-term persistence on compromised systems.

    First reported: 21.05.2026 17:00
    1 source, 1 article
  • Showboat collects host information and transmits data to C2 servers, supports file upload/download, process hiding via dead-drop retrieval (e.g., Pastebin, forums), and functions as a SOCKS5 proxy for pivoting within internal networks.

    First reported: 21.05.2026 17:00
    1 source, 1 article
  • The Windows payload, JFMBackdoor, is delivered via a batch script that initiates DLL-sideloading using fltMC.exe and FLTLIB.dll, with the final payload loaded into memory.

    First reported: 21.05.2026 17:00
    1 source, 1 article
  • JFMBackdoor provides full-featured espionage capabilities including reverse shell access, file management, TCP proxying, registry manipulation, screenshot capture, and encrypted configuration storage.

    First reported: 21.05.2026 17:00
    1 source, 1 article
  • The threat actor uses telecom-themed domains to impersonate target organizations and adopts a partially decentralized infrastructure model with shared tooling and certificate patterns across multiple clusters.

    First reported: 21.05.2026 17:00
    1 source, 1 article
  • Researchers at Lumen's Black Lotus Labs and PwC Threat Intelligence attribute the campaign and describe shared malware ecosystems likely used across multiple China-aligned groups.

    First reported: 21.05.2026 17:00
    1 source, 1 article
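
A detection sketch for the fltMC.exe / FLTLIB.dll sideloading noted above, added here as an example and not taken from the researchers' report. It assumes image-load telemetry with Sysmon Event ID 7 field names (`Image`, `ImageLoaded`), a system drive of `C:`, and that the legitimate copies of both files live only in the Windows system directories; the sample events and paths are constructed.

```python
import ntpath

# Directories where Windows itself ships fltMC.exe and FLTLIB.dll (assumes C: system drive).
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
)

def _dir_and_name(path):
    """Split a Windows path into (lowercased directory, lowercased file name)."""
    directory, name = ntpath.split(ntpath.normpath(path))
    return directory.lower(), name.lower()

def is_trusted(path):
    """True when the file sits directly in one of the trusted system directories."""
    return _dir_and_name(path)[0] in TRUSTED_DIRS

def find_fltmc_sideloading(events):
    """Return fltMC.exe -> FLTLIB.dll load events where either file is outside a trusted directory."""
    hits = []
    for ev in events:
        if _dir_and_name(ev["Image"])[1] != "fltmc.exe":
            continue
        if _dir_and_name(ev["ImageLoaded"])[1] != "fltlib.dll":
            continue
        reasons = []
        if not is_trusted(ev["Image"]):
            reasons.append("fltMC.exe outside system directory")
        if not is_trusted(ev["ImageLoaded"]):
            reasons.append("FLTLIB.dll outside system directory")
        if reasons:
            hits.append({**ev, "reasons": reasons})
    return hits

# Constructed sample events; host names and paths are invented for illustration.
SAMPLE_EVENTS = [
    {"Host": "srv-a", "Image": r"C:\Windows\System32\fltMC.exe",
     "ImageLoaded": r"C:\Windows\System32\FLTLIB.DLL"},
    {"Host": "srv-b", "Image": r"C:\ProgramData\example\fltMC.exe",
     "ImageLoaded": r"C:\ProgramData\example\FLTLIB.dll"},
    {"Host": "srv-c", "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]

if __name__ == "__main__":
    for hit in find_fltmc_sideloading(SAMPLE_EVENTS):
        print(hit["Host"], hit["Image"], "->", hit["ImageLoaded"], hit["reasons"])
```

Paths are normalized before comparison, so a module path that climbs out of System32 with `..` is still flagged.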