Calypso telecommunications espionage campaign using Showboat and JFMBackdoor
Campaign
Summary
Hide ▲
Show ▼
A Calypso / Red Lamassu espionage campaign is targeting telecommunications providers with new Showboat and JFMBackdoor malware, increasing the risk of long-term compromise across Asia Pacific and parts of the Middle East. The operation has been active since at least mid-2022 and uses telecom-themed domains to impersonate victims. The malware supports persistence, C2 communication, and internal-network pivoting, which can deepen access after the initial intrusion.
Related Happenings
Y2K Operators Millenium RAT social-engineering distribution campaign
Campaign
H score73
First: 29.06.2026 17:30
Last: 29.06.2026 17:30
Sources 1
About this happening:
The **Y2K Operators** are running a **social-engineering distribution campaign** that spreads **Millenium RAT** through **booby-trapped downloads**, exposing users to remote compr...
Y2K Operators Millenium RAT social-engineering distribution campaign
CampaignAbout this happening: The **Y2K Operators** are running a **social-engineering distribution campaign** that spreads **Millenium RAT** through **booby-trapped downloads**, exposing users to remote compr...
StealC and Amadey infostealer infrastructure disruption
Malware Activity
H score69
First: 24.06.2026 18:25
Last: 24.06.2026 18:25
Sources 1
About this happening:
**StealC** and **Amadey** malware infrastructure was disrupted in **Operation Endgame**, cutting off the command-and-control services used to manage infected systems. Europol said...
StealC and Amadey infostealer infrastructure disruption
Malware ActivityAbout this happening: **StealC** and **Amadey** malware infrastructure was disrupted in **Operation Endgame**, cutting off the command-and-control services used to manage infected systems. Europol said...
Popa botnet forcing consumer TV boxes to relay traffic
Malware Activity
H score76
First: 18.06.2026 20:37
Last: 18.06.2026 20:37
Sources 1
About this happening:
**Popa** is an **Android-based botnet** that turns **consumer TV boxes** and related devices into relay infrastructure, maintaining encrypted connectivity and opening tunnels on d...
Popa botnet forcing consumer TV boxes to relay traffic
Malware ActivityAbout this happening: **Popa** is an **Android-based botnet** that turns **consumer TV boxes** and related devices into relay infrastructure, maintaining encrypted connectivity and opening tunnels on d...
Latest development: 03.07.2026 12:35
Google disabled NetNut accounts used for malware command-and-control, updated Google Play Protect to warn Android users, and disabled apps containing compromised SDKs while FBI legal actions and domain seizures targeted NetNut infrastructure. The coordinated disruption was described as degrading NetNut’s proxy network and shrinking the pool of devices available to the operator.
Vo1d botnet campaign targeting unofficial Android-based TV boxes
Campaign
H score88
First: 18.06.2026 20:37
Last: 18.06.2026 20:37
Sources 1
About this happening:
**NetNut** used the **Popa botnet** and deceptive SDKs on **off-brand Android-based smart TVs**, streaming media boxes, and unofficial apps to turn home connections into **residen...
Vo1d botnet campaign targeting unofficial Android-based TV boxes
CampaignAbout this happening: **NetNut** used the **Popa botnet** and deceptive SDKs on **off-brand Android-based smart TVs**, streaming media boxes, and unofficial apps to turn home connections into **residen...
Latest development: 03.07.2026 12:35
Google disabled all Google accounts used by NetNut for malware command-and-control, updated Google Play Protect to warn Android users, and disabled apps containing the compromised SDKs. The FBI’s seizure banner appeared on netnut.com while netnut.io briefly remained accessible, and Google said the coordinated actions caused significant degradation to NetNut’s proxy network and business operations.
SprySOCKS Windows backdoor activity against government organizations
Malware Activity
H score23
First: 16.06.2026 12:00
Last: 16.06.2026 12:00
Sources 1
About this happening:
**SprySOCKS** now has documented **Windows variants**, **WIN_DRV** and **WIN_PLUS**, expanding a toolset first known as a **Linux-only backdoor**. The activity is tied to **govern...
SprySOCKS Windows backdoor activity against government organizations
Malware ActivityAbout this happening: **SprySOCKS** now has documented **Windows variants**, **WIN_DRV** and **WIN_PLUS**, expanding a toolset first known as a **Linux-only backdoor**. The activity is tied to **govern...
Timeline
-
21.05.2026 17:00 2 articles · 1mo ago
Calypso campaign disclosed with Showboat and JFMBackdoor
Initial DisclosureA Chinese cyber-espionage campaign attributed to Calypso, also tracked as Red Lamassu, targets telecommunications providers with newly discovered Showboat Linux malware and JFMBackdoor Windows malware. The operation uses telecom-themed domains to impersonate targets, has been active since at least mid-2022, and affects organizations across the Asia Pacific and parts of the Middle East. Showboat is described as a modular post-exploitation framework with host information collection, file transfer, process hiding, persistence, and SOCKS5 proxying, while JFMBackdoor supports reverse shell access, file operations, registry manipulation, screenshot capture, and internal-network relay.
Show sources
- Chinese hackers target telcos with new Linux, Windows malware — www.bleepingcomputer.com — 21.05.2026 17:00
- Chinese hackers target telcos with new Linux, Windows malware — www.bleepingcomputer.com — 21.05.2026 17:00