Calypso telecommunications espionage campaign using Showboat and JFMBackdoor
Campaign
Summary
A Calypso / Red Lamassu espionage campaign is targeting telecommunications providers with new Showboat and JFMBackdoor malware, increasing the risk of long-term compromise across Asia Pacific and parts of the Middle East. The operation has been active since at least mid-2022 and uses telecom-themed domains to impersonate victims. The malware supports persistence, C2 communication, and internal-network pivoting, which can deepen access after the initial intrusion.
Related Happenings
Showboat Linux post-exploitation backdoor framework
Malware Activity
First: 21.05.2026 17:17
Last: 21.05.2026 17:17
Sources 1
About this happening:
The **Showboat** Linux malware has been identified as a **modular post-exploitation framework** used since **at least mid-2022**, raising the risk of persistent access on compromi...
Showboat / kworker Linux post-exploitation malware activity
Malware Activity
First: 21.05.2026 17:00
Last: 21.05.2026 17:00
Sources 1
About this happening:
Researchers tied **Showboat** / **kworker** to a stealthy **Linux post-exploitation framework** being reused across multiple Chinese threat clusters, raising concern that a shared...
Chinese state-aligned Showboat espionage campaign targeting telecoms in Central Asia
Campaign
First: 21.05.2026 17:00
Last: 21.05.2026 17:00
Sources 1
About this happening:
A **multi-year Chinese state-aligned espionage campaign** is using **Showboat** to target **telecommunications companies in Central Asia and beyond**, increasing the risk of cover...
UAT-9244 South America telecom targeting campaign
Campaign
First: 06.03.2026 01:19
Last: 06.03.2026 01:19
Sources 1
About this happening:
UAT-9244 is a China-linked campaign targeting telecommunication providers in South America since 2024. It compromises Windows, Linux, and edge devices to expand access across tele...
Latest development: 06.03.2026 10:22
The first documented phase centers on **TernDoor** targeting **Windows** hosts through **DLL side-loading** with `wsprint.exe` and `BugSplatRc64.dll`. After launch, it loads in memory and establishes persistence through a scheduled task or the Registry Run key.
APT24 BadAudio multi-delivery espionage campaign
Campaign
First: 21.11.2025 00:12
Last: 21.11.2025 00:12
Sources 1
About this happening:
**APT24** is running a **three-year espionage campaign** with **BadAudio** that has expanded into multiple delivery methods, increasing the operation's reach and stealth. Since **...
Timeline
- 21.05.2026 17:00 · 2 articles · 6d ago
Calypso campaign disclosed with Showboat and JFMBackdoor
Initial Disclosure
A Chinese cyber-espionage campaign attributed to Calypso, also tracked as Red Lamassu, targets telecommunications providers with newly discovered Showboat Linux malware and JFMBackdoor Windows malware. The operation uses telecom-themed domains to impersonate targets, has been active since at least mid-2022, and affects organizations across the Asia Pacific and parts of the Middle East. Showboat is described as a modular post-exploitation framework with host information collection, file transfer, process hiding, persistence, and SOCKS5 proxying, while JFMBackdoor supports reverse shell access, file operations, registry manipulation, screenshot capture, and internal-network relay.
Sources:
- Chinese hackers target telcos with new Linux, Windows malware — www.bleepingcomputer.com — 21.05.2026 17:00