Calypso (Red Lamassu) Chinese APT hits APAC and Middle East telcos with Showboat Linux SOCKS5 backdoor and JMFBackdoor Windows RAT
Lumen Black Lotus Labs and PwC Threat Intelligence have detailed a Chinese cyber-espionage campaign tied to the Calypso group (also tracked as Red Lamassu) that has been hitting telecommunications providers across Asia Pacific and parts of the Middle East since mid-2022. The operators run a Linux post-exploitation framework called Showboat (also seen under the process name kworker) that doubles as a SOCKS5 proxy and port forwarder, plus a Windows RAT called JMFBackdoor delivered by DLL sideloading: a malicious FLTLIB.dll loaded by the legitimate Microsoft binary fltMC.exe. Showboat retrieves a 'hide' command from public dead drops such as Pastebin to mask its process. The tooling appears to be shared across multiple China-aligned clusters, each targeting its own victim set.
- Check
- On Linux hosts in telco environments, hunt for processes named kworker that are not genuine kernel threads: a real kworker is parented by kthreadd (PID 2) and has no backing executable on disk, so a kworker with any other parent or a resolvable /proc/<pid>/exe is an impostor. On Windows hosts, hunt for fltMC.exe running outside System32 or loading a FLTLIB.dll that is not Microsoft-signed. Inspect outbound connections for SOCKS5 handshakes to unexpected destinations, and review egress logs for requests to Pastebin and similar paste sites from servers that have no business reason to reach them.
- Affected
- Telecommunications providers across Asia Pacific and the Middle East. Multiple China-aligned clusters share the Showboat and JMFBackdoor tooling and the same certificate-generation patterns, each against a distinct victim set.
- Fix
- Cut the dead-drop dependency by blocking Pastebin and similar paste-site domains at egress from server networks. Hunt for fltMC.exe sideloaded with a non-Microsoft FLTLIB.dll and treat any hit as a compromised host, not just a file to delete. Apply the indicators published by Lumen Black Lotus Labs and PwC.
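The kworker hunt above depends on properties of Linux kernel threads that a renamed user-space binary cannot fake. The following Python script, added here as an example and not code from the Lumen/PwC report or from the Showboat operators, applies those checks to a process snapshot: a genuine kworker is parented by kthreadd (PID 2), has no target behind /proc/<pid>/exe, and has an empty /proc/<pid>/maps. The sample process records at the bottom are constructed, not real telemetry, and the live /proc scan assumes it is run as root on Linux.

```python
"""Triage 'kworker' processes on Linux to find user-space impostors.

Added example, not from Lumen Black Lotus Labs, PwC or the Showboat authors.
It assumes only what the write-up states (Showboat runs under the name
kworker) plus standard /proc semantics for kernel threads.
"""
import os
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

KTHREADD_PID = 2  # every kernel thread is a child of kthreadd


@dataclass
class Proc:
    pid: int
    comm: str            # contents of /proc/<pid>/comm
    ppid: int            # parent PID from /proc/<pid>/stat
    exe: Optional[str]   # readlink(/proc/<pid>/exe); None when there is no target
    has_maps: bool       # True if /proc/<pid>/maps is non-empty


def parse_ppid(stat_line: str) -> int:
    """Parent PID is field 4 of /proc/<pid>/stat. comm is parenthesised and
    may contain spaces or ')', so split only after the last ')'."""
    rest = stat_line[stat_line.rindex(")") + 1:].split()
    return int(rest[1])  # rest[0] is the single-character state


def collect_procs() -> List[Proc]:
    """Snapshot the live process table from /proc. Run as root: unprivileged,
    readlink on another user's exe fails with EACCES and would look like a
    kernel thread. The ppid check still holds, since no user-space process
    can ever be parented by kthreadd."""
    procs: List[Proc] = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{pid}/stat") as f:
                ppid = parse_ppid(f.read())
        except (OSError, ValueError):
            continue  # process exited during the scan
        try:
            exe: Optional[str] = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = None
        try:
            with open(f"/proc/{pid}/maps") as f:
                has_maps = f.read(1) != ""
        except OSError:
            has_maps = False  # unreadable without privilege; ppid check remains
        procs.append(Proc(pid, comm, ppid, exe, has_maps))
    return procs


def suspicious_kworkers(procs: List[Proc]) -> List[Tuple[int, List[str]]]:
    """Return (pid, reasons) for every kworker-named process that fails a
    kernel-thread property. A genuine kernel thread fails none of them."""
    findings: List[Tuple[int, List[str]]] = []
    for p in procs:
        if not p.comm.startswith("kworker"):
            continue
        reasons = []
        if p.ppid != KTHREADD_PID:
            reasons.append(f"parent is PID {p.ppid}, not kthreadd")
        if p.exe is not None:
            reasons.append(f"backed by on-disk executable {p.exe}")
        if p.has_maps:
            reasons.append("has user-space memory mappings")
        if reasons:
            findings.append((p.pid, reasons))
    return findings


# Constructed sample records (not real telemetry): one genuine kernel thread,
# one renamed user-space binary, one unrelated daemon.
SAMPLE_PROCS = [
    Proc(pid=123, comm="kworker/0:1", ppid=2, exe=None, has_maps=False),
    Proc(pid=4242, comm="kworker/u8:3", ppid=1, exe="/var/tmp/.cache/kworker", has_maps=True),
    Proc(pid=900, comm="sshd", ppid=1, exe="/usr/sbin/sshd", has_maps=True),
]


if __name__ == "__main__":
    live = sys.platform.startswith("linux") and os.geteuid() == 0
    for pid, reasons in suspicious_kworkers(collect_procs() if live else SAMPLE_PROCS):
        print(f"PID {pid}: " + "; ".join(reasons))
```

The parent-PID test is the one to trust when the scan runs unprivileged: exe and maps become unreadable for other users' processes, but a user-space process can only ever be reparented to init or a subreaper, never to kthreadd.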