

Ethical Hacking News

Chinese Hackers' Latest Assault: Showboat and JFMBackdoor Malware Target Telcos Across Asia Pacific



Chinese hackers have been targeting telecommunications providers across the Asia Pacific region with new Linux and Windows malware dubbed Showboat and JFMBackdoor, respectively. The attackers, attributed to the Calypso threat group, used multiple telecom-themed domains to impersonate their targets and gain their trust. The malware gives the attackers a high degree of control over compromised systems and is challenging for security software to detect and remove. Organizations must take immediate action to protect themselves against these types of attacks.

  • Chinese hackers have been involved in a recent cyber-espionage campaign targeting telecommunications providers in the Asia Pacific region.
  • The attack, attributed to the Calypso threat group (Red Lamassu), used multiple telecom-themed domains to impersonate targets and gain trust.
  • A Linux implant called Showboat/kworker was used, providing long-term persistence on compromised systems and allowing hackers to move laterally across networks.
  • Showboat can hide from detection by using a "dead drop" strategy, making it challenging for security software to detect and remove.
  • A Windows-based malware called JFMBackdoor was also used, providing a high degree of control over the compromised system.
  • The use of shared tooling across multiple China-aligned threat groups highlights the need for organizations to be vigilant and take proactive measures to protect themselves against these types of attacks.



    Chinese hackers have been making headlines recently for their latest cyber-espionage campaign, which has targeted telecommunications providers across the Asia Pacific region. According to a report by Lumen's Black Lotus Labs and PwC Threat Intelligence, the attack was attributed to the Calypso threat group, also known as Red Lamassu.

    The operation, which has been active since at least mid-2022, utilized multiple telecom-themed domains to impersonate their targets. This tactic allowed the hackers to gain the trust of their victims and increase their chances of success. The attackers set up these fake domains to appear legitimate, making it difficult for their targets to distinguish between genuine and malicious communications.

    The Linux implant used in these attacks, dubbed Showboat/kworker, is a modular post-exploitation framework designed to provide long-term persistence on compromised systems. Once deployed, the malware starts collecting information about the host system and sends it to a command-and-control (C2) server. This allows the hackers to establish a foothold on the system and move laterally to other areas of the network.

    One notable feature of Showboat is its ability to hide from detection by using a "dead drop" strategy. The malware can retrieve code stored on external websites, such as Pastebin or online forums, which is then used to conceal its process on the host machine. This makes it challenging for security software to detect and remove the malware.
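A defender-side check for the process concealment described above, added here as an example and not taken from the Lumen/PwC report: it flags userland processes that present a kworker-style name without the kernel's PF_KTHREAD task flag. That the implant's process appears under the "kworker" name the article gives it is an assumption; the function names and the sample /proc tree are constructed.

```python
import os
import re
import tempfile

PF_KTHREAD = 0x00200000  # task flag the kernel sets only on genuine kernel threads
KWORKER_RE = re.compile(r"^\[?kworker\b")  # assumed disguise: kernel worker name

def read_proc(proc_root, pid):
    """Return (comm, flags, argv0) for one PID from its stat and cmdline files."""
    with open(os.path.join(proc_root, pid, "stat")) as f:
        stat = f.read()
    # comm sits in parentheses and may itself contain spaces or ')'.
    comm = stat[stat.index("(") + 1 : stat.rindex(")")]
    fields = stat[stat.rindex(")") + 1 :].split()
    flags = int(fields[6])  # ninth field of /proc/<pid>/stat
    with open(os.path.join(proc_root, pid, "cmdline"), "rb") as f:
        argv0 = f.read().split(b"\0")[0].decode(errors="replace")
    return comm, flags, argv0

def find_fake_kworkers(proc_root="/proc"):
    """List (pid, comm, argv0) for processes named like kworker but not kernel threads."""
    hits = []
    for pid in sorted(filter(str.isdigit, os.listdir(proc_root)), key=int):
        try:
            comm, flags, argv0 = read_proc(proc_root, pid)
        except (OSError, ValueError, IndexError):
            continue  # process exited mid-scan or entry unreadable
        names = (comm, argv0, os.path.basename(argv0))
        if any(KWORKER_RE.match(n) for n in names) and not flags & PF_KTHREAD:
            hits.append((int(pid), comm, argv0))
    return hits

def build_sample_proc():
    """Constructed /proc tree: a real kernel worker, an imposter, a normal daemon."""
    root = tempfile.mkdtemp()
    samples = {  # pid: (comm, ppid, flags, cmdline)
        "41": ("kworker/0:1", 2, 0x04208060, b""),
        "977": ("kworker/2:3", 1, 0x00400040, b"/tmp/kworker\0"),
        "1200": ("sshd", 1, 0x00400100, b"/usr/sbin/sshd\0-D\0"),
    }
    for pid, (comm, ppid, flags, cmdline) in samples.items():
        os.makedirs(os.path.join(root, pid))
        with open(os.path.join(root, pid, "stat"), "w") as f:
            f.write(f"{pid} ({comm}) S {ppid} 0 0 0 -1 {flags} 0 0 0 0\n")
        with open(os.path.join(root, pid, "cmdline"), "wb") as f:
            f.write(cmdline)
    return root

if __name__ == "__main__":
    print(find_fake_kworkers(build_sample_proc()))
```

Called with no argument, `find_fake_kworkers()` scans the live `/proc`; a hit is a triage lead to confirm against the binary behind `/proc/<pid>/exe`, not proof of this implant.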

    In addition to Showboat, the attackers also used a Windows-based malware called JFMBackdoor. This malware is a full-featured Windows espionage implant that provides a range of capabilities, including reverse shell access, file management, TCP proxying, process and service management, registry manipulation, screenshot capture, and encrypted configuration management.

    The JFMBackdoor malware is designed to provide the hackers with a high degree of control over the compromised system. It allows them to execute remote commands on the infected machine, upload and download files, modify Windows registry keys and values, take screenshots of the victim's desktop, and store malware settings in encrypted configurations. The malware also has anti-forensics capabilities that make it difficult for security software to detect and remove.

    The infrastructure analysis suggests that the hackers follow a partially decentralized operational model, where multiple clusters share similar certificate-generation patterns and tooling but target distinct victim sets. This means that different threat groups may use the same malware ecosystem but target different regions or organizations.

    Lumen concludes that the tooling is likely shared across multiple China-aligned threat groups, each targeting different regions and using the same malware ecosystem. This highlights the need for organizations to be vigilant and take proactive measures to protect themselves against these types of attacks.

    In conclusion, the latest cyber-espionage campaign by Chinese hackers has targeted telecommunications providers across the Asia Pacific region. The Showboat and JFMBackdoor malware gives the attackers a high degree of control over compromised systems and is challenging for security software to detect and remove. Organizations must take immediate action to protect themselves against these types of attacks and ensure that their systems are not compromised by this malicious activity.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Chinese-Hackers-Latest-Assault-Showboat-and-JFMBackdoor-Malware-Target-Telcos-Across-Asia-Pacific-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/chinese-hackers-target-telcos-with-new-linux-windows-malware/


  • Published: Thu May 21 09:35:40 2026 by llama3.2 3B Q4_K_M












