Chinese hackers target telcos with new Linux, Windows malware

Summary: A Chinese cyber-espionage campaign targeting telecommunications providers with new Linux and Windows malware, Showboat and JFMBackdoor respectively, has been active since mid-2022. The threat group, Calypso (Red Lamassu), uses sophisticated tools to gather intelligence and establish long-term persistence.

Chinese Hackers Target Telecom Providers With New Linux and Windows Malware

Cybersecurity researchers are warning about a new wave of attacks linked to Chinese threat actors targeting telecommunications companies with previously unseen malware designed for both Linux and Windows systems. The campaign reflects the growing sophistication of cyber-espionage operations aimed at critical communications infrastructure, an area increasingly viewed as strategically valuable for intelligence gathering and long-term access.

According to investigators, the attackers are deploying a combination of custom implants, stealthy backdoors, and remote administration tools capable of operating across multiple operating systems. By targeting both Windows workstations and Linux-based backend infrastructure, the operation demonstrates a clear focus on achieving deep and persistent access throughout telecom environments rather than compromising isolated devices.

Telecommunications providers have become high-value targets for state-linked cyber groups because of the enormous amount of sensitive data flowing through their networks. Access to telecom infrastructure can potentially provide intelligence on communications metadata, internal corporate activity, customer information, and even broader national infrastructure. Security analysts note that modern telecom environments also serve as gateways into government agencies, enterprise clients, and critical services connected to their networks.

Researchers say the malware used in the campaign was specifically engineered to remain difficult to detect. The Linux components reportedly focus on persistence and remote command execution, while the Windows payloads support credential theft, surveillance, and lateral movement inside compromised networks. This cross-platform approach allows attackers to maintain operational flexibility even if defenders detect or isolate part of the intrusion.

The campaign highlights how Linux systems are becoming increasingly central in advanced cyber operations. Traditionally, many enterprise security programs prioritized Windows-focused defenses because desktop environments were historically the most common attack vector. However, attackers are now heavily investing in Linux malware development due to the widespread use of Linux in servers, telecom infrastructure, virtualization platforms, and cloud environments.

Security experts believe the operation aligns with broader cyber-espionage objectives frequently associated with advanced persistent threat groups operating in support of strategic intelligence collection. While attribution in cyber operations is always complex, researchers point to tactics, infrastructure patterns, and targeting behavior consistent with previously observed Chinese state-linked campaigns.

One particularly concerning aspect of the attacks is the emphasis on long-term persistence. Rather than causing immediate disruption, the attackers appear focused on maintaining hidden access over extended periods. This strategy enables continuous surveillance, intelligence collection, and potential future operations without immediately alerting victims.

The disclosure arrives amid increasing geopolitical tensions surrounding telecommunications security, 5G infrastructure, and global cyber-espionage concerns. Governments worldwide have repeatedly warned that telecom networks represent one of the most critical sectors requiring enhanced cybersecurity protections due to their role in national communications and digital infrastructure.

Cybersecurity teams are being urged to strengthen monitoring across both Windows and Linux environments, review authentication activity carefully, and investigate unusual network traffic patterns. Experts also recommend implementing stricter segmentation between internal systems, limiting privileged access, and ensuring rapid patch management across internet-facing infrastructure.

The campaign serves as another reminder that modern cyber threats are no longer confined to a single operating system or platform. Advanced threat actors increasingly operate across entire enterprise ecosystems, adapting malware and techniques to whichever environment offers the best opportunity for stealth, persistence, and intelligence collection.

Key facts

  • Chinese hackers have been targeting telcos with the new malware families Showboat (Linux) and JFMBackdoor (Windows) since mid-2022.
  • Showboat is a Linux post-exploitation framework for long-term persistence, acting as a SOCKS5 proxy.
  • JFMBackdoor provides full espionage capabilities including reverse shell access and encrypted configuration management.
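The key facts above note that Showboat turns a compromised Linux host into a SOCKS5 proxy, and the article's advice is to investigate unusual network traffic. The Python below is an illustration added to this page, not code from the article, from BleepingComputer, or from the Showboat sample: it parses the RFC 1928 client greeting and request from a reassembled client-to-server TCP payload and raises an alert for any SOCKS5 handshake aimed at a listener that is not a sanctioned proxy. The addresses, ports, hostnames and flow records are constructed for the example.

```python
"""Heuristic SOCKS5 (RFC 1928) handshake detector for reassembled TCP payloads.

Added illustration; not the article's code. Flow records are constructed.
Assumes each payload is the client->server byte stream with the greeting and
the first request concatenated (as a stream reassembler would hand it over).
"""
from dataclasses import dataclass
import ipaddress
import struct
from typing import Optional

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


@dataclass
class Socks5Request:
    methods: list   # auth methods offered in the greeting (0x00 = no auth)
    command: str    # CONNECT / BIND / UDP_ASSOCIATE
    dst_host: str
    dst_port: int


def parse_socks5_client(payload: bytes) -> Optional[Socks5Request]:
    """Return the parsed request, or None if the bytes are not a well-formed
    SOCKS5 greeting+request (so traffic that merely starts with 0x05 is not flagged)."""
    if len(payload) < 2 or payload[0] != SOCKS_VERSION:
        return None
    nmethods = payload[1]
    if nmethods == 0 or len(payload) < 2 + nmethods:
        return None
    methods = list(payload[2:2 + nmethods])
    req = payload[2 + nmethods:]
    # Request header: VER CMD RSV ATYP, RSV must be zero.
    if len(req) < 4 or req[0] != SOCKS_VERSION or req[2] != 0x00:
        return None
    cmd, atyp, off = req[1], req[3], 4
    if cmd not in CMD_NAMES:
        return None
    if atyp == ATYP_IPV4 and len(req) >= off + 4:
        host, off = str(ipaddress.IPv4Address(req[off:off + 4])), off + 4
    elif atyp == ATYP_IPV6 and len(req) >= off + 16:
        host, off = str(ipaddress.IPv6Address(req[off:off + 16])), off + 16
    elif atyp == ATYP_DOMAIN and len(req) >= off + 1 and len(req) >= off + 1 + req[off]:
        dlen = req[off]
        host = req[off + 1:off + 1 + dlen].decode("ascii", errors="replace")
        off += 1 + dlen
    else:
        return None
    if len(req) < off + 2:
        return None
    (port,) = struct.unpack("!H", req[off:off + 2])
    return Socks5Request(methods, CMD_NAMES[cmd], host, port)


def find_unexpected_socks5(flows, allowed_listeners):
    """flows: iterable of (client_ip, server_ip, server_port, client_payload).
    allowed_listeners: set of (server_ip, server_port) for sanctioned proxies.
    Returns one alert dict per SOCKS5 handshake to any other listener."""
    alerts = []
    for client, server, port, payload in flows:
        req = parse_socks5_client(payload)
        if req is None or (server, port) in allowed_listeners:
            continue
        alerts.append({"client": client, "listener": (server, port),
                       "command": req.command, "no_auth": 0x00 in req.methods,
                       "target": f"{req.dst_host}:{req.dst_port}"})
    return alerts


def _connect(greeting: bytes, atyp: int, addr: bytes, port: int) -> bytes:
    return greeting + bytes([SOCKS_VERSION, 0x01, 0x00, atyp]) + addr + struct.pack("!H", port)


# Constructed sample flows (hypothetical addresses, ports and hostnames).
NO_AUTH_GREETING = b"\x05\x01\x00"
_DOMAIN = b"hlr.internal.example"
SAMPLE_FLOWS = [
    # Workstation using the sanctioned corporate proxy on 10.0.0.5:1080.
    ("10.0.1.20", "10.0.0.5", 1080,
     _connect(NO_AUTH_GREETING, ATYP_IPV4, bytes([93, 184, 216, 34]), 443)),
    # Same workstation speaking SOCKS5 to a backend Linux host on an odd port,
    # asking it to connect onward to an internal system over SSH.
    ("10.0.1.20", "10.0.2.77", 8443,
     _connect(NO_AUTH_GREETING, ATYP_DOMAIN, bytes([len(_DOMAIN)]) + _DOMAIN, 22)),
    # Ordinary TLS ClientHello prefix: must not be mistaken for SOCKS5.
    ("10.0.1.21", "10.0.2.77", 443, b"\x16\x03\x01\x00\xc4\x01\x00"),
]
ALLOWED_PROXIES = {("10.0.0.5", 1080)}

if __name__ == "__main__":
    for alert in find_unexpected_socks5(SAMPLE_FLOWS, ALLOWED_PROXIES):
        print("unexpected SOCKS5:", alert)
```

On real traffic the check runs over a stream reassembler's client-to-server buffers rather than single packets, and the listener allowlist should come from the asset inventory; a CONNECT into an internal host from a backend server that should never proxy anything is exactly the pivot this family is described as enabling.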

Why it matters

The use of purpose-built malware by Chinese threat actors against telecommunications providers has significant implications for the confidentiality of network traffic and subscriber data in the Asia Pacific and Middle East. The ability to establish long-term persistence and pivot within networks through a compromised host poses a serious risk to sensitive information.
