Calypso Group Deploys Cross Platform Malware Against Telecom Providers

The campaign leverages the Showboat Linux malware and the JMFBackdoor Windows implant for long-term espionage against telecom networks.

CSBadmin

Targeting Telecommunications Infrastructure

A cyber espionage campaign attributed to the threat group known as Calypso or Red Lamassu has been actively targeting telecommunications providers across the Asia-Pacific region and parts of the Middle East since at least mid-2022. Researchers from Lumen’s Black Lotus Labs and PwC Threat Intelligence identified the operation, which uses a combination of newly discovered Linux and Windows malware. The attackers set up multiple telecom-themed domains impersonating their targets, which facilitated their intrusions into provider networks.

New Malware Variants in the Wild

The Linux implant, named Showboat or kworker, is a modular post-exploitation framework designed for long-term persistence. Once deployed, it collects host information and communicates with a command-and-control server. A notable feature is a ‘hide’ command that allows the process to conceal itself by retrieving code from external websites such as Pastebin. The malware also functions as a SOCKS5 proxy and port-forwarding pivot point, enabling the attackers to move laterally across internal networks. On the Windows side, the infection chain begins with a batch script that drops payloads to stage a DLL sideloading procedure, ultimately loading the JMFBackdoor implant. This full-featured Windows espionage tool provides capabilities including reverse shell access, file management, TCP proxying, process and service management, registry manipulation, screenshot capture, and self-removal with anti-forensics features.
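A host-side triage check a defender could run against the kworker naming mentioned above, written here as an added example rather than tooling from the Lumen or PwC research; it assumes the implant presents as a user-space process carrying a kworker-style name, whereas genuine kworker threads are kernel threads: children of kthreadd (PID 2) with no executable link and an empty command line.

```python
"""Flag user-space processes wearing the kernel 'kworker' name (added example,
not tooling from the Lumen/PwC report). Assumes the implant runs as an ordinary
user-space process named kworker; real kworkers are kernel threads with parent
PID 2 (kthreadd), no /proc/PID/exe target and an empty command line."""
import os
import re
from dataclasses import dataclass
from typing import List, Optional

KTHREADD_PID = 2
KWORKER_RE = re.compile(r"^kworker(/\S*)?$")

@dataclass
class ProcInfo:
    pid: int
    comm: str
    ppid: int
    exe: Optional[str]  # resolved /proc/PID/exe; None for kernel threads
    cmdline: str        # empty for kernel threads

def is_masquerading_kworker(p: ProcInfo) -> bool:
    """True when a process has a kworker name but fails the kernel-thread checks."""
    if not KWORKER_RE.match(p.comm):
        return False
    kernel_thread = p.ppid == KTHREADD_PID and p.exe is None and p.cmdline == ""
    return not kernel_thread

def read_proc(pid: int) -> Optional[ProcInfo]:
    """Read one process from /proc; None if it exited mid-scan."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/comm") as f:
            comm = f.read().strip()
        with open(f"{base}/status") as f:
            ppid = int(re.search(r"^PPid:\s+(\d+)", f.read(), re.M).group(1))
        with open(f"{base}/cmdline", "rb") as f:
            cmdline = f.read().replace(b"\0", b" ").decode("utf-8", "replace").strip()
    except OSError:
        return None
    try:  # run as root: readlink on another user's process fails with EACCES
        exe = os.readlink(f"{base}/exe")
    except OSError:
        exe = None
    return ProcInfo(pid, comm, ppid, exe, cmdline)

def scan_proc() -> List[ProcInfo]:
    """Walk /proc and return every kworker-named process that is not a kernel thread."""
    pids = (int(e) for e in os.listdir("/proc") if e.isdigit())
    infos = (read_proc(pid) for pid in pids)
    return [p for p in infos if p is not None and is_masquerading_kworker(p)]
```

Call `scan_proc()` as root on a Linux host; each returned `ProcInfo` is a candidate for closer inspection of its executable path, open sockets and parent process.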

Operational Structure and Attribution

Infrastructure analysis reveals that the hackers follow a partially decentralized operational model. Multiple clusters share similar certificate generation patterns and tooling but target distinct sets of victims. Lumen researchers concluded that the tooling is likely shared across several China-aligned threat groups, each focusing on different regions while using the same malware ecosystem. This approach complicates attribution and suggests a broader collaborative effort among multiple state-sponsored actors.

Source: BleepingComputer
