How the Calypso (Red Lamassu) Cyber‑Espionage Campaign Targeted Telecom Networks
Security researchers uncovered a long‑running cyber‑espionage campaign targeting telecommunications providers using both Linux and Windows malware.
Telecommunications providers across the Asia‑Pacific region and parts of the Middle East have been the target of a long‑running cyber‑espionage campaign linked to a Chinese threat group known as Calypso, also tracked as Red Lamassu. The operation has been active since at least mid‑2022 and relies on newly identified malware designed for both Linux and Windows systems to maintain persistent access and collect intelligence from telecom environments.
Security researchers attribute the activity to an advanced persistent threat (APT) cluster focused on long‑term network access rather than disruptive attacks. By deploying specialized implants and using infrastructure that impersonates telecom organizations, the attackers were able to blend into the operational environment of their targets.
A Long‑Running Espionage Operation Targeting Telecom Providers
The campaign focuses specifically on telecommunications operators across Asia‑Pacific and parts of the Middle East. Investigations by threat intelligence teams revealed that the attackers established footholds in these networks and then deployed custom malware to expand access and maintain long‑term persistence.
The combination of Linux and Windows implants allows attackers to persist across mixed telecom environments, making detection and removal significantly harder.
Researchers identified two previously undocumented malware families central to the campaign:
Showboat, a Linux‑based post‑exploitation framework
JFMBackdoor, a Windows implant used for similar purposes
Together, these tools enabled attackers to operate inside mixed operating‑system environments commonly found in telecom infrastructure.
Showboat: A Linux Post‑Exploitation Framework
Showboat is designed for Linux systems and functions as a modular post‑compromise toolkit used after initial access has already been obtained. According to threat intelligence analysis, the malware provides several capabilities that help attackers control infected machines and pivot deeper into networks.
Key functions associated with Showboat include:
Launching remote shell access to compromised systems
Transferring files between attacker infrastructure and victim machines
Acting as a SOCKS5 proxy, allowing attackers to route traffic through infected systems
These features allow attackers to use compromised servers as relay points, helping conceal their activity and move laterally inside telecom networks.
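Showboat's SOCKS5 relay role is something a network sensor can look for directly. The detector below is an added example, not code from the report or from the malware itself: it parses the first client and server payload bytes of constructed TCP flow records for a SOCKS5 handshake (RFC 1928) and flags any host outside a sanctioned proxy allowlist that accepts one. The sensor export format, the allowlist and the flows are all assumptions.

```python
from collections import namedtuple
# SOCKS5 wire format (RFC 1928): greeting = VER NMETHODS METHODS...;
# server choice = VER METHOD (0xFF = refused); request = VER CMD RSV ATYP ADDR PORT.
SOCKS_VER = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
SANCTIONED_PROXIES = {"10.0.0.5"}  # constructed allowlist of approved proxy hosts
# One record per TCP flow: first payload bytes each side sent (assumed sensor export)
Flow = namedtuple("Flow", "src dst dport client_bytes server_bytes")

def parse_client_socks5(data: bytes):
    """None if not SOCKS5; ("GREETING", None, None) if only the greeting is present;
    otherwise (command, target, port) from the request that follows it."""
    if len(data) < 3 or data[0] != SOCKS_VER or data[1] == 0:
        return None
    pos = 2 + data[1]                                  # skip the NMETHODS method bytes
    if len(data) < pos:
        return None
    if len(data) < pos + 4 or data[pos] != SOCKS_VER or data[pos + 2] != 0x00:
        return ("GREETING", None, None)
    cmd, atyp, pos = data[pos + 1], data[pos + 3], pos + 4
    if atyp == 0x01 and len(data) >= pos + 6:                     # IPv4 + port
        target, pos = ".".join(map(str, data[pos:pos + 4])), pos + 4
    elif atyp == 0x03 and len(data) > pos and len(data) >= pos + 3 + data[pos]:  # domain
        n = data[pos]
        target, pos = data[pos + 1:pos + 1 + n].decode("ascii", "replace"), pos + 1 + n
    else:
        return None                                    # IPv6 or truncated: not handled
    port = int.from_bytes(data[pos:pos + 2], "big")
    return (CMD_NAMES.get(cmd, f"CMD_{cmd:#04x}"), target, port)

def server_accepted(data: bytes) -> bool:
    """True when the server answered with a SOCKS5 method selection rather than a refusal."""
    return len(data) >= 2 and data[0] == SOCKS_VER and data[1] != 0xFF

def find_rogue_proxies(flows):
    """Flows in which a host outside the allowlist completed a SOCKS5 handshake."""
    alerts = []
    for f in flows:
        req = parse_client_socks5(f.client_bytes)
        if req and server_accepted(f.server_bytes) and f.dst not in SANCTIONED_PROXIES:
            alerts.append((f.src, f.dst, f.dport) + req)
    return alerts

# Constructed flows: a sanctioned proxy, an internal Linux server that unexpectedly
# answers SOCKS5 and is asked to CONNECT onward to 192.0.2.10:443, and plain TLS.
SAMPLE_FLOWS = [
    Flow("10.0.1.20", "10.0.0.5", 1080, b"\x05\x01\x00", b"\x05\x00"),
    Flow("10.0.1.21", "10.0.3.7", 8443,
         b"\x05\x01\x00" + b"\x05\x01\x00\x01\xc0\x00\x02\x0a\x01\xbb", b"\x05\x00"),
    Flow("10.0.1.22", "10.0.3.9", 443, b"\x16\x03\x01\x00\xc8", b"\x16\x03\x03"),
]
```

A server that merely receives a greeting is not enough; the check requires the destination to answer with a method selection, which is what distinguishes a host actually acting as a relay from one being probed.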
JFMBackdoor: The Windows Counterpart
While Showboat targets Linux systems, the campaign also uses JFMBackdoor, a Windows‑based implant designed to operate in parallel with the Linux toolset.
In telecom environments—where infrastructure often combines Linux servers with Windows administrative systems—this dual‑platform approach allows attackers to maintain access even if one system type is detected or remediated. The Windows implant helps sustain persistence and supports additional espionage activity across enterprise portions of telecom networks.
Public reporting has confirmed the malware’s use in the campaign, but publicly available technical analysis of JFMBackdoor’s internal functionality remains limited.
Telecom‑Themed Domains and Impersonation Infrastructure
The attackers also built and operated telecom‑themed domains and supporting infrastructure that mimicked legitimate telecommunications entities.
Researchers believe these domains served several operational purposes:
Helping attackers appear relevant or legitimate within telecom environments
Supporting command‑and‑control communications with compromised systems
Facilitating further intrusion or credential harvesting operations
While the full mapping of spoofed domains to individual victims has not been publicly disclosed, the infrastructure suggests a deliberate attempt to embed malicious activity within the broader telecom ecosystem.
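The impersonation infrastructure described above can be hunted for in resolver logs. The script below is an added example, not the researchers' tooling: it assumes a constructed query-log format, a placeholder brand token (examplecell) and a short list of legitimate domains, and flags queried domains that borrow a brand or telecom token or closely resemble a legitimate domain.

```python
import re
from difflib import SequenceMatcher
# Constructed inputs: "examplecell" stands in for the operator's real brand.
LEGIT_DOMAINS = ("examplecell.com", "examplecell.net")
BRAND_TOKENS = ("examplecell", "telecom", "telco", "carrier")
MULTI_PART_TLDS = {"co.uk", "com.au", "co.jp", "com.sg"}
# Constructed resolver log format: "<timestamp> <client-ip> query <qname> <qtype>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+) (?P<qtype>\S+)$")
def registrable_domain(fqdn: str) -> str:
    """Naive eTLD+1: last two labels, or three for known two-part suffixes."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_TLDS:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def is_legit(domain: str) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in LEGIT_DOMAINS)

def suspicion_reason(domain: str):
    """Why a registrable domain looks like telecom-themed impersonation, or None."""
    if is_legit(domain):
        return None
    sld = domain.split(".")[0].replace("-", "")   # label left of the suffix
    for tok in BRAND_TOKENS:
        if tok in sld:
            return f"contains brand/telecom token '{tok}'"
    for d in LEGIT_DOMAINS:                       # near-miss typosquats
        ratio = SequenceMatcher(None, sld, d.split(".")[0]).ratio()
        if ratio >= 0.8:
            return f"resembles {d} (similarity {ratio:.2f})"
    return None

def scan_dns_log(lines):
    """Return (client, fqdn, reason) for each query to a lookalike domain."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            reason = suspicion_reason(registrable_domain(m["qname"]))
            if reason:
                alerts.append((m["client"], m["qname"], reason))
    return alerts

SAMPLE_LOG = [  # constructed
    "2024-03-10T12:00:01Z 10.0.1.5 query www.examplecell.com A",
    "2024-03-10T12:00:02Z 10.0.1.7 query examplecell-support.net A",
    "2024-03-10T12:00:03Z 10.0.1.8 query login.examplecel.com A",
    "2024-03-10T12:00:04Z 10.0.1.9 query telco-portal.co.uk A",
    "2024-03-10T12:00:05Z 10.0.1.5 query cdn.example.org AAAA",
]
```

The generic telecom tokens will produce noise in a real telecom environment, so in practice the brand tokens carry the signal and the generic ones are better used to rank than to alert.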
Why Cross‑Platform Malware Makes Telecom Intrusions Harder to Detect
Telecommunications providers typically operate mixed infrastructure, including Linux servers running network services and Windows systems supporting enterprise operations. Malware that targets both platforms therefore provides attackers with greater flexibility.
By deploying separate implants for Linux and Windows, the Calypso operators gain several advantages:
Greater persistence: removing malware from one platform does not eliminate the attacker’s access to the network
Broader lateral movement: attackers can pivot between operational and administrative systems
Stealthier operations: compromised machines can act as proxies or relay nodes for hidden communications
This cross‑platform approach allows attackers to maintain long‑term espionage positions within critical communications infrastructure, increasing the potential exposure of sensitive telecom data and network intelligence.
A Growing Risk for Global Telecom Infrastructure
The Calypso campaign highlights a broader trend in cyber‑espionage targeting telecommunications networks. Nation‑state‑linked actors increasingly deploy specialized malware tailored to telecom environments, aiming to maintain stealthy access rather than launch immediate disruptive attacks.
Long‑term infiltration of telecom networks can provide visibility into communications metadata, network architecture, and sensitive operational systems. For governments and intelligence agencies, that access can yield valuable strategic intelligence.
The discovery of Showboat and JFMBackdoor illustrates how attackers are evolving their toolkits to operate across multiple operating systems and infrastructure layers—making these campaigns more resilient and harder for defenders to eradicate.