China-Linked Hackers Deploy Dual-Platform Espionage Tools in Telecom Cyberattacks
May 23, 2026
Showboat, also known as Calypso, is a modular Linux implant (kworker) and post-exploitation framework designed for long-term persistence, information collection, data exfiltration, file transfer, and process hiding. It can survive reboots through persistence mechanisms and can function as a SOCKS5 proxy for internal network pivoting.
Calypso (Red Lamassu), a Chinese threat group, has been active since mid-2022 targeting telecommunications providers in Asia-Pacific and parts of the Middle East, deploying Showboat (Linux) and JFMBackdoor (Windows) malware.
The operation introduced two new malware families, Showboat for Linux and JFMBackdoor for Windows, signaling a dual-platform espionage campaign.
Experts believe the shared ecosystem enables actors to operate in parallel across victims without building entirely new platforms.
JFMBackdoor includes encryption and anti-forensic techniques, with capabilities for self-deletion and trace erasure to hinder investigations.
A notable Showboat feature is its reveal-and-hide capability: it can retrieve code from public dead drops (e.g., Pastebin or forums) to conceal activity and issue covert instructions, and it can use these dead drops to move laterally within compromised networks.
Researchers from Lumen’s Black Lotus Labs and PwC Threat Intelligence attribute a shared malware ecosystem to China-aligned groups, aiding attribution and analysis.
Attackers use thematically related telecom domains to impersonate victim organizations, bolstering trust and enabling prolonged infiltration.
The operation appears to be a partially decentralized model with multiple clusters sharing similar tooling and certificate-generation patterns, suggesting tooling is reused across China-aligned groups targeting different regions.
JFMBackdoor enables advanced Windows espionage via a chain that runs from a batch script to DLL side-loading, offering remote command execution, file management, network mediation, service and process control, registry modification, and screenshot capture.
Showboat can function as a SOCKS5 proxy with port forwarding to facilitate lateral movement within target networks.
The infrastructure analysis points to a decentralized ecosystem where multiple China-aligned groups share tools, certificates, and architectures and may exchange capabilities across regions.
Summary based on 2 sources
Sources

BleepingComputer • May 21, 2026
Chinese hackers target telcos with new Linux, Windows malware
DigitalShield • May 23, 2026
Chinese hackers hit telecoms with novel Linux and Windows malware