Calypso/Red Lamassu (Bronze Medley) deploys Showboat (Linux) and JFMBackdoor (Windows) against telecoms — new implant pair disclosed by Lumen Black Lotus Labs and PwC Threat Intelligence
From CTI Daily Brief — 2026-05-22 · published 2026-05-22
Lumen's Black Lotus Labs and PwC Threat Intelligence disclosed on 2026-05-21 two purpose-built implants used by the China-aligned espionage cluster Calypso (also tracked as Red Lamassu and Bronze Medley; active since at least mid-2022 based on binary upload and victim telemetry) in a multi-year campaign against telecommunications providers (Lumen Black Lotus Labs, 2026-05-21 · PwC Threat Intelligence, 2026-05-21). Confirmed victims include a Middle East ISP, an Afghanistan ISP, and entities in Azerbaijan, the US, and Ukraine; European telecoms fall within the actor's documented targeting pattern.

Showboat is a modular ELF binary masquerading as a Linux kernel worker thread (kworker; T1036.005 Masquerade: Match Legitimate Name). It provides a remote shell (T1059.004), bidirectional file transfer, a SOCKS5 proxy into internal network segments (T1090.001 Internal Proxy), and a hide command that fetches a rootkit payload from Pastebin at runtime (T1102.001 Dead Drop Resolver). C2 payloads are exfiltrated base64-encoded inside PNG image fields to blend with web traffic (Lumen Black Lotus Labs, 2026-05-21).

JFMBackdoor, the Windows counterpart, is delivered via DLL sideloading (T1574.002): a batch script drops a legitimate signed executable that loads the malicious DLL, which provides a remote shell, file operations, a SOCKS5 proxy, and self-removal (PwC Threat Intelligence, 2026-05-21). C2 infrastructure clusters in IP ranges geolocated to Chengdu, Sichuan; X.509 certificate SAN/CN patterns link the victim set (Lumen Black Lotus Labs, 2026-05-21).

Detection: hunt for kworker-named ELF processes whose parent is not kthreadd (PID 2) on Linux telecom servers (auditd EXECVE records or Sysmon for Linux EID 1 with a parent-PID check); alert on unsigned DLLs loaded by vendor-signed executables (Sysmon EID 7: signed process, unsigned module); flag egress DNS queries or HTTP GET requests to pastebin.com originating from daemon-context processes.
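The three hunting checks in the detection guidance above, expressed as code so they can be dropped into a triage notebook. This is an added illustration, not tooling from Lumen Black Lotus Labs or PwC; every record below is constructed sample data (the vendor executable path, PIDs, hostnames and event fields are all assumptions), not captured telemetry. Note that Sysmon EID 7 reports Signed/SignatureStatus for the loaded module only, so the "signed process" half of that rule needs an enrichment source; here a small allow-list stands in for a signature inventory.

```python
"""Hunting checks for Showboat (Linux) and JFMBackdoor (Windows) indicators.

Added example; all records are constructed, not real telemetry."""
from typing import Dict, Iterable, List

Record = Dict[str, str]
KTHREADD_PID = 2  # every genuine kworker thread is a child of kthreadd


# --- 1. Linux: kworker-named process whose parent is not kthreadd ------------
# Real kworker threads are forked by kthreadd (PID 2) and expose no on-disk
# executable (/proc/<pid>/exe is unreadable). A userland ELF that named
# itself "kworker/..." fails one or both of those tests.
def suspicious_kworkers(procs: Iterable[Record]) -> List[Record]:
    hits = []
    for p in procs:
        looks_like_kworker = p["comm"].startswith("kworker")
        wrong_parent = int(p["ppid"]) != KTHREADD_PID
        has_disk_image = bool(p.get("exe"))
        if looks_like_kworker and (wrong_parent or has_disk_image):
            hits.append(p)
    return hits


# --- 2. Windows: unsigned DLL loaded by a signed vendor executable ------------
# Sysmon EID 7 carries Signed/SignatureStatus for ImageLoaded only; whether
# the loading Image is signed comes from enrichment. The allow-list below is
# a constructed stand-in for a real signature inventory (assumption).
SIGNED_VENDOR_IMAGES = {r"c:\program files\vendor\vendortool.exe"}


def sideload_candidates(events: Iterable[Record]) -> List[Record]:
    hits = []
    for e in events:
        if e.get("EventID") != "7":
            continue
        loader_signed = e["Image"].lower() in SIGNED_VENDOR_IMAGES
        module_unsigned = e.get("Signed", "").lower() == "false"
        if loader_signed and module_unsigned:
            hits.append(e)
    return hits


# --- 3. Egress to pastebin.com from daemon-context processes -----------------
# "Daemon context" is approximated as no controlling terminal (tty "?" as
# shown by ps); an interactive user opening a paste is not of interest here.
def daemon_pastebin_egress(flows: Iterable[Record]) -> List[Record]:
    hits = []
    for f in flows:
        dest = f.get("dest", "").lower()
        to_pastebin = dest == "pastebin.com" or dest.endswith(".pastebin.com")
        if to_pastebin and f.get("tty", "?") == "?":
            hits.append(f)
    return hits


# --- Constructed sample records (not captured telemetry) --------------------
SAMPLE_PROCS: List[Record] = [
    {"pid": "17", "ppid": "2", "comm": "kworker/0:1", "exe": ""},              # genuine
    {"pid": "4120", "ppid": "1", "comm": "kworker/u8:3", "exe": "/tmp/.x/kworker"},  # masquerade
    {"pid": "900", "ppid": "1", "comm": "sshd", "exe": "/usr/sbin/sshd"},      # benign daemon
]
SAMPLE_SYSMON: List[Record] = [
    {"EventID": "7", "Image": r"C:\Program Files\Vendor\VendorTool.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},                    # sideload
    {"EventID": "7", "Image": r"C:\Program Files\Vendor\VendorTool.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},                           # normal
    {"EventID": "1", "Image": r"C:\Windows\System32\cmd.exe"},                 # wrong event type
]
SAMPLE_FLOWS: List[Record] = [
    {"pid": "4120", "comm": "kworker/u8:3", "tty": "?", "dest": "pastebin.com"},   # daemon egress
    {"pid": "5001", "comm": "firefox", "tty": "pts/0", "dest": "pastebin.com"},    # interactive
    {"pid": "4120", "comm": "kworker/u8:3", "tty": "?", "dest": "example.invalid"},
]


def run_all() -> Dict[str, List[Record]]:
    """Run the three checks over the constructed samples and return the hits."""
    return {
        "kworker_masquerade": suspicious_kworkers(SAMPLE_PROCS),
        "dll_sideload": sideload_candidates(SAMPLE_SYSMON),
        "daemon_pastebin": daemon_pastebin_egress(SAMPLE_FLOWS),
    }


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name}: {len(hits)} hit(s)")
        for h in hits:
            print("   ", h)
```

Each check deliberately keys on a structural property the implant cannot easily fake (kernel-thread parentage, module signature state, absence of a controlling terminal) rather than on a hash or hostname, so the logic survives a rebuilt binary or a new C2 domain.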