Recent paired research from Lumen Black Lotus Labs and PwC is a useful reminder that telecom intrusions are rarely about a single malware sample. The reporting connects a China-linked activity set tracked by PwC as Red Lamassu, also known publicly as Calypso, to tooling built for long-term access across both Linux and Windows environments.
Lumen detailed Showboat, a Linux post-exploitation framework seen in activity targeting telecommunications organizations. PwC’s companion report on Red Lamassu and JFMBackdoor expands the picture with a Windows backdoor delivered through DLL side-loading. Taken together, the reports point to an operator focused on persistence, proxying, file movement, screenshots, remote shells, and internal network reach.
What was reported
Lumen describes Showboat as a modular Linux implant used as a foothold inside telecommunications environments. Its capabilities include remote shell access, file transfer, SOCKS5 proxying, port mapping, persistence, process hiding, and C2 switching. Those are not “smash and grab” features; they are designed to keep access alive and help the operator reach systems that are not directly exposed to the internet.
PwC’s report adds a Windows-side view of the same broader activity. Their JFMBackdoor analysis describes a DLL side-loading chain that ultimately loads a full-featured backdoor with remote shell capability, file and registry operations, process and service management, proxying, screenshot capture, and self-removal. PwC ties the activity to telecom and government-adjacent targeting across parts of Asia, with infrastructure and tooling overlaps that align with Red Lamassu operations.
Why this matters for SMBs and government contractors
Most small and mid-sized organizations are not telecommunications carriers, but the tradecraft still matters. Telecom-targeted tooling often becomes a blueprint for intrusion behavior elsewhere: compromise an edge or server foothold, hide on a Linux system, proxy deeper into the LAN, then use Windows tooling to expand access and collect intelligence.
For government contractors, the bigger lesson is that Linux infrastructure cannot be treated as “lower risk” simply because it is not part of the standard Windows endpoint stack. VPN appliances, web servers, identity infrastructure, jump hosts, monitoring systems, and internal Linux utilities can all become pivot points. If those systems are lightly monitored, an attacker can use them as quiet infrastructure inside the business.
Defensive takeaways
- Monitor Linux servers like endpoints. Collect process, service, authentication, outbound connection, and file integrity telemetry from Linux systems that touch production, identity, remote access, or customer environments.
- Look for unexpected proxy behavior. SOCKS, port mapping, unusual outbound connections, and internal-to-internal tunneling deserve attention, especially from servers that should have narrow communication patterns.
- Hunt for DLL side-loading paths. Windows detections should flag unusual DLL loads from writable directories, suspicious parent-child process chains, and legitimate binaries running from temporary or user-writable paths.
- Baseline internet-facing infrastructure. Track certificates, listening ports, exposed admin panels, and externally reachable services. The actor infrastructure in this reporting leaned heavily on reusable network patterns, and defenders can apply the same clustering mindset to their own internet-facing assets: anything that drifts from the recorded baseline is worth a look.
- Separate admin paths from production traffic. If a compromised Linux host can reach domain controllers, backup systems, file shares, or management interfaces without additional controls, it is not just a server compromise — it is an enterprise compromise path.
- Practice “foothold containment.” Incident response plans should include rapid isolation of Linux servers, credential rotation for service accounts, review of SSH keys, and validation of scheduled jobs, systemd services, and persistence mechanisms.
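The "unexpected proxy behavior" and "baseline" takeaways above, worked as a detection pass over constructed flow records. This is an added example, not code from either report: a per-host baseline of allowed listeners and internal destinations, plus an alert when an external inbound connection to a process is followed shortly by that same process opening new internal connections, which is what a SOCKS or port-mapping foothold looks like on the wire. The host name, addresses, process name and baseline are all constructed.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
# Constructed sample flow records (not from the reports): time, host, direction,
# process, local port, peer IP, peer port. "svc-w" is a made-up process name.
SAMPLE_FLOWS = """\
2024-05-01T10:00:01 web01 in  nginx 443   203.0.113.7 51514
2024-05-01T10:00:05 web01 in  svc-w 1080  203.0.113.7 51520
2024-05-01T10:00:09 web01 out svc-w 40122 10.0.5.10   445
2024-05-01T10:00:12 web01 out nginx 40130 10.0.2.20   5432
2024-05-01T10:02:00 web01 out svc-w 40140 10.0.5.11   3389
"""

INTERNAL = [ip_network("10.0.0.0/8")]
# Per-host baseline (constructed): ports the host may listen on, and the only
# internal (network, port) destinations it should ever open connections to.
BASELINE = {"web01": {"listen": {22, 443},
                      "egress": {(ip_network("10.0.2.0/24"), 5432)}}}

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)

def parse_flows(text):
    rows = []
    for line in text.splitlines():
        ts, host, d, proc, lport, peer, pport = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "host": host, "dir": d,
                     "proc": proc, "lport": int(lport), "peer": peer, "pport": int(pport)})
    return rows

def find_proxy_anomalies(rows, window=timedelta(seconds=60)):
    # Flags a listener outside the baseline, internal egress outside the baseline,
    # and the pivot pattern: external inbound, then internal egress from that process.
    alerts, last_external_in = [], {}
    for r in rows:
        base = BASELINE.get(r["host"], {"listen": set(), "egress": set()})
        key = (r["host"], r["proc"])
        if r["dir"] == "in":
            if r["lport"] not in base["listen"]:
                alerts.append(("unexpected-listener", r["host"], r["proc"], r["lport"]))
            if not is_internal(r["peer"]):
                last_external_in[key] = r["ts"]
            continue
        dest_ok = any(ip_address(r["peer"]) in net and r["pport"] == port
                      for net, port in base["egress"])
        if is_internal(r["peer"]) and not dest_ok:
            seen = last_external_in.get(key)
            kind = "possible-pivot" if seen and r["ts"] - seen <= window else "unbaselined-internal-egress"
            alerts.append((kind, r["host"], r["proc"], f'{r["peer"]}:{r["pport"]}'))
    return alerts
```

On the sample data the nginx traffic stays silent because it matches the baseline, while the unknown process is flagged three times: an unexpected listener on 1080, a pivot to SMB within the window, and later unbaselined RDP egress.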
Bulwark Black assessment
The Showboat and JFMBackdoor reporting is high-signal because it shows the operational stack, not just a malware name. Linux footholds, proxy functions, Windows backdoors, screenshot capture, service manipulation, and anti-forensic cleanup all support the same objective: durable access inside networks where connectivity itself is valuable intelligence.
The practical move for defenders is to treat every server with routing, authentication, or management reach as a monitored endpoint. If your security program only sees Windows laptops and ignores Linux infrastructure, network appliances, and internal jump paths, you are leaving the exact terrain these actors prefer uncovered.
Sources: Lumen Black Lotus Labs on Showboat; PwC Threat Intelligence on Red Lamassu / JFMBackdoor.
