appliedbits
FIELD NOTES PUBLISHED
PUBLISHED 2026-05-24

Calypso espionage campaign targets telecom carriers with new implants

BleepingComputer  ·  Bill Toulas  ·  May 21, 2026  ·  source ↗

Researchers at Lumen’s Black Lotus Labs and PwC Threat Intelligence have detailed a Chinese cyber-espionage campaign hitting telecom providers with two new implants — a Linux post-exploitation framework dubbed Showboat and a Windows backdoor called JFMBackdoor. The activity, attributed to the Calypso group (also tracked as Red Lamassu), has run since at least mid-2022 across Asia-Pacific and parts of the Middle East, using telecom-themed lookalike domains to impersonate its targets.

This is adjacent territory — network compromise rather than caller-ID fraud — but it matters for the same reason CPNI does: when carriers themselves are the target, the network that authenticates and routes calls is the thing being compromised. Showboat is built for long-term persistence and SOCKS5 pivoting; the researchers note the tooling appears shared across multiple China-aligned groups hitting different regions from a common malware ecosystem.

It belongs to the broader pattern of state actors treating telecom networks as collection infrastructure. Every trust assumption in carrier signaling rests on the carrier not being owned — and that assumption keeps getting tested.

Tagstelecom-securitycpniespionage