Chinese APTs share Linux backdoor in Central Asia telco attacks
For years now, Chinese state-aligned hackers have been spying on telecommunications companies in Central Asia and beyond, using a newly discovered Linux post-exploitation framework.
The malware is called “Showboat,” or “kworker.” Black Lotus Labs observed different clusters of Showboat activity against totally dissimilar targets — from an Internet service provider (ISP) in Afghanistan to an unknown IP in the disputed Donbas region of eastern Ukraine — suggesting that Chinese advanced persistent threats (APTs) are trading it around.
At least one of those APTs is Calypso, according to PricewaterhouseCoopers (PwC). First observed in 2019, Calypso is one of China’s lesser-discussed espionage groups, perhaps because its activity occurs in countries where Western cybersecurity companies have less visibility on average: Afghanistan, Kazakhstan, Turkey, and India, for example. Calypso uses Showboat alongside a Windows backdoor of roughly similar sophistication, called “JFMBackdoor.”
Read more at Dark Reading