Chinese-linked hackers have launched a sophisticated espionage campaign against global telecommunications providers using two newly identified malware families. Security researchers identified the threats as Showboat, a Linux-based backdoor, and JFMBackdoor, which targets Windows systems.

The campaign reflects a deliberate strategy to compromise critical telecom infrastructure across multiple operating systems. Attackers deployed Showboat on Linux servers commonly used in telecom environments, while JFMBackdoor infected Windows machines within the same organizations. Both malware families function as remote access tools, granting threat actors persistent control over compromised systems.

Telcos represent high-value targets for state-sponsored Chinese groups seeking intelligence on communications infrastructure, call metadata, and network topology. Compromising these networks enables broad surveillance capabilities and access to sensitive government and corporate communications.

Showboat establishes backdoor access through command-and-control communication channels, allowing attackers to execute arbitrary commands and exfiltrate data. JFMBackdoor operates similarly on Windows platforms, offering post-exploitation capabilities for lateral movement within telecom networks.

The malware families demonstrate technical sophistication consistent with Chinese advanced persistent threat (APT) groups. Both tools employ obfuscation techniques and anti-forensic measures to evade detection and complicate incident response efforts.

Telecommunications companies face elevated risk from this campaign. Compromised infrastructure can facilitate mass surveillance, enable access to sensitive business operations, and expose customer data at scale. Organizations without robust endpoint detection systems may remain unaware of active infections.

Security researchers recommend telecom providers implement network segmentation to isolate critical systems, deploy behavioral threat detection capable of identifying command-and-control traffic, and conduct forensic analysis of Linux and Windows systems for indicators of compromise related to Showboat and JFMBackdoor. Organizations should prioritize monitoring for unusual outbound connections from servers and implement strict access controls on