Infection chain overview | Image: PwC Threat Intelligence
Security researchers have uncovered a cyber espionage campaign against infrastructure networks in Asia. A new report from PwC Threat Intelligence details how the Red Lamassu threat actor targets critical telecommunications providers; PwC has tracked this cluster since 2019. The group, also known as Calypso APT, collects intelligence for long-term strategic advantage, which means its intrusions are persistent rather than one-off events, and network operators in the region need to defend against them on that basis.
Uncovering the Open Directory
The activity was discovered through a misconfigured server: an open directory hosting the actor's current payloads. According to the report, “Our analysis revolves around an open directory found during our hunting of Red Lamassu, containing both an aforementioned kworker sample, alongside a fully featured Windows backdoor, which we call JFMBackdoor.” The directory contained both Windows and Linux tooling. The Linux component overlaps with prior research by Lumen’s Black Lotus Labs, so PwC concentrated its analysis on the Windows implant.
Exploring JFMBackdoor Capabilities
JFMBackdoor gives remote operators a broad command set. The actor delivers it by DLL side-loading: a legitimate, signed executable is placed alongside a malicious DLL that the executable loads by name, so the implant runs inside a trusted process. Once loaded, the backdoor executes operator commands. The report states that “JFMBackdoor supports a range of capabilities, including: remote shell access, file system operations, network proxying, screenshot capture, and self-removal capabilities.” The network proxying function lets operators route traffic through a compromised host to reach systems deeper in the network, and self-removal lets them clean up when an operation ends. Combined with a trusted host process, this lets the intruders move through an infected network while blending into normal activity.
Tracking the Afghan Telecom Intrusion
Forensic evidence ties recent operations to the compromise of a domestic telecommunications provider in Afghanistan, where the group sought to monitor internal communications. The investigation surfaced a file named FLTBIN.dll, which came to light when a user in the country uploaded it to a public multi-antivirus scanning service. Investigators also found an anomalous digital certificate served from an Afghan IP address; the certificate was associated with a domain controller belonging to an Afghan telecom operator. Certificates tied to internal infrastructure that show up on an unexpected host are a useful pivot point for hunters and are worth investigating whenever they appear.
Mitigating the Strategic Threat
Red Lamassu remains an ongoing threat to regional telecommunications providers. The group likely operates from Sichuan Province, China, and its current targeting is concentrated on Kazakhstan, Afghanistan, and India. Because the implant arrives by DLL side-loading, the telemetry that matters is less access logs than image-load events: which DLL each process loaded, from which directory, and whether it was signed. Organizations in these regions should collect that telemetry from endpoints and alert on unsigned DLLs loaded from application or user-writable directories, which is the pattern side-loading produces. Sustained endpoint visibility of that kind is what disrupts a long-term collection effort.
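As an added example, not tooling from PwC or from the report, the following Python script applies the side-loading heuristics discussed above to Sysmon Event ID 7 (Image Loaded) records. The log lines, paths and the short list of commonly hijacked DLL names are constructed for illustration; the field names follow Sysmon's schema (Image, ImageLoaded, Signed, SignatureStatus).

```python
"""Flag DLL side-loading candidates in Sysmon Event ID 7 (Image Loaded) records.

Added example, not PwC's or the report's tooling. The log lines below are
constructed; field names follow the Sysmon schema. The system-DLL list is a
small illustrative subset, not an exhaustive catalogue.
"""
import json
import ntpath

# Directories where legitimately signed Windows DLLs normally live.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# Locations a legitimate installer rarely uses but a dropper often does.
SUSPICIOUS_DIRS = (r"c:\users\public", r"\appdata\local\temp", r"c:\programdata", r"c:\windows\temp")
# Illustrative subset of DLL names frequently targeted for side-loading / search-order hijacking.
COMMON_SYSTEM_DLLS = {"version.dll", "wtsapi32.dll", "dbghelp.dll", "cryptsp.dll", "userenv.dll"}


def _norm(path):
    # Normalise Windows paths for comparison regardless of the analysis host's OS.
    return ntpath.normpath(path).lower()


def _in_system_dir(path):
    d = _norm(ntpath.dirname(path))
    return any(d == s or d.startswith(s + "\\") for s in SYSTEM_DIRS)


def _in_suspicious_dir(path):
    p = _norm(path)
    return any(s in p for s in SUSPICIOUS_DIRS)


def classify_load(event):
    """Return the reasons an image-load event looks like side-loading (empty list if benign)."""
    proc = event["Image"]
    dll = event["ImageLoaded"]
    signed = (event.get("Signed", "false").lower() == "true"
              and event.get("SignatureStatus", "") == "Valid")
    proc_dir = _norm(ntpath.dirname(proc))
    dll_dir = _norm(ntpath.dirname(dll))
    dll_name = ntpath.basename(dll).lower()
    reasons = []

    # 1. Unsigned DLL sitting next to the host executable, outside Windows dirs: classic side-load layout.
    if not signed and dll_dir == proc_dir and not _in_system_dir(dll):
        reasons.append("unsigned DLL co-located with host executable")
    # 2. A well-known system DLL name resolved from a non-system directory (search-order hijack).
    if dll_name in COMMON_SYSTEM_DLLS and not _in_system_dir(dll):
        reasons.append(f"system DLL name {dll_name} loaded from non-system path")
    # 3. Host process or DLL running from a user-writable staging directory.
    if _in_suspicious_dir(proc) or _in_suspicious_dir(dll):
        reasons.append("image in user-writable staging directory")
    return reasons


def scan(lines):
    """Parse JSON-per-line Sysmon records; return (ImageLoaded, reasons) for each flagged load."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if str(ev.get("EventID")) != "7":  # only Image Loaded events matter here
            continue
        reasons = classify_load(ev)
        if reasons:
            hits.append((ev["ImageLoaded"], reasons))
    return hits


# Constructed sample telemetry: one benign load, one side-load layout, one staged loader, one non-7 event.
SAMPLE_LOG = r"""
{"EventID": 7, "Image": "C:\\Program Files\\Vendor\\app.exe", "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"}
{"EventID": 7, "Image": "C:\\ProgramData\\Updater\\legit_signed.exe", "ImageLoaded": "C:\\ProgramData\\Updater\\version.dll", "Signed": "false", "SignatureStatus": "Unavailable", "Signature": ""}
{"EventID": 7, "Image": "C:\\Users\\Public\\tool.exe", "ImageLoaded": "C:\\Users\\Public\\helper.dll", "Signed": "false", "SignatureStatus": "Unavailable", "Signature": ""}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}
"""

if __name__ == "__main__":
    for dll, reasons in scan(SAMPLE_LOG.splitlines()):
        print(dll, "->", "; ".join(reasons))
```

The three heuristics are deliberately independent so that a hit carries every reason that applies; in practice you would tune SUSPICIOUS_DIRS and the DLL list to your estate and suppress known-good vendor software that ships its own copies of system DLL names.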