
Open Directory, Open Season: Inside Red Lamassu's JFMBackdoor


Executive Summary

A misconfigured open directory did what years of stealth could not: it handed threat hunters the full toolkit of Red Lamassu (also tracked as Calypso and Bronze Medley), a China-nexus espionage group that PwC has followed since 2019. On 21 May 2026, PwC Threat Intelligence and Lumen's Black Lotus Labs published coordinated research — PwC on the Windows side, Lumen on the Linux side — exposing a paired implant set: a fully featured Windows backdoor named JFMBackdoor, and a Linux post-exploitation framework called Showboat (PwC's kworker; Kaspersky's EvaRAT).

For a telecom or critical-infrastructure operator the business risk is not a single intrusion but long-dwell espionage: Red Lamassu's objective is a persistent foothold for years of intelligence collection, and its tooling turns a compromised carrier into a launch pad into deeper, internal networks. Confirmed targeting clusters around telecommunications and government entities in Kazakhstan, Afghanistan, and India, with related activity reported across the wider Asia-Pacific.

The single most important action: hunt for anomalous DLL side-loading from %TEMP% and for the host artifact C:\Users\public\jfm — both are reliable fingerprints of this intrusion chain.


Discovery & Timeline

Red Lamassu's operational security slipped between July and October 2025, when PwC observed an open directory hosted on 23.27.201[.]160. Most of the files in it were links in a single connected infection chain; two outliers, clear (a Linux log-tampering utility) and systemd-ac-update (a Showboat/kworker sample), pointed straight at the group's cross-platform operations.

| Date | Event |
|---|---|
| 2019 | PwC begins tracking Red Lamassu / Calypso [NEEDS VERIFICATION: other trackers date the group to September 2016; see References] |
| Jul–Oct 2025 | Open directory active on 23.27.201[.]160 |
| 21 May 2026 | Coordinated disclosure: PwC (JFMBackdoor / Windows) and Lumen Black Lotus Labs (Showboat / Linux) |

The C2 infrastructure has a much longer tail. A TLS certificate tied to the C2 domain newsprojects[.]online was observed across multiple hosts stretching back to 2023, indicating the campaign infrastructure predates the leaked directory by years.


Threat Actor Profile — Red Lamassu (Calypso)

Red Lamassu is a China-based actor that PwC assesses as likely operating out of Sichuan Province (other reporting ties the C2 infrastructure to Chengdu, the provincial capital). The group leans on a mix of bespoke and shared tooling to establish and keep a long-term foothold for intelligence collection.

A few characteristics make it stand out for defenders:

  • Quiet geography. Its targeting concentrates on regions where Western security vendors have thinner visibility — Afghanistan, Kazakhstan, India, with related reporting naming Thailand and Turkey — which is part of why the group stayed lightly documented for years.
  • Shared "quartermaster" tooling. Red Lamassu has historically used PlugX, a family widely shared across China-nexus groups, and Showboat sits in the same shared ecosystem alongside frameworks like ShadowPad. That resource pooling is a recurring signature of China-nexus operations and complicates clean attribution.
  • Cross-platform. The pairing of a Windows backdoor (JFMBackdoor) with a Linux framework (Showboat) lets the group operate comfortably across the mixed estates typical of telecom environments.

Attack Flow — DLL Side-Loading Chain

The Windows chain is a textbook DLL side-loading sequence built around a legitimate signed binary. PwC notes one quirk: the dropper 1.bat will not run as-is — but every command inside it works when run individually, suggesting the script is meant to be passed through an obfuscator before deployment.

```mermaid
flowchart TD
    A["1.bat (dropper)<br/>PowerShell -WindowStyle Hidden"] -->|Invoke-WebRequest| B["%TEMP%<br/>flt.bin · FLTLIB.dll · scr.mui · fltMC.exe"]
    B --> C["fltMC.exe<br/>(legitimate signed binary)"]
    C -->|DLL side-loading| D["FLTLIB.dll<br/>(malicious loader)"]
    D -->|XOR decrypt — key Zs0@31=KDw.*7ev| E["scr.mui<br/>(encrypted config)"]
    D -->|load in memory| F["flt.bin<br/>(shellcode stub)"]
    F -->|decode + reflective load| G["JFMBackdoor<br/>(Win32 DLL, in-memory PE)"]
    G -->|TCPSession / WSSession / WSSSession| H["C2: namefuture[.]site"]
```

Step by step:

  1. 1.bat uses a hidden PowerShell window to pull flt.bin, FLTLIB.dll, scr.mui and fltMC.exe into %TEMP%, then launches fltMC.exe.
  2. fltMC.exe is a legitimate executable that side-loads the attacker's FLTLIB.dll.
  3. FLTLIB.dll opens scr.mui and XOR-decrypts it with the key Zs0@31=KDw.*7ev. The file format is a series of records: four bytes of an XOR-encrypted length, followed by the encrypted blob. The decrypted config is shared by both FLTLIB.dll and the final payload.
  4. FLTLIB.dll then loads flt.bin — a shellcode stub — into memory and executes it.
  5. flt.bin decodes and reflectively loads the final embedded PE: a ~1.12 MB Win32 DLL that is JFMBackdoor itself. Decrypted scr.mui configuration revealed hardcoded paths and a C2 domain in two observed sample sets:
```text
# Sample set 1
flt.bin · FLTLIB.dll · fltMC.exe
C:\Program Files (x86)\Windows Mail\wabmig.exe
C:\ProgramData\Microsoft\Network
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
namefuture[.]site

# Sample set 2 (additional sample)
sl.bin · sllauncherloc.dll
C:\Windows\SysWOW64\msdt.exe
C:\ProgramData\Microsoft\Network
en[.]cumm[.]info · xcent[.]online · cumm[.]info
```

Inside JFMBackdoor

The backdoor takes its name from a hardcoded path inside the malware, C:\Users\public\jfm. It is built on the CppServer library and drives its operations through the TCPSession, WSSession and WSSSession classes, talking to its C2 at namefuture[.]site.

Capabilities are extensive and map cleanly onto a full-spectrum espionage implant:

| Capability | Detail |
|---|---|
| Remote shell | Two reverse-shell variants. The second launches suspended, then uses FreeConsole + AttachConsole to detach from the console and evade inspection by other processes. |
| File system | Read/write/copy/move/delete files and folders, recursive directory listing, pattern-based file search, file execution, timestomping (SetFileTime), and attribute modification. |
| Network proxying | Establishes TCP proxy sessions, turning the host into a pivot. |
| Process & service mgmt | Enumerate / create / terminate processes; enumerate / start / stop / delete Windows services. |
| Network recon | Reads TCP/UDP connection tables (GetExtendedTcpTable / GetExtendedUdpTable) and can manipulate TCP entries (SetTcpEntry). |
| Registry | Full CRUD: enumerate, create, modify, rename, delete keys and values. |
| Screenshot capture | Uses GDI+ (gdiplus.dll), then Base64-encodes and XOR-encrypts the image before writing it to disk for exfil. |
| Self-management | Creates/reloads encrypted config and services, and can uninstall itself (registry, services, on-disk file) for anti-forensics. |
| Config management | Stores/reloads encrypted config from scr.mui and btasc.cfg, letting the operator update behavior dynamically. |

Selected command codes (highlights)

JFMBackdoor dispatches a command + sub-command structure. Selected entries from PwC's full table (Appendix B in the original report):

| Command | Sub | Action |
|---|---|---|
| 0xD | 0xA | Reverse shell via CreatePipe + CreateProcessW |
| 0xAD | 0xA | Stealth reverse shell: launched suspended, then FreeConsole/AttachConsole to evade inspection |
| 0xE | 0x10 | Timestomp a file (SetFileTime) |
| 0xF | 0x1 | Begin TCP proxy session |
| 0x11 | – | Uninstall self (registry, services, terminate, delete from disk) |
| 0x20 | 0x0 | Gather TCP/UDP tables (GetExtendedTcpTable / GetExtendedUdpTable) |
| 0x30 | 0x0 | Create C:\Users\public\jfm folders, write btasc.cfg config |
| 0x41 | 0x1 | Registry write (RegSetKeyValueW) |
| 0xCE | 0x2 | Screenshot via gdiplus.dll, saved Base64-encoded + XOR-encrypted |
| 0xCF | 0x0 | Reload configuration from scr.mui |
| 0xF1 | 0x1 | Delete a Windows service (DeleteService) |
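Step 3 of the attack flow (the scr.mui record format) and the screenshot entry in the capability table both come down to the same repeating-key XOR. The following is an added example, not PwC's or the implant's code: a parser for the record stream and a decoder for the screenshot artifact, using the key published above. Two details the report does not state are assumed and marked in the code: the 4-byte length is little-endian, and the key stream restarts at each length field and each blob. The sample config and sample screenshot are constructed here from the strings on this page.

```python
"""Added example (not PwC's code): decode the two XOR artifacts this page describes.

parse_records() walks an scr.mui-style stream: repeated [4-byte XOR'd length][XOR'd blob].
decode_screenshot() reverses the screenshot path: XOR first, then Base64.
Assumptions not stated in the report: the length is little-endian, and the repeating
key stream restarts at every length field and every blob. Sample inputs are constructed.
"""
import base64
import binascii
import struct
import sys

XOR_KEY = b"Zs0@31=KDw.*7ev"            # key published on this page
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"


def xor_bytes(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def parse_records(blob: bytes, key: bytes = XOR_KEY) -> list[bytes]:
    """Split an encrypted record stream into decrypted blobs.

    A length that overruns the remaining data is an error, not a silent truncation:
    with the wrong key the first decoded length is garbage, so this check is also
    the cheapest "is this really the key?" test.
    """
    records, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError(f"truncated length field at offset {pos}")
        (length,) = struct.unpack("<I", xor_bytes(blob[pos:pos + 4], key))  # LE assumed
        pos += 4
        if length > len(blob) - pos:
            raise ValueError(
                f"record at offset {pos - 4} claims {length} bytes but only "
                f"{len(blob) - pos} remain (wrong key or corrupt file?)")
        records.append(xor_bytes(blob[pos:pos + length], key))
        pos += length
    return records


def is_well_formed(blob: bytes, key: bytes = XOR_KEY) -> bool:
    """True when the whole stream parses under the given key."""
    try:
        parse_records(blob, key)
        return True
    except ValueError:
        return False


def build_records(fields: list[bytes], key: bytes = XOR_KEY) -> bytes:
    """Inverse of parse_records; used here only to construct a sample file."""
    out = bytearray()
    for field in fields:
        out += xor_bytes(struct.pack("<I", len(field)), key)
        out += xor_bytes(field, key)
    return bytes(out)


def decode_screenshot(artifact: bytes, key: bytes = XOR_KEY) -> bytes:
    """The implant Base64-encodes the image, then XOR-encrypts it; undo in reverse."""
    try:
        image = base64.b64decode(xor_bytes(artifact, key), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not Base64 after XOR (wrong key or order?): {exc}") from exc
    if not image.startswith((PNG_MAGIC, JPEG_MAGIC)):
        raise ValueError("decoded data has no PNG/JPEG header")
    return image


# Constructed sample: the sample-set-1 strings from this page, packed as records.
SAMPLE_CONFIG = build_records([
    b"flt.bin", b"FLTLIB.dll", b"fltMC.exe",
    rb"C:\Program Files (x86)\Windows Mail\wabmig.exe",
    rb"C:\ProgramData\Microsoft\Network",
    rb"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    b"namefuture[.]site",
])
# Constructed sample: a minimal PNG header, Base64-encoded then XOR-encrypted.
SAMPLE_SHOT = xor_bytes(base64.b64encode(PNG_MAGIC + b"\x00" * 16))


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for i, rec in enumerate(parse_records(data)):
        print(f"[{i}] {rec.decode('utf-8', 'replace')}")   # real samples may use wide strings
    print("screenshot ok:", decode_screenshot(SAMPLE_SHOT).startswith(PNG_MAGIC))
```

Run it with the path of a suspected scr.mui or btasc.cfg to dump the records. A length field that overruns the file is reported rather than silently truncated, which is also the quickest way to tell that the key, or the assumed byte order, is wrong for a given sample.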

C2 Infrastructure — How PwC Tied It Together

JFMBackdoor and its companion samples used four C2 domains: namefuture[.]site, cumm[.]info, en[.]cumm[.]info, and xcent[.]online, all fronted by Cloudflare. PwC pivoted off TLS certificates to peel back the Cloudflare layer and connect the Windows backdoor to the Linux Showboat infrastructure.

```mermaid
flowchart LR
    subgraph JFM["JFMBackdoor (Windows)"]
        D1["namefuture[.]site"]
    end
    subgraph KW["Showboat / kworker (Linux)"]
        D2["newsprojects[.]online"]
    end
    D1 -->|Cloudflare Origin cert| IP1["166.88.11[.]196"]
    D1 -->|DNS| IP2["139.180.223[.]193"]
    IP1 -->|same cert serves| D2
    IP2 -->|same cert serves| D2
    D2 -->|DNS| IP3["64.227.128[.]21"]
    D2 -->|DNS| IP4["23.27.201[.]115"]
    IP4 -->|also resolves| D3["xcent[.]online"]
    OMO["Cert O=My Organization<br/>fp 27df4756...0c677"] -->|hosted on| IP5["195.86.120[.]2"]
    IP5 -->|alongside| AFG["Afghan gov cert +<br/>Afghan telco DC cert"]
```

Two pivots did the heavy lifting:

  • The Cloudflare Origin certificate for namefuture[.]site was served by 166.88.11[.]196 (with an additional DNS resolution to 139.180.223[.]193). Those same IPs also served a Cloudflare certificate for newsprojects[.]online — the C2 of an observed kworker/Showboat sample — directly linking the Windows and Linux sides.
  • A self-signed certificate with subject O=My Organization (fingerprint 27df4756...0c677) was hosted on 195.86.120[.]2, an IP that also hosted a legitimate certificate for an Afghan government entity and a certificate associated with a domain controller belonging to an Afghan telecommunications provider — a strong targeting signal, reinforced by FLTLIB.dll being uploaded to a multi-AV scanner from a submitter in Afghanistan.

IOCs

Authoritative IOCs are published by PwC on GitHub (see References). The list below is reproduced for convenience.

```text
# === SHA-256 — open directory (23.27.201[.]160) ===
systemd-ac-update  a05fbe8734a5a5a994a44dee9d21134ad7108d24ab0749499fe24fc4b36c4cbc
FLTLIB.dll         047307aca3a94a6fc46c4af25580945defb15574fb236d13d2bb48037cc42208
clear              ac50887e2c513b50b2170d77441b9f7e8afcc774df6b54fdd8aac863095239f4
1.bat              a23d126f0446755859e4d81c0c9b50b65e0062c3de2a014c543f6b263321ad78
scr.mui            ea57b5768c84164fcdb25bb8338d660c5586e17e37cee924c4e5a745510925f3
fltMC.exe          cbef2064cf49b4b27dbf7d0c88c8f7bcdd6a7f25ee9c087beacb48cdd1b78731
flt.bin            b77a233735ff237ab964d2bdb3f6d261a90efb2f86dcde458c419cee528686a9

# === SHA-256 — JFMBackdoor payload (in-memory PE) ===
JFMBackdoor        176aec5d33c459a42e7e4e984a718c52e11213ef9a6aa961b483a836fc22b507

# === SHA-256 — additional samples sharing XOR key Zs0@31=KDw.*7ev ===
CiWinCng32.dll     b118f74dc2b974678a50349d04686f6b2df4b287a69e40c4513cd603c7271793   (KZ)
scr.mui            1003bc9e3650fd290e44fd79b270c1b29f572fbb7647fa2bbf1f600d53673b53   (CN)
sllauncherloc.dll  f820e4e4c5d433714842f6d64d1a8773958f782cde8d27f6a54d4f9862598933   (CN)

# === Network — C2 domains ===
namefuture[.]site
cumm[.]info
en[.]cumm[.]info
xcent[.]online
newsprojects[.]online      (kworker/Showboat C2)

# === Network — IPs ===
23.27.201[.]160     (open directory)
23.27.201[.]115     (resolves xcent[.]online)
166.88.11[.]196
139.180.223[.]193
64.227.128[.]21
166.88.99[.]32
66.42.49[.]27
45.76.157[.]243
207.90.205[.]55
193.124.93[.]153
152.32.159[.]11
195.86.120[.]2      (O=My Organization cert host)

# === Host-based ===
Folder    C:\Users\public\jfm   (and \ProgramData, \UnistoreDB subfolders)
File      btasc.cfg             (encrypted config)
File      scr.mui               (encrypted config)
Pattern   fltMC.exe + FLTLIB.dll executed from %TEMP%

# === Crypto ===
XOR key   Zs0@31=KDw.*7ev       (scr.mui / config decryption)

# === TLS certificate fingerprints ===
27df475626aafce2ea1548a9f35efb9ad951298c8b11a6adb3ccdfcd5170c677   (O=My Organization)
5e86298e3a62404ee4b019246d8da7a7451ba8f9c1f956c32ea4a0ff4e43f553   (namefuture[.]site, Cloudflare)
8b0e14e0684e00aee9cbf4fd22b2a5da08443f9a0f9ace4972803e29050bcc69   (newsprojects[.]online, Cloudflare)
```

MITRE ATT&CK Mapping

Analyst mapping derived from PwC's technical description; this is our mapping, not an official PwC Navigator layer.

| Tactic | Technique | ID | Evidence |
|---|---|---|---|
| Execution | PowerShell | T1059.001 | 1.bat runs hidden PowerShell |
| Execution | Windows Command Shell | T1059.003 | Reverse shell via cmd |
| Execution | Service Execution | T1569.002 | sc start, service launch |
| Command & Control | Ingress Tool Transfer | T1105 | Invoke-WebRequest pulls payloads |
| Defense Evasion | DLL Side-Loading | T1574.002 | fltMC.exe side-loads FLTLIB.dll |
| Defense Evasion | Deobfuscate/Decode Files | T1140 | XOR-decrypt scr.mui |
| Defense Evasion | Reflective Code Loading | T1620 | flt.bin loads PE in memory |
| Defense Evasion | Obfuscated Files or Information | T1027 | XOR config, Base64+XOR screenshots |
| Defense Evasion | Indicator Removal: Timestomp | T1070.006 | SetFileTime |
| Defense Evasion | Indicator Removal: File Deletion | T1070.004 | Self-uninstall from disk |
| Defense Evasion | Modify Registry | T1112 | Registry CRUD |
| Defense Evasion | Hide Artifacts | T1564 | Detached-console reverse shell |
| Discovery | Process Discovery | T1057 | Process enumeration |
| Discovery | System Service Discovery | T1007 | Service enumeration |
| Discovery | System Network Connections Discovery | T1049 | TCP/UDP tables |
| Collection | Screen Capture | T1113 | GDI+ screenshot |
| Command & Control | Proxy | T1090 | TCP proxy session |
| Command & Control | Web Protocols | T1071.001 | WS/WSS C2 sessions |

The Bigger Picture — JFMBackdoor vs BPFdoor

JFMBackdoor is best understood as one piece of a broader China-nexus push into global telecoms. The contrast with BPFdoor, the BPF-filter-based Linux implant that Rapid7 attributes to a different group, Red Menshen, is instructive.

JFMBackdoor (and its Showboat companion) is capable but, in Black Lotus Labs' assessment, unexceptional: a full-featured backdoor whose strongest trick on the Linux side is the ability to scan and infect LAN-internal devices that aren't exposed to the public internet. BPFdoor, by contrast, is a living-off-the-land specialist. It runs in user space but attaches a BPF filter to a raw socket, so it opens no listening port and stays dormant while the kernel's packet filter watches traffic for a magic packet; since around November 2025 it was upgraded to look for its trigger only inside HTTPS requests. As Rapid7's Christiaan Beek framed it, the operators are effectively turning defenders' own firewalls into a delivery channel.

The common thread is what should worry telecom and finance defenders most: multi-year dwell times, shared tooling across groups, and a deliberate focus on regions and providers with limited monitoring maturity. Different malware, same playbook.


Expert Opinion

The detail that matters operationally here is not JFMBackdoor's feature list (plenty of backdoors do reverse shells and screenshots) but how it gets in. A signed, legitimate fltMC.exe side-loading a malicious FLTLIB.dll from %TEMP% defeats naive signature-based and allow-by-publisher controls, because the process that executes is genuinely Microsoft-signed. Publisher-only allowlisting is the weak spot; a path-aware rule would already object, since fltMC.exe and FLTLIB.dll belong in System32 and have no business running from a user-writable temp directory. This is precisely the class of activity that passive, signature-driven monitoring misses and that behavioral threat hunting catches: the anomaly isn't the binary, it's the pairing, a system utility loading a DLL from a user-writable temp path, then spawning network sessions to a Cloudflare-fronted domain.
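One way to operationalise that pairing rule, as an added example rather than PwC's or Microsoft's detection content: a triage pass over Sysmon Event ID 7 (ImageLoaded) records exported as NDJSON. The Sysmon field names (Image, ImageLoaded, Signed, Signature) are real; the baseline sets of system binaries and DLLs, and the four sample events, are constructed for this example, and in production the baselines should be generated from a reference image rather than typed in.

```python
"""Added example (not PwC's or Microsoft's code): flag DLL side-loading candidates in
Sysmon Event ID 7 (ImageLoaded) records exported as NDJSON.

Field names follow Sysmon's schema; the baseline sets and the sample events are
constructed. The rules encode the page's point: the anomaly is the pairing, a system
binary or a system-named DLL living outside the system directories, not the binary itself.
"""
import json
import ntpath
import sys

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")

# Baselines: on a gold image these names exist only under the system directories.
# Generate them from a reference build in production; the entries here are assumptions.
SYSTEM_EXE_BASELINE = {"fltmc.exe", "msdt.exe"}
SYSTEM_DLL_BASELINE = {"fltlib.dll", "version.dll", "dbghelp.dll"}
JFM_ARTIFACT = "\\users\\public\\jfm\\"          # host artifact named on this page


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def in_user_writable(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)


def classify(event: dict) -> list[str]:
    """Return the reasons an ImageLoaded event looks like side-loading (empty = benign)."""
    host, dll = event["Image"], event["ImageLoaded"]
    host_name, dll_name = ntpath.basename(host).lower(), ntpath.basename(dll).lower()
    # Sysmon's Signed/Signature describe the loaded image, not the host process.
    ms_signed = (event.get("Signed", "false").lower() == "true"
                 and "microsoft" in event.get("Signature", "").lower())
    reasons = []
    if host_name in SYSTEM_EXE_BASELINE and in_user_writable(host):
        reasons.append(f"system binary {host_name} running from {ntpath.dirname(host)}")
    if dll_name in SYSTEM_DLL_BASELINE and not in_system_dir(dll):
        reasons.append(f"system DLL name {dll_name} loaded from {ntpath.dirname(dll)}")
    if dll_name in SYSTEM_DLL_BASELINE and not ms_signed:
        reasons.append(f"{dll_name} is not Microsoft-signed")
    if JFM_ARTIFACT in host.lower() or JFM_ARTIFACT in dll.lower():
        reasons.append("path under C:\\Users\\public\\jfm (JFMBackdoor artifact)")
    return reasons


def scan(ndjson: str) -> list[tuple[int, list[str]]]:
    """(line number, reasons) for every event that fires at least one rule."""
    hits = []
    for lineno, line in enumerate(ndjson.splitlines(), 1):
        if line.strip():
            reasons = classify(json.loads(line))
            if reasons:
                hits.append((lineno, reasons))
    return hits


# Constructed sample events: 1 benign; 2 the chain on this page; 3 a DLL planted next to a
# system host that stayed in place; 4 a load from the jfm artifact folder (DLL name invented).
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"Image": r"C:\Windows\System32\fltMC.exe", "ImageLoaded": r"C:\Windows\System32\FLTLIB.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\fltMC.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\FLTLIB.dll", "Signed": "false", "Signature": "-"},
    {"Image": r"C:\Windows\SysWOW64\msdt.exe",
     "ImageLoaded": r"C:\ProgramData\Microsoft\Network\version.dll", "Signed": "false", "Signature": "-"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Users\Public\jfm\ProgramData\update.dll", "Signed": "false", "Signature": "-"},
])

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_EVENTS
    for lineno, reasons in scan(text):
        print(f"line {lineno}: " + "; ".join(reasons))
```

Sample event 3 fires even though the host process is in the right place, which is the case a hunt keyed only on the host binary's path would miss: there the DLL, not the host, is what moved. Trailing backslashes in the directory prefixes are deliberate, so that a sibling directory such as System32Evil does not pass as a system directory.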

For SOC teams in Vietnam, the relevance is direct rather than abstract. Red Lamassu's confirmed targeting already spans Southeast Asia (Thailand) and South Asia (India), and telecom and financial-sector enterprises here run exactly the mixed Windows/Linux estates this actor is built to operate across. The C2 being hidden behind Cloudflare is the practical sting: if your egress monitoring only flags "known-bad" IPs, this traffic looks like ordinary HTTPS to a CDN. Detection has to move up the stack — to certificate analysis, JA3/JA4 fingerprinting, and beaconing behavior — not stay at the IP-reputation layer.

The strategic read: this is patient, regional, infrastructure-focused espionage, not smash-and-grab. The right defensive posture is proactive hunting and assuming long dwell, not waiting for an alert to fire.


Recommendations

Immediate (0–24h)

  • Hunt for the host artifact C:\Users\public\jfm (and \ProgramData, \UnistoreDB subfolders) and the config files btasc.cfg / scr.mui.

  • Hunt for fltMC.exe and FLTLIB.dll executing from %TEMP% or any user-writable path. Both files legitimately live only in System32/SysWOW64, so the pair anywhere else is the signal. Example KQL starting point for Defender for Endpoint; it keys off the image-load event itself rather than joining the process and image-load tables on DeviceId alone, which would pair unrelated events from the same host:

```kql
DeviceImageLoadEvents
| where Timestamp > ago(30d)
| where FileName =~ "FLTLIB.dll"
| where InitiatingProcessFileName =~ "fltMC.exe"
// either the DLL or the loading process sits outside the system directories
| where not(FolderPath has_any (@"\Windows\System32\", @"\Windows\SysWOW64\"))
    or not(InitiatingProcessFolderPath has_any (@"\Windows\System32\", @"\Windows\SysWOW64\"))
| project Timestamp, DeviceName, InitiatingProcessAccountName,
          InitiatingProcessFolderPath, FolderPath, SHA256, InitiatingProcessCommandLine
```
    
  • Block/alert on the C2 domains and IPs in the IOC list at egress and DNS.

Short-term (1–7 days)

  • Deploy detections for DLL side-loading patterns generally — a legitimate signed binary loading a DLL from a non-standard, user-writable directory — not just these specific filenames.

  • Add certificate-based hunting: the O=My Organization self-signed cert fingerprint, and beaconing to Cloudflare-fronted domains with low corporate history. Layer in JA3/JA4 where available.

  • Sweep for timestomping (SetFileTime anomalies) and for in-memory reflectively-loaded PEs on telecom-facing and high-value hosts.

Long-term

  • Shift from passive, signature-based monitoring toward proactive threat hunting, assuming multi-year dwell for this class of actor.

  • Treat outbound HTTPS to CDN-fronted infrastructure as a first-class detection surface (beacon analysis, cert intelligence), not a trusted lane.

  • For telecom/critical-infrastructure operators, segment and monitor internal, non-internet-facing LAN segments — the Linux companion's LAN scan-and-infect capability specifically targets the network behind the perimeter.


References

  1. PwC — Inside Red Lamassu's JFMBackdoor
  2. PwC — IOCs (GitHub)
  3. Lumen Black Lotus Labs — Introducing Showboat
  4. Dark Reading — Chinese APTs Share Linux Backdoor in Telco Attacks
  5. Dark Reading — China Upgrades the Backdoor (BPFdoor / Red Menshen — comparison)
  6. The Hacker News — Showboat Linux Malware Hits Middle East Telecom
