Calypso

Calypso is a China-linked threat group, also tracked as Red Lamassu, associated with cyber-espionage activity. Reporting in the provided content links Calypso to exploitation of Microsoft Exchange ProxyLogon vulnerabilities in 2021 and to a later campaign targeting telecommunications providers across the Asia Pacific region and parts of the Middle East since at least mid-2022. In the Exchange activity, ESET reported that Calypso compromised email servers of governmental entities in the Middle East and South America, then targeted additional servers belonging to governmental entities and private companies in Africa, Asia, and Europe. The content states Calypso likely had access to the Exchange exploit as a zero-day. ESET also reported Calypso used two web shells and two backdoors and installed Mimikatz tooling to steal credentials. The telecom-focused espionage campaign attributed to Calypso/Red Lamassu used telecom-themed domains to impersonate targets. On Linux, the group deployed Showboat (also referred to as kworker), a modular post-exploitation framework used for persistence, host reconnaissance, file upload/download, process hiding, service creation, SOCKS5 proxying, port forwarding, and retrieving code from external dead-drop sites. On Windows, the group used a batch-script-driven DLL sideloading chain involving fltMC.exe and FLTLIB.dll to load JFMBackdoor, a full-featured espionage implant supporting reverse shell access, file and process management, service control, registry modification, screenshot capture, TCP proxying, encrypted configuration handling, self-removal, and anti-forensics. The content also states that Win.NOODLERAT Type 0x132A was used only by Calypso APT, suggesting an exclusive variant for this actor.