An email server controlled by the Afghan telecommunication company Roshan was targeted by a Chinese threat actor since at least early 2021. Calypso’s data exfiltration activity spiked in August and September 2021, coinciding with the United States military’s withdrawal from Afghanistan.