Cybersecurity researchers have disclosed details of a newly identified Linux malware strain known as Showboat, which has reportedly been used in an extended cyber campaign targeting a telecommunications provider in the Middle East since at least mid-2022. According to findings shared by Lumen Technologies’ Black Lotus Labs, the malware operates as a modular post-exploitation framework designed specifically for Linux systems, with capabilities that include spawning remote shells, transferring files, and functioning as a SOCKS5 proxy. Security analysts believe the malware was likely deployed by one or more China-affiliated threat activity clusters, based on observed links between command-and-control infrastructure and IP addresses geolocated to Chengdu, the capital of China’s Sichuan province.
Researchers noted that Showboat shares operational similarities with previously identified cyber activity associated with Calypso, also tracked under the names Bronze Medley and Red Lamassu. The threat group has reportedly remained active since at least 2016 and has previously targeted institutions across Brazil, India, Kazakhstan, Russia, Thailand, and Turkey. Public documentation of the group first emerged in 2019 through Positive Technologies. Calypso has been linked to the use of malware frameworks such as PlugX, alongside backdoors including WhiteBird and BYEBY. Security researchers have also connected BYEBY to a broader cluster identified by ESET as Mikroceen, while another related cluster, SixLittleMonkeys, has shown tactical overlaps with a China-linked operation known as Webworm. Cybersecurity experts say Showboat now joins a category of malware frameworks such as PlugX, ShadowPad, and NosyDoor, which have reportedly been used across multiple China-nexus threat groups, reinforcing the concept of shared tooling and operational resource pooling among state-aligned cyber actors.
The investigation into Showboat reportedly began after an ELF binary was uploaded to VirusTotal in May 2025, where it was classified as a sophisticated Linux backdoor with rootkit-like functionality. Kaspersky has tracked the same malware artifact under the name EvaRAT. Although researchers have not yet identified the exact method used to initially compromise systems, previous activity attributed to Calypso suggests exploitation through ASPX web shells following software vulnerabilities or compromised default remote access credentials. The group was also among the earliest China-aligned actors known to exploit CVE-2021-26855, a Microsoft Exchange Server vulnerability linked to the ProxyLogon exploit chain. Technical analysis revealed that Showboat communicates with command-and-control servers to collect system information and transmit it back through PNG fields as encrypted and Base64-encoded strings. The malware can also upload and download files, conceal its presence from process lists, manage multiple command servers, and retrieve code snippets hosted on Pastebin to avoid detection on compromised systems.
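The report says exfiltrated data travels inside PNG fields as Base64 strings but does not name the fields. The triage script below is an added example, not code from Black Lotus Labs: it walks a PNG's chunk list and flags non-standard chunk types, tEXt chunks that hold long Base64 runs, and bytes appended after IEND, which are the three places such a carrier would have to put its payload. The sample PNG and its payload are constructed inline; the choice of the tEXt chunk and the 32-character threshold are assumptions.

```python
import base64
import re
import struct
import zlib

# Chunk types a normal PNG encoder emits; anything else deserves a look.
STANDARD_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt",
                   b"tRNS", b"gAMA", b"cHRM", b"sRGB", b"iCCP", b"bKGD", b"pHYs",
                   b"sBIT", b"sPLT", b"hIST", b"tIME"}
# Assumed threshold: a Base64 run this long is rarely a real image comment.
B64_RE = re.compile(rb"^[A-Za-z0-9+/]{32,}={0,2}$")

def png_chunk(ctype, data):
    """Build one PNG chunk (length, type, data, CRC) for the constructed sample."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def build_sample_png(payload):
    """Constructed sample: a 1x1 grayscale PNG with the payload Base64-encoded in a tEXt chunk."""
    ihdr = png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    idat = png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))  # filter byte + one pixel
    text = png_chunk(b"tEXt", b"Comment\x00" + base64.b64encode(payload))
    return b"\x89PNG\r\n\x1a\n" + ihdr + text + idat + png_chunk(b"IEND", b"")

def scan_png(blob):
    """Walk the chunk list and return a list of triage findings (empty means nothing odd)."""
    findings = []
    if not blob.startswith(b"\x89PNG\r\n\x1a\n"):
        return ["not a PNG"]
    pos = 8
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        if ctype not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {ctype!r} ({length} bytes)")
        if ctype == b"tEXt":
            keyword, _, value = data.partition(b"\x00")
            if B64_RE.match(value):
                findings.append(f"tEXt {keyword.decode()} holds {len(value)}-char base64 string")
        pos += 12 + length
        if ctype == b"IEND":
            if pos < len(blob):
                findings.append(f"{len(blob) - pos} bytes appended after IEND")
            break
    return findings
```

Run it over images pulled from proxy logs or a packet capture; a hit is a reason to look at the beaconing host, not proof of infection on its own.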
Researchers believe Showboat’s ability to scan nearby devices and establish connections through SOCKS5 proxying suggests its main purpose is to create a foothold within targeted networks and allow access to machines not directly exposed to the internet. Black Lotus Labs identified two confirmed victims, including an Afghanistan-based internet service provider and an unidentified entity in Azerbaijan. Separate infrastructure analysis using similar X.509 certificates also pointed to possible compromises affecting two organizations in the United States and one in Ukraine. Security experts additionally reported the deployment of a Windows-based implant called JFMBackdoor during the Afghanistan telecommunications campaign. Delivered through DLL side-loading, the malware reportedly supports remote shell execution, file manipulation, screenshot capture, proxy networking, and self-removal. According to coordinated analysis by PricewaterhouseCoopers, the focus on Afghanistan’s telecommunications sector aligns closely with broader objectives associated with Red Lamassu’s cyber operations.