Cybersecurity researchers have disclosed details of a new Linux malware, dubbed Showboat, used in a campaign targeting a telecommunications provider in the Middle East since at least mid-2022. The findings come from Lumen Technologies' Black Lotus Labs, which describes Showboat as a modular post-exploitation framework designed for Linux systems, capable of spawning a remote shell, transferring files, and functioning as a SOCKS5 proxy.

The malware is assessed to have been deployed by at least one, and possibly more, threat activity clusters affiliated with China. Correlations have been identified between command-and-control (C2) nodes and IP addresses geolocated to Chengdu, China. One known threat actor is Calypso (also known as Bronze Medley and Red Lamassu), active since at least September 2016, targeting state institutions in Brazil, India, Kazakhstan, Russia, Thailand, and Turkey.

Calypso's arsenal includes PlugX and backdoors like WhiteBird and BYEBY, the latter part of a broader cluster tracked by ESET as Mikroceen, attributed to a group called SixLittleMonkeys, which shares tactical overlaps with another China-linked group known as Webworm. Showboat thus joins other shared frameworks like PlugX, ShadowPad, and NosyDoor used by multiple China-nexus groups, suggesting a digital quartermaster supplying tooling to state-sponsored threat actors.

The investigation began with an ELF binary uploaded to VirusTotal in May 2025, classified by Kaspersky as EvaRAT, a sophisticated Linux backdoor with rootkit-like capabilities. The exact initial access vector is unknown, but Calypso has previously used ASPX web shells after exploiting flaws or gaining access via default remote access accounts. The group was also among the first to weaponize CVE-2021-26855 (ProxyLogon) against Microsoft Exchange Server.

Once running, Showboat contacts a C2 server, gathers system information, and transmits it back in a PNG field as an encrypted Base64 string. It can upload and download files, hide itself from process listings, and manage its C2 servers. It also retrieves code from a Pastebin paste created on January 11, 2022, as a way of concealing its infrastructure. The malware can additionally scan for other devices on the network and reach them through its built-in SOCKS5 proxy, giving the operators a foothold from which to interact with machines that are not publicly exposed.
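The SOCKS5 proxying described above has a distinctive wire signature (RFC 1928), which is useful for a defender looking for an internal Linux host that has suddenly started relaying connections. The following decoder is an added example, not code from Black Lotus Labs or from the Showboat sample; it parses SOCKS5 client greetings and CONNECT/BIND requests and flags flows whose destination is a private address (a pivot into the LAN). The sample flows and addresses are constructed for the example.

```python
"""Decode SOCKS5 handshake messages (RFC 1928) from captured TCP payloads.

Added example, not code from Black Lotus Labs or the Showboat sample.
The SAMPLE_FLOWS below are constructed, not real traffic.
"""
import ipaddress
import struct

SOCKS_VERSION = 5
CMD_NAMES = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4


def parse_client_greeting(data: bytes):
    """Return the auth methods offered (VER NMETHODS METHODS...), or None."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    n = data[1]
    if n == 0 or len(data) != 2 + n:
        return None
    return list(data[2:2 + n])


def parse_request(data: bytes):
    """Decode VER CMD RSV ATYP DST.ADDR DST.PORT; None if not a SOCKS5 request."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0:
        return None
    cmd, atyp = data[1], data[3]
    if cmd not in CMD_NAMES:
        return None
    if atyp == ATYP_IPV4:
        addr_end = 8
        if len(data) < addr_end + 2:
            return None
        host = str(ipaddress.IPv4Address(data[4:8]))
    elif atyp == ATYP_DOMAIN:
        if len(data) < 5:
            return None
        addr_end = 5 + data[4]          # one length byte, then the name
        if len(data) < addr_end + 2:
            return None
        host = data[5:addr_end].decode("ascii", errors="replace")
    elif atyp == ATYP_IPV6:
        addr_end = 20
        if len(data) < addr_end + 2:
            return None
        host = str(ipaddress.IPv6Address(data[4:20]))
    else:
        return None
    (port,) = struct.unpack("!H", data[addr_end:addr_end + 2])
    return {"cmd": CMD_NAMES[cmd], "host": host, "port": port}


def is_internal(host: str) -> bool:
    """True for RFC 1918 / loopback / link-local targets; False for names (unresolved)."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def analyse_flows(flows):
    """flows: (src, dst, first_client_payload, second_client_payload).

    A flow is reported when the first payload is a SOCKS5 greeting and the
    second is a well-formed request: `dst` is then acting as a SOCKS5 proxy.
    """
    findings = []
    for src, dst, greeting, request in flows:
        if parse_client_greeting(greeting) is None:
            continue
        req = parse_request(request)
        if req is None:
            continue
        findings.append({"proxy": dst, "client": src, **req,
                         "internal_target": is_internal(req["host"])})
    return findings


# Constructed sample: an external operator uses an internal host as a proxy
# to reach SSH on another internal machine; the second flow is plain HTTP.
SAMPLE_FLOWS = [
    ("203.0.113.10", "10.1.1.20", b"\x05\x01\x00",
     b"\x05\x01\x00\x01\x0a\x00\x00\x05\x00\x16"),       # CONNECT 10.0.0.5:22
    ("203.0.113.11", "10.1.1.20", b"GET / HTTP/1.1\r\n", b""),
]

if __name__ == "__main__":
    for f in analyse_flows(SAMPLE_FLOWS):
        print(f)
```

In practice the two client payloads come from the first two client-to-server segments of each TCP flow (from a Zeek or pcap extraction); an internal host answering greetings with `\x05\x00` and then forwarding CONNECTs to private addresses, with no legitimate proxy role, is the behaviour to hunt for.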

Infrastructure analysis revealed two victims: an Afghanistan-based internet service provider (ISP) and an unknown entity in Azerbaijan. A secondary C2 cluster using similar X.509 certificates pointed to possible compromises in the US and Ukraine. Black Lotus Labs notes that while some threat actors rely on stealthy native tools, others deploy persistent malware such as Showboat, and its presence should be treated as an early warning of broader compromise across the network.

In the campaign targeting the Afghanistan telecom, Calypso also deployed a Windows implant called JFMBackdoor via DLL side-loading. The attack chain uses a batch script to launch a legitimate executable that loads the rogue DLL. JFMBackdoor supports remote shell access, file operations, network proxying, screenshot capture, and self-removal. PricewaterhouseCoopers (PwC) noted that the targeting aligns with Red Lamassu's operational goals.
