Cybersecurity researchers have disclosed details of a new Linux malware dubbed Showboat that has been put to use in a campaign targeting a telecommunications provider in the Middle East since at least mid-2022.
“Showboat is a modular post-exploitation framework designed for Linux systems, capable of spawning a remote shell, transferring files, and functioning as a SOCKS5 proxy,” Lumen Technologies Black Lotus Labs said in a report shared with The Hacker News.
It’s assessed that the malware has been employed by at least one, and possibly more, threat activity clusters affiliated with China, with correlations identified between command-and-control (C2) nodes and IP addresses geolocated to Chengdu, the capital city of the Chinese province of Sichuan.
One such threat actor is Calypso (aka Bronze Medley and Red Lamassu), which is known to be active since at least September 2016, targeting state institutions in Brazil, India, Kazakhstan, Russia, Thailand, and Turkey. It was first publicly documented by Positive Technologies in October 2019.
Some of the key tools in its arsenal include PlugX and backdoors like WhiteBird and BYEBY, the latter of which is part of a broader cluster tracked by ESET under the moniker Mikroceen. The use of Mikroceen has been attributed to a closer known as SixLittleMonkeys, which, in turn, shares tactical overlaps with another China-linked group referred to as Webworm.
This puts Showboat along with other shared frameworks like PlugX, ShadowPad, and NosyDoor that have been used by multiple China-nexus groups. This “resource pooling” reinforces the presence of a digital quartermaster that state-sponsored threat actors from China have relied on to supply them with necessary tooling.
The starting point of the investigation was an ELF binary that was uploaded to VirusTotal in May 2025, with the malware scanning platform classifying it as a sophisticated Linux backdoor with rootkit-like capabilities. Kaspersky is tracking the artifact as EvaRAT.
Black Lotus Labs security researcher Danny Adamitis told The Hacker News that the exact initial access vector used to deliver the malware is currently unknown. However, in the past, Calypso has been observed leveraging an ASPX web shell after exploiting a flaw or breaking into a default account used for remote access.
The adversary was also among the earliest China-aligned groups to weaponize CVE-2021-26855, a security vulnerability in Microsoft Exchange Server that serves as the first step in an exploit chain called ProxyLogon.
The malware is designed to contact a C2 server, gather system information, and transmit the information back to the server in a PNG field as an encrypted and Base64-encoded string. It’s also equipped to upload and download files to and from the host machine, conceal its presence from the process list, and manage C2 servers.
To hide itself on the host machine, Showboat retrieves a code snippet hosted on Pastebin. The paste was created on January 11, 2022. Furthermore, the malware can scan for other devices and connect to them via the SOCKS5 proxy. This suggests that the primary purpose of Showboat is to establish a foothold on compromised systems.
“This would allow the attackers to interact with machines that are not exposed publicly to the internet and only accessible via the LAN,” Black Lotus Labs said.
Further infrastructure analysis has uncovered two victims: an Afghanistan-based internet service provider (ISP) and another unknown entity located in Azerbaijan. A secondary C2 cluster using similar X.509 certificates as the original C2 server has uncovered two possible compromises in the U.S. and one in Ukraine.
“While some threat actors are increasingly using stealthy, native system tools to evade detection, others still deploy persistent malware implants,” Adamitis said. “The presence of such threats should be taken as an early warning sign, indicating the potential for broader and more serious security issues within affected networks.”
Also put to use by Calypso in the campaign targeting the telecommunications provider in Afghanistan is a fully featured Windows implant codenamed JFMBackdoor that’s delivered via DLL side-loading.
The attack chain involves a batch script that’s used to launch a legitimate executable that then loads the rogue DLL. JFMBackdoor supports a wide range of capabilities, including remote shell access, file operations, network proxying, screenshot capture, and self-removal.
“The targeting of Afghanistan and its telecommunications sector aligns with what we assess to almost certainly be Red Lamassu’s wider operational goals and objectives,” PricewaterhouseCoopers (PwC) said in a coordinated report.
