Cybersecurity experts have revealed details about a new Linux-based malware called Showboat, which has been actively used in attacks against a Middle Eastern telecom company since at least mid-2022.
According to a report from Lumen Technologies’ Black Lotus Labs, shared with The Hacker News, Showboat is a flexible post-exploitation tool built for Linux environments. It can create remote shells, move files between systems, and act as a SOCKS5 proxy for network traffic.
Researchers believe the malware has been used by one or more threat groups linked to China. Connections were found between the command-and-control (C2) servers and IP addresses traced to Chengdu, the capital of China’s Sichuan province.
One identified group is Calypso (also known as Bronze Medley and Red Lamassu), which has been operating since at least September 2016. This group has targeted government organizations in Brazil, India, Kazakhstan, Russia, Thailand, and Turkey. Positive Technologies first publicly reported on Calypso in October 2019.
Calypso’s toolkit includes PlugX and backdoors such as WhiteBird and BYEBY. BYEBY belongs to a larger set of tools tracked by ESET as Mikroceen, which has been linked to an actor called SixLittleMonkeys. This actor shares techniques with another China-associated group known as Webworm.
Showboat joins other shared tools like PlugX, ShadowPad, and NosyDoor that multiple China-connected groups have used. This “resource sharing” supports the idea of a central supply of tooling that Chinese state-sponsored hackers draw on for their operations.
The investigation began with an ELF binary uploaded to VirusTotal in May 2025. The malware scanning service identified it as an advanced Linux backdoor with rootkit-like features. Kaspersky tracks this malware as EvaRAT.
Black Lotus Labs researcher Danny Adamitis told The Hacker News that the exact method used to initially deploy the malware remains unknown. However, Calypso has previously been seen using an ASPX web shell after exploiting vulnerabilities or accessing default remote access accounts.

The group was also among the first China-linked actors to exploit CVE-2021-26855, a Microsoft Exchange Server vulnerability that serves as the entry point for the ProxyLogon attack chain.
Showboat is designed to connect to a C2 server, collect system details, and send this data back as an encrypted, Base64-encoded string hidden within a PNG file. It can also upload and download files, hide itself from process listings, and manage multiple C2 servers.
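The report says only that the collected system details travel back to the C2 server as an encrypted, Base64-encoded string "hidden within a PNG file"; it does not say where in the file the string sits. The following is an added example, not Black Lotus Labs' code or a Showboat artifact, showing the two places a defender would check first when triaging PNGs from a suspect host or proxy log: bytes appended after the IEND chunk, and ancillary chunks (tEXt, zTXt, iTXt or unknown types) carrying a long Base64 run. The sample PNGs, the hypothetical beacon payload and the 32-character run threshold are all constructed here for illustration.

```python
import base64
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}
# A run of Base64 characters long enough to be more than a keyword or label.
# The 32-character threshold is an assumption, not a value from the report.
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{32,}={0,2}")


def build_chunk(ctype: bytes, payload: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, payload, CRC32 over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """A constructed, valid 1x1 grayscale PNG used as the clean baseline."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit, grayscale
    idat = zlib.compress(b"\x00\x00")                  # filter byte + one pixel
    return (PNG_SIGNATURE + build_chunk(b"IHDR", ihdr)
            + build_chunk(b"IDAT", idat) + build_chunk(b"IEND", b""))


def png_with_text_chunk(text: bytes) -> bytes:
    """Constructed sample: the clean PNG with a tEXt chunk inserted before IEND."""
    clean = minimal_png()
    iend = build_chunk(b"IEND", b"")
    return clean[:-len(iend)] + build_chunk(b"tEXt", b"Comment\x00" + text) + iend


def parse_chunks(data: bytes):
    """Walk the chunk list; return (chunks, offset just past IEND).

    Each chunk is (type, payload, crc_ok). Stops at IEND or at a truncated chunk.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    chunks = []
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        start = pos + 8
        payload = data[start:start + length]
        stored = data[start + length:start + length + 4]
        if len(payload) != length or len(stored) != 4:
            chunks.append((ctype, payload, False))  # truncated chunk
            return chunks, len(data)
        crc_ok = struct.unpack(">I", stored)[0] == (zlib.crc32(ctype + payload) & 0xFFFFFFFF)
        chunks.append((ctype, payload, crc_ok))
        pos = start + length + 4
        if ctype == b"IEND":
            break
    return chunks, pos


def looks_like_base64_blob(payload: bytes) -> bool:
    """True if the payload holds a long run that actually decodes as Base64."""
    match = BASE64_RUN.search(payload)
    if not match:
        return False
    try:
        base64.b64decode(match.group(0), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True


def scan_png(data: bytes) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    chunks, end = parse_chunks(data)
    for ctype, payload, crc_ok in chunks:
        name = ctype.decode("latin-1")
        if not crc_ok:
            findings.append(f"bad CRC on chunk {name}")
        ancillary = bool(ctype[0] & 0x20)  # lowercase first letter = ancillary chunk
        if (ctype in TEXT_CHUNKS or ancillary) and looks_like_base64_blob(payload):
            findings.append(f"base64 blob in {name} chunk ({len(payload)} bytes)")
    trailing = data[end:]
    if trailing:
        kind = "base64" if looks_like_base64_blob(trailing) else "opaque"
        findings.append(f"{len(trailing)} {kind} bytes after IEND")
    return findings


# Constructed stand-in for an encoded beacon; not Showboat's real format.
CONSTRUCTED_PAYLOAD = base64.b64encode(b"hostname=srv01;uid=0;" + bytes(range(32)))

if __name__ == "__main__":
    for label, sample in (("clean", minimal_png()),
                          ("appended", minimal_png() + CONSTRUCTED_PAYLOAD),
                          ("tEXt", png_with_text_chunk(CONSTRUCTED_PAYLOAD))):
        print(label, scan_png(sample) or "no findings")
```

Neither check proves exfiltration on its own: legitimate tools append metadata to images, and text chunks often hold long strings such as XMP. The value is in volume and pairing, for example flagging repeated small PNG uploads to the same external host where every file carries a different Base64 run after IEND.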
To avoid detection, Showboat downloads a code snippet from Pastebin. This paste was created on January 11, 2022. Additionally, the malware can scan for other devices and connect to them through the SOCKS5 proxy, suggesting its main purpose is to establish a persistent presence on compromised systems.
“This would enable attackers to access machines that aren’t publicly reachable online and are only available through the local network,” Black Lotus Labs explained.
Further analysis of the infrastructure revealed two victims: an internet service provider (ISP) based in Afghanistan and another unidentified target in Azerbaijan. A secondary C2 cluster whose X.509 certificates resembled those of the original server pointed to two potential compromises in the U.S. and one in Ukraine.
“While some threat actors are increasingly using built-in system tools to avoid detection, others continue to deploy persistent malware implants,” Adamitis noted. “The presence of such threats should serve as an early warning, signaling the possibility of broader and more severe security problems within affected networks.”
Calypso also used a fully featured Windows implant called JFMBackdoor in the campaign against the Afghan telecommunications provider. This malware is delivered through DLL side-loading.
The attack process involves a batch script that launches a legitimate executable, which then loads the malicious DLL. JFMBackdoor offers extensive capabilities, including remote shell access, file management, network proxying, screenshot capture, and self-deletion.
“The focus on Afghanistan and its telecommunications sector aligns with what we assess to almost certainly be Red Lamassu’s broader operational goals and objectives,” PricewaterhouseCoopers (PwC) stated in a coordinated report.