Cybersecurity researchers have uncovered a sophisticated new Linux malware strain called Showboat, which has reportedly been used in attacks against a telecommunications provider in the Middle East since at least mid-2022.
According to a recent report from Black Lotus Labs, the malware operates as a modular post-exploitation framework for Linux systems. Once deployed, it can open remote shells, transfer files, and even function as a SOCKS5 proxy to help attackers move laterally across compromised networks.
Researchers believe the malware is connected to one or more China-linked threat groups. Investigators identified command-and-control (C2) infrastructure tied to IP addresses located in Chengdu, the capital of China’s Sichuan province, strengthening suspicions of Chinese state-sponsored involvement.
Possible Links to Calypso Threat Group
One of the threat actors believed to be associated with the campaign is Calypso, also known as Bronze Medley and Red Lamassu. The group has been active since at least 2016 and has previously targeted government organizations and institutions across Brazil, India, Kazakhstan, Russia, Thailand, and Turkey.
Calypso is known for using malware families such as PlugX, along with custom backdoors including WhiteBird and BYEBY. Security researchers have also connected the group to broader Chinese cyber-espionage ecosystems involving clusters like Mikroceen, SixLittleMonkeys, and Webworm.
Experts say Showboat joins a growing list of malware frameworks — including ShadowPad, NosyDoor, and PlugX — that are shared among multiple China-aligned threat groups. This pattern suggests the existence of a centralized “digital quartermaster” supplying offensive cyber tools to various state-backed operations.
Malware First Detected on VirusTotal
The investigation reportedly began after researchers discovered an ELF binary uploaded to VirusTotal in May 2025. The sample was classified as a highly advanced Linux backdoor with rootkit-like behavior. Kaspersky has since tracked the malware under the name EvaRAT.
At this stage, the exact initial infection method remains unknown. However, researchers noted that Calypso has historically gained access through exploited vulnerabilities, compromised remote-access accounts, or ASPX web shells.
The group was also among the first China-linked actors to exploit the infamous ProxyLogon attack chain targeting Microsoft Exchange Server vulnerabilities, including CVE-2021-26855.
How Showboat Works
Once installed, Showboat connects to a remote C2 server and collects detailed system information from the infected device. The data is then encrypted, Base64-encoded, and hidden inside PNG image fields before being transmitted back to the attackers.
The malware also supports:
- Uploading and downloading files
- Hiding malicious processes from system process lists
- Managing multiple C2 servers
- Scanning local networks for additional devices
- Acting as a SOCKS5 proxy for internal network access
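Hiding processes from the process list is the capability in that list a defender can test for directly. As an added example (mine, not from the article or the researchers), the check below compares two views of the kernel's process table: what directory enumeration of /proc returns, which is what ps and top rely on and what a readdir-filtering rootkit tampers with, against direct path lookups of /proc/<pid>/status for every possible PID. It handles the common false positive, thread IDs, which also have unlisted /proc/<tid> entries, by accepting only thread-group leaders, and it runs two passes so short-lived processes that appear between the views are not reported. The fake views in the test are constructed.

```python
import os

# Added example: cross-view hidden-process check for Linux. Assumes a rootkit that
# filters readdir() on /proc but cannot hide a direct lookup of /proc/<pid>/status.


def listed_pids_from_proc(proc="/proc"):
    """PIDs visible through directory enumeration, the view ps and top use."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def proc_pid_is_process(pid, proc="/proc"):
    """Direct path lookup, no enumeration. True only for a thread-group leader:
    threads have /proc/<tid> entries that are never listed, so Tgid != Pid
    must not be mistaken for a hidden process."""
    try:
        with open(f"{proc}/{pid}/status") as status:
            for line in status:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        return False
    return False


def find_hidden_pids(list_pids, probe, max_pid, passes=2):
    """PIDs the direct probe confirms but enumeration omits, in every pass.
    Views are injected so the logic can be tested without a rootkit present."""
    hidden = None
    for _ in range(passes):
        listed = list_pids()
        found = {pid for pid in range(1, max_pid + 1)
                 if pid not in listed and probe(pid)}
        hidden = found if hidden is None else hidden & found
    return sorted(hidden)


def read_pid_max(path="/proc/sys/kernel/pid_max"):
    try:
        with open(path) as f:
            return int(f.read())
    except (OSError, ValueError):
        return 32768          # conservative default if pid_max cannot be read


if __name__ == "__main__":
    hidden = find_hidden_pids(listed_pids_from_proc, proc_pid_is_process, read_pid_max())
    print("hidden PIDs:", hidden or "none")
```

On a modern kernel pid_max may be 4194304, so a full sweep takes a while in Python; scope it to a lower bound on a busy host, or run it from a cron job on the Linux servers that the article notes are often less monitored. A kernel-module rootkit that hooks the path lookup as well will defeat this userland check, so a hit is strong evidence but a clean result is not proof.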
To avoid detection, Showboat retrieves obfuscation-related code snippets hosted on Pastebin. Researchers found that one of these Pastebin entries was originally created in January 2022.
Security analysts believe the malware’s primary objective is to establish persistent access within targeted environments and enable attackers to pivot deeper into internal networks that are not directly accessible from the public internet.
Additional Victims Identified
Infrastructure analysis uncovered possible victims including an internet service provider in Afghanistan and another unidentified organization in Azerbaijan. Investigators also identified a secondary C2 cluster that may be linked to compromises in the United States and Ukraine.
Black Lotus Labs researcher Danny Adamitis warned that the presence of malware implants like Showboat could indicate deeper security breaches inside affected organizations.
Windows Malware Also Used in the Campaign
Researchers additionally discovered that the attackers deployed a Windows-based implant known as JFMBackdoor during the same campaign.
The malware was delivered using a DLL side-loading technique, where a malicious DLL is loaded through a legitimate executable launched by a batch script.
JFMBackdoor offers attackers extensive capabilities, including:
- Remote command execution
- File management
- Network proxying
- Screenshot capture
- Self-deletion for stealth
According to a coordinated report from PricewaterhouseCoopers (PwC), the targeting of Afghanistan’s telecommunications sector strongly aligns with Red Lamassu’s broader intelligence-gathering objectives.
Rising Threat of Cross-Platform Cyber Espionage
The discovery of Showboat highlights the increasing sophistication of cyber-espionage campaigns targeting Linux environments, which are often less monitored than Windows systems.
Security experts recommend organizations strengthen endpoint monitoring, patch internet-facing services promptly, and closely inspect unusual outbound traffic patterns to detect advanced persistent threats before they spread deeper into enterprise networks.
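Two of the outbound patterns the article describes are concrete enough to turn into detection logic: a server fetching content from Pastebin, and an implant polling its C2 server on a fixed schedule. The following is an added example of mine (not from the article, Black Lotus Labs or PwC) that parses a constructed connection log, reports paste-site contacts, and flags source/destination pairs whose connection intervals are too regular to be human, using the coefficient of variation of the gaps. The log format, hosts and timestamps are constructed; 203.0.113.77 and mirror.example.org are documentation-range placeholders.

```python
import re
import statistics
from datetime import datetime, timezone

# Added example. Constructed outbound-connection log for a server segment: one host
# fetches from pastebin.com then polls an address every ~5 minutes; another host
# talks to a package mirror at irregular, human-shaped intervals.
SAMPLE_LOG = """\
2025-05-03T10:00:00Z src=10.0.5.12 dst=pastebin.com dport=443
2025-05-03T10:00:01Z src=10.0.5.12 dst=203.0.113.77 dport=443
2025-05-03T10:05:01Z src=10.0.5.12 dst=203.0.113.77 dport=443
2025-05-03T10:10:02Z src=10.0.5.12 dst=203.0.113.77 dport=443
2025-05-03T10:15:01Z src=10.0.5.12 dst=203.0.113.77 dport=443
2025-05-03T10:20:00Z src=10.0.5.12 dst=203.0.113.77 dport=443
2025-05-03T10:00:30Z src=10.0.5.20 dst=mirror.example.org dport=443
2025-05-03T10:42:10Z src=10.0.5.20 dst=mirror.example.org dport=443
2025-05-03T11:57:45Z src=10.0.5.20 dst=mirror.example.org dport=443
2025-05-03T13:03:05Z src=10.0.5.20 dst=mirror.example.org dport=443
2025-05-03T15:20:00Z src=10.0.5.20 dst=mirror.example.org dport=443
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)$")
# pastebin.com is the paste site named in the report; extend per local policy.
PASTE_SITES = {"pastebin.com"}


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        raw_ts, src, dst, dport = m.groups()
        ts = datetime.strptime(raw_ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "raw_ts": raw_ts, "src": src, "dst": dst, "dport": int(dport)})
    return events


def find_paste_site_contacts(events):
    """Servers have no business pulling from paste sites; report every such contact."""
    return [(e["src"], e["dst"], e["raw_ts"]) for e in events if e["dst"].lower() in PASTE_SITES]


def find_beacons(events, min_count=5, max_cv=0.1):
    """Flag (src, dst) pairs whose inter-connection gaps are nearly constant.
    cv = stdev/mean of the gaps; machine polling sits near 0, people do not."""
    by_pair = {}
    for e in events:
        by_pair.setdefault((e["src"], e["dst"]), []).append(e["ts"])
    beacons = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "count": len(stamps),
                            "mean_interval": mean, "cv": cv})
    return beacons


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("paste-site contacts:", find_paste_site_contacts(evts))
    for b in find_beacons(evts):
        print(f"beacon: {b['src']} -> {b['dst']} every {b['mean_interval']:.0f}s (cv={b['cv']:.3f})")
```

Legitimate schedulers (NTP, monitoring agents, package checks) also beacon, so the output is a triage list to compare against an allowlist of known-periodic destinations, not an alert on its own. Implants that add jitter to their sleep raise the cv; widen max_cv or add a second feature such as constant request size before relying on this alone.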
