A new Linux post‑exploitation framework called Showboat has been used by China‑linked threat groups to infiltrate a telecom provider in the Middle East. The modular malware can spawn remote shells, act as a SOCKS5 proxy, and hide its activity with rootkit‑like techniques. Researchers detail the campaign, its ties to known actors, and steps organizations can take to defend against similar attacks.
Showboat malware resurfaces in a multi‑year campaign against a Middle‑East telecom operator

Security researchers at Lumen Technologies’ Black Lotus Labs have uncovered a Linux‑based backdoor, Showboat, that has been active against a major telecommunications provider in the Middle East since at least mid‑2022. The modular framework can open a remote shell, transfer files, and, most notably, expose the compromised host as a SOCKS5 proxy for lateral movement inside otherwise isolated networks.
Who is behind the operation?
The investigators linked the payload to Calypso – a threat group also known as Bronze Medley or Red Lamassu. Calypso has been active since 2016, targeting state entities in Brazil, India, Kazakhstan, Russia, Thailand, and Turkey. Its tooling overlaps with other China‑aligned clusters such as SixLittleMonkeys, Webworm, and the broader Mikroceen family tracked by ESET.
“The reuse of shared frameworks like PlugX, ShadowPad, and now Showboat points to a digital quartermaster that supplies multiple state‑sponsored actors,” said Danny Adamitis, senior researcher at Black Lotus Labs.
Geolocation of command‑and‑control (C2) servers shows a concentration of IP addresses in Chengdu, Sichuan Province, China, reinforcing the attribution.
How Showboat works
| Feature | Description |
|---|---|
| Modular architecture | Loads additional payloads on demand, allowing attackers to extend capabilities without redeploying the core binary. |
| Remote shell & file ops | Executes arbitrary commands, uploads/downloads files, and can self‑remove to erase traces. |
| SOCKS5 proxy | Turns the infected host into a proxy, enabling access to internal LAN devices that lack direct internet exposure. |
| Stealth techniques | Hides its process from standard listings, injects code snippets retrieved from a Pastebin paste (created 2022‑01‑11), and encodes exfiltrated data in a PNG image using Base64 and custom encryption. |
| C2 communication | Uses TLS‑wrapped HTTP with X.509 certificates; a secondary C2 cluster shares the same certificate chain, suggesting a tiered infrastructure. |
The initial sample surfaced on VirusTotal in May 2025 and was classified as a sophisticated Linux backdoor with rootkit‑like behavior. Kaspersky labels the artifact EvaRAT.
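What the SOCKS5 capability in the table means in practice is that an internal host starts answering RFC 1928 handshakes on the attacker's behalf, and the destinations it is asked to reach are the attacker's lateral-movement targets. The decoder below is an added example for hunting such traffic; it is not Showboat code and not from the Black Lotus Labs report. It parses the client side of a SOCKS5 session (greeting plus CONNECT/BIND/UDP request) from a captured TCP payload and reports the requested destination. The sample payloads are constructed, and the `is_internal` check only classifies literal IP addresses.

```python
"""Decode the client half of a SOCKS5 (RFC 1928) session from a captured payload.

Added example for traffic hunting, not code from the Showboat sample.
Feed it the first bytes a suspected proxy client sent to an internal host;
it returns the command and destination the proxy was asked to reach.
"""
from __future__ import annotations

import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}


@dataclass
class Socks5Request:
    auth_methods: list[int]   # methods offered in the greeting (0x00 = no auth, 0x02 = user/pass)
    command: str
    dst_host: str             # dotted IPv4, IPv6 text, or a domain name
    dst_port: int


def parse_socks5_client_stream(payload: bytes) -> Optional[Socks5Request]:
    """Return the decoded request, or None if the bytes are not a SOCKS5 client stream."""
    # Greeting: VER(0x05) NMETHODS METHODS[NMETHODS]
    if len(payload) < 3 or payload[0] != 0x05:
        return None
    nmethods = payload[1]
    if len(payload) < 2 + nmethods:
        return None
    methods = list(payload[2:2 + nmethods])
    off = 2 + nmethods

    # Request: VER(0x05) CMD RSV(0x00) ATYP DST.ADDR DST.PORT
    if len(payload) < off + 4 or payload[off] != 0x05 or payload[off + 2] != 0x00:
        return None
    cmd = payload[off + 1]
    if cmd not in CMD_NAMES:
        return None
    atyp = payload[off + 3]
    off += 4

    if atyp == 0x01:    # IPv4: 4 raw bytes
        if len(payload) < off + 4:
            return None
        host = str(ipaddress.IPv4Address(payload[off:off + 4]))
        off += 4
    elif atyp == 0x03:  # domain name: 1-byte length prefix, no NUL terminator
        if len(payload) < off + 1:
            return None
        n = payload[off]
        off += 1
        if len(payload) < off + n:
            return None
        host = payload[off:off + n].decode("ascii", "replace")
        off += n
    elif atyp == 0x04:  # IPv6: 16 raw bytes
        if len(payload) < off + 16:
            return None
        host = str(ipaddress.IPv6Address(payload[off:off + 16]))
        off += 16
    else:
        return None

    if len(payload) < off + 2:
        return None
    (port,) = struct.unpack("!H", payload[off:off + 2])  # network byte order
    return Socks5Request(methods, CMD_NAMES[cmd], host, port)


def is_internal(host: str) -> bool:
    """True when the requested destination is private address space, i.e. a pivot into the LAN.

    Domain names are returned as False here; resolving them is left to the caller.
    """
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


# Constructed sample: greeting offering no-auth, then CONNECT to 10.0.5.20:22 over IPv4.
SAMPLE_IPV4 = bytes([0x05, 0x01, 0x00,
                     0x05, 0x01, 0x00, 0x01, 10, 0, 5, 20, 0x00, 0x16])

# Constructed sample: greeting offering no-auth and user/pass, then CONNECT to intranet.local:443.
SAMPLE_DOMAIN = (bytes([0x05, 0x02, 0x00, 0x02,
                        0x05, 0x01, 0x00, 0x03, 14]) + b"intranet.local" + bytes([0x01, 0xBB]))


if __name__ == "__main__":
    for label, blob in (("ipv4", SAMPLE_IPV4), ("domain", SAMPLE_DOMAIN), ("http", b"GET / HTTP/1.1\r\n")):
        req = parse_socks5_client_stream(blob)
        if req is None:
            print(f"{label}: not SOCKS5")
        else:
            pivot = " (internal pivot)" if is_internal(req.dst_host) else ""
            print(f"{label}: {req.command} {req.dst_host}:{req.dst_port} methods={req.auth_methods}{pivot}")
```

A SOCKS5 greeting between two internal hosts, neither of which is a sanctioned proxy, is the signal worth alerting on; the destination and the offered authentication methods tell you whether the pivot was aimed at the LAN and whether the operator bothered to password-protect the relay.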
Delivery chain – what we know
The exact initial access vector remains unclear, but historical Calypso activity provides clues:
- ASPX web shells deployed after exploiting vulnerable or default remote‑access accounts.
- Early weaponization of CVE‑2021‑26855 (ProxyLogon) to gain footholds in Microsoft Exchange environments.
- In the current campaign, a Windows implant named JFMBackdoor is delivered via DLL side‑loading: a batch script launches a legitimate executable, which then loads the attacker's DLL in place of a library it expects to find beside it.
Impact and collateral victims
Beyond the primary telecom target, infrastructure analysis revealed:
- An Afghanistan‑based ISP compromised with the same framework.
- An Azerbaijan entity showing similar indicators of compromise.
- Two possible infections in the United States and one in Ukraine tied to the secondary C2 cluster.
These findings illustrate the cross‑regional reach of the group’s tooling and the risk of lateral movement through internal proxies.
Practical steps for defenders
- Audit Linux assets for unknown binaries – Look for ELF files with suspicious strings such as `png`, `base64`, or references to Pastebin URLs. On their own these strings are common in benign software; treat them as hunting leads that need corroboration, not as signatures.
- Monitor outbound TLS traffic – Showboat uses HTTPS to a limited set of C2 domains; anomalous connections to IPs in Sichuan should raise alerts, but geolocation alone is a weak signal and should be combined with the certificate and domain indicators from the report.
- Enforce strict DLL loading policies on Windows – Use `AppLocker` or `Windows Defender Application Control` to block unsigned side‑loaded DLLs.
- Network segmentation – Isolate critical telecom infrastructure from general-purpose servers; limit internal traffic that can be proxied via SOCKS5, and alert on SOCKS handshakes between hosts that are not sanctioned proxies.
- Leverage threat‑intel feeds – Add the X.509 certificate fingerprints and known C2 IP ranges to your IDS/IPS signatures.
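The first step above, auditing Linux assets for binaries that carry the strings the report mentions, is easy to do badly: a bare `grep -l base64` over `/usr/bin` will light up half the system. The script below is an added example of a more useful version, written for this page rather than taken from the report or from any vendor tooling. It identifies ELF files by magic, extracts printable strings the way `strings -n 4` does, and scores them against weighted hunting leads drawn from the article, so that a single weak string does not fire on its own. The indicator list, weights and threshold are illustrative assumptions, and the sample blobs are constructed, not real malware.

```python
"""Weighted string hunting over ELF files, for the 'audit Linux assets' step.

Added example, not from the Black Lotus Labs report and not the Showboat binary.
Run it against a mounted forensic image or a trusted live system; a rootkit-like
implant that hides its process may also hide its files from the infected host's
own directory listings.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass, field

ELF_MAGIC = b"\x7fELF"
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")  # printable ASCII runs, like `strings -n 4`

# Hunting leads from the article with illustrative weights (assumption): a Pastebin URL
# is unusual inside an ELF and scores high; base64/png handling is everywhere and scores low.
INDICATORS = [
    (re.compile(rb"pastebin\.com/(raw/)?[A-Za-z0-9]+", re.I), "pastebin-url", 3),
    (re.compile(rb"socks5?", re.I), "socks", 2),
    (re.compile(rb"base64", re.I), "base64", 1),
    (re.compile(rb"\.png\b|\bpng\b|IHDR", re.I), "png", 1),
]
ALERT_THRESHOLD = 4  # illustrative: needs a strong lead or several weak ones


@dataclass
class ScanResult:
    path: str
    is_elf: bool
    score: int = 0
    hits: dict[str, list[str]] = field(default_factory=dict)


def scan_bytes(path: str, data: bytes) -> ScanResult:
    """Score one file's contents; non-ELF files are reported but never scored."""
    res = ScanResult(path, data.startswith(ELF_MAGIC))
    if not res.is_elf:
        return res
    for s in STRING_RE.findall(data):
        for pat, label, _weight in INDICATORS:
            if pat.search(s):
                res.hits.setdefault(label, []).append(s.decode("ascii"))
    res.score = sum(weight * len(res.hits.get(label, [])) for _, label, weight in INDICATORS)
    return res


def scan_tree(root: str) -> list[ScanResult]:
    """Walk a directory tree and return only the ELF files that reach the alert threshold."""
    flagged = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    result = scan_bytes(path, fh.read())
            except OSError:
                continue  # unreadable or vanished; a hidden file will not show up here at all
            if result.score >= ALERT_THRESHOLD:
                flagged.append(result)
    return flagged


# Constructed sample: a fake ELF header followed by the kind of strings the article describes.
SAMPLE_ELF = (ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9
              + b"https://pastebin.com/raw/ABCdef12\x00"
              + b"base64_decode\x00image.png\x00socks5 listen\x00")

# Constructed sample: a shell script containing the same words; it is not ELF and is never scored.
SAMPLE_SCRIPT = b"#!/bin/sh\necho base64 png pastebin.com/raw/xyz\n"


if __name__ == "__main__":
    for path, blob in (("/opt/.cache/svchost", SAMPLE_ELF), ("/usr/local/bin/backup.sh", SAMPLE_SCRIPT)):
        r = scan_bytes(path, blob)
        verdict = "ALERT" if r.score >= ALERT_THRESHOLD else "ok"
        print(f"{verdict:5} {r.path} elf={r.is_elf} score={r.score} hits={sorted(r.hits)}")
```

Weighting matters more than the patterns: an image library legitimately mentions PNG, and anything that speaks HTTP mentions base64, so a match list that fires on one of those is noise. A Pastebin URL embedded in an ELF that also contains SOCKS strings is the combination worth opening in a disassembler.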
“While some actors rely on native system tools for stealth, others still deploy persistent implants like Showboat. Detection requires a blend of endpoint monitoring and network‑level threat hunting,” warned Adamitis.
Looking ahead
The Showboat campaign underscores how Chinese‑state‑aligned groups continue to recycle and evolve shared codebases, blurring the lines between distinct actors. Organizations that operate critical infrastructure—especially telecom providers—should prioritize visibility into internal proxy usage and maintain up‑to‑date threat‑intel on emerging Linux‑focused malware.
Resources
- Black Lotus Labs report on Showboat (PDF) – [link to report]
- Kaspersky’s EvaRAT analysis – https://www.kaspersky.com/resource-center/threats/evarat
- ESET’s Mikroceen tracking page – https://www.eset.com/int/about/our-research/mikroceen
- CVE‑2021‑26855 (ProxyLogon) details – https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE‑2021‑26855
Stay vigilant, keep your systems patched, and regularly review outbound traffic patterns to catch covert proxies before they become a bridge for deeper intrusion.
