Showboat Linux Malware Targets Middle East Telecoms with Advanced Backdoor
Cybersecurity researchers have identified a sophisticated Linux malware, dubbed Showboat, that has been targeting telecommunications providers in the Middle East since mid-2022. It is a modular post-exploitation framework built to open remote shells, transfer files, and act as a SOCKS5 proxy, giving attackers persistent access to, and control over, compromised systems.
Lumen Technologies’ Black Lotus Labs, in a detailed report, highlighted that Showboat has been utilized by at least one, potentially multiple, threat groups linked to China. Notably, command-and-control (C2) servers associated with the malware trace back to IP addresses in Chengdu, Sichuan Province.
One prominent group implicated is Calypso, also known as Bronze Medley and Red Lamassu. Active since at least September 2016, Calypso has a history of targeting governmental institutions across Brazil, India, Kazakhstan, Russia, Thailand, and Turkey. Their arsenal includes tools like PlugX and backdoors such as WhiteBird and BYEBY. The latter is part of a broader cluster identified by ESET as Mikroceen, which is linked to another China-affiliated group, SixLittleMonkeys. This group shares operational tactics with Webworm, another entity connected to Chinese state-sponsored cyber activities.
Showboat aligns with other shared frameworks like PlugX, ShadowPad, and NosyDoor, all of which have been employed by various China-linked groups. This pattern suggests a centralized development and distribution of cyber tools among these actors, reinforcing the concept of a digital quartermaster supplying state-sponsored threat groups with necessary resources.
The investigation into Showboat began with the discovery of an ELF binary uploaded to VirusTotal in May 2025. This binary was identified as a sophisticated Linux backdoor with rootkit-like capabilities. Kaspersky has since tracked this artifact under the name EvaRAT.
The exact method of initial infection remains unclear. Historically, groups like Calypso have exploited vulnerabilities or default remote access accounts to deploy ASPX web shells. Notably, Calypso was among the first to exploit CVE-2021-26855, a critical vulnerability in Microsoft Exchange Server, as part of the ProxyLogon exploit chain.
Once deployed, Showboat beacons to its C2 server, collects system information, and sends it back encrypted and Base64-encoded inside a PNG file. The malware can upload and download files, hide its own processes to evade detection, and manage its C2 servers. To stay stealthy, it retrieves obfuscation code from Pastebin; records indicate the paste in question was created on January 11, 2022.
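The report describes the host profile travelling as encrypted, Base64-encoded data inside a PNG file. The following is an added example, not code from Black Lotus Labs or from the implant itself: it builds a constructed carrier PNG whose tEXt chunk holds a Base64 blob (the chunk type Showboat actually uses is not stated in the report, so tEXt is an assumption here), then parses the file chunk by chunk the way a proxy or gateway inspector would, flagging Base64 text chunks, non-standard chunk types, CRC mismatches, and data appended after IEND.

```python
import base64
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else is custom or private.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME",
}


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_carrier_png(payload: bytes, keyword: bytes = b"Comment") -> bytes:
    """Constructed sample: a valid 1x1 RGB PNG whose tEXt chunk carries a Base64
    blob. In the real implant the payload is ciphertext; the chunk type used
    there is not given in the report, so tEXt is this example's assumption."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit depth, RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")            # filter byte + one pixel
    text = keyword + b"\x00" + base64.b64encode(payload)
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"tEXt", text)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


def iter_chunks(data: bytes):
    """Yield (type, body, crc_ok) per chunk. Bytes after IEND, or a truncated
    final chunk, come out as a pseudo-chunk of type b'TAIL'."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            break  # declared length runs past the file: treat the rest as tail
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        yield ctype, body, (zlib.crc32(ctype + body) & 0xFFFFFFFF) == crc
        pos += 12 + length
        if ctype == b"IEND":
            break
    if pos < len(data):
        yield b"TAIL", data[pos:], False


def _is_base64(blob: bytes) -> bool:
    """Strict Base64 check: alphabet-only and padded to a multiple of four."""
    if len(blob) < 16 or len(blob) % 4:
        return False
    try:
        base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True


def find_covert_chunks(data: bytes, max_text: int = 256) -> list:
    """Return (reason, size) findings suggesting the PNG is a data carrier."""
    findings = []
    for ctype, body, crc_ok in iter_chunks(data):
        name = ctype.decode("latin-1")
        if ctype == b"TAIL":
            findings.append(("trailing-data-after-IEND", len(body)))
            continue
        if ctype not in STANDARD_CHUNKS:
            findings.append(("non-standard-chunk:" + name, len(body)))
        elif ctype == b"tEXt":
            keyword, _, text = body.partition(b"\x00")
            if len(text) > max_text or _is_base64(text):
                findings.append(("base64-text-chunk:" + keyword.decode("latin-1"), len(text)))
        if not crc_ok:
            findings.append(("bad-crc:" + name, len(body)))
    return findings


def extract_base64_text(data: bytes) -> list:
    """Decode every Base64 tEXt payload (still ciphertext if the sender encrypted it)."""
    out = []
    for ctype, body, _ in iter_chunks(data):
        if ctype == b"tEXt":
            _, _, text = body.partition(b"\x00")
            if _is_base64(text):
                out.append(base64.b64decode(text))
    return out


if __name__ == "__main__":
    sample = build_carrier_png(b"hostname=lab-01;kernel=5.15.0;uid=0")  # constructed
    for reason, size in find_covert_chunks(sample):
        print(f"{reason:40s} {size} bytes")
    print(extract_base64_text(sample))
```

Because the real payload is encrypted before it is encoded, the decoded blob is still ciphertext; the detection value lies in noticing that an image carries structured text or private chunks at all, and the chunk-level checks hold even when the file is otherwise valid and opens normally in a viewer.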
A significant feature of Showboat is its ability to scan the local network for other devices and reach them through its SOCKS5 proxy. This turns the compromised host into a pivot: attackers can interact with machines that are not exposed to the internet but are reachable over the local area network (LAN).
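To make the pivoting concrete, here is an added example (not the implant's code, and not taken from the report) of the SOCKS5 exchange in RFC 1928 terms: an operator-side client that sends the greeting and a CONNECT request, and an implant-side server that accepts it, connects to the internal target, and relays bytes in both directions. The run is entirely over loopback; the echo service standing in for an internal host, the no-authentication method, and the message bytes are all assumptions of the example.

```python
import ipaddress
import select
import socket
import struct
import threading

SOCKS_VER, NO_AUTH, NO_ACCEPTABLE, CMD_CONNECT, REP_OK = 0x05, 0x00, 0xFF, 0x01, 0x00
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def encode_addr(host: str, port: int) -> bytes:
    """ATYP + address + big-endian port, as used in SOCKS5 requests and replies."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # not an IP literal: send as a domain name (ATYP 0x03)
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return addr + struct.pack(">H", port)

def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf

def read_addr(sock):  # inverse of encode_addr, consumed straight off the socket
    atyp = recv_exact(sock, 1)[0]
    if atyp == ATYP_IPV4:
        host = str(ipaddress.IPv4Address(recv_exact(sock, 4)))
    elif atyp == ATYP_DOMAIN:
        host = recv_exact(sock, recv_exact(sock, 1)[0]).decode("idna")
    elif atyp == ATYP_IPV6:
        host = str(ipaddress.IPv6Address(recv_exact(sock, 16)))
    else:
        raise ValueError(f"unsupported ATYP {atyp:#x}")
    return host, struct.unpack(">H", recv_exact(sock, 2))[0]

def socks5_connect(proxy, host: str, port: int) -> socket.socket:
    """Operator side: greeting, method selection, CONNECT request, reply."""
    s = socket.create_connection(proxy)
    s.sendall(bytes([SOCKS_VER, 1, NO_AUTH]))  # VER, NMETHODS, METHODS
    ver, method = recv_exact(s, 2)
    if ver != SOCKS_VER or method != NO_AUTH:
        raise ConnectionError("proxy rejected no-auth")
    s.sendall(bytes([SOCKS_VER, CMD_CONNECT, 0x00]) + encode_addr(host, port))
    _, rep, _ = recv_exact(s, 3)
    read_addr(s)  # BND.ADDR / BND.PORT, not needed for CONNECT
    if rep != REP_OK:
        raise ConnectionError(f"CONNECT refused, REP={rep}")
    return s

def serve_one(listener: socket.socket, log: list) -> None:
    """Implant side: accept one client, honour CONNECT, relay both directions."""
    client, _ = listener.accept()
    _, nmethods = recv_exact(client, 2)
    methods = recv_exact(client, nmethods)
    client.sendall(bytes([SOCKS_VER, NO_AUTH if NO_AUTH in methods else NO_ACCEPTABLE]))
    _, cmd, _ = recv_exact(client, 3)  # only CONNECT is handled in this example
    host, port = read_addr(client)
    log.append((host, port))  # the pivot target: exactly what a defender wants logged
    target = socket.create_connection((host, port))
    client.sendall(bytes([SOCKS_VER, REP_OK, 0x00]) + encode_addr(*target.getsockname()[:2]))
    pair = [client, target]
    while True:
        for ready in select.select(pair, [], [])[0]:
            data = ready.recv(4096)
            if not data:
                for s in pair:
                    s.close()
                return
            (target if ready is client else client).sendall(data)

def _listener() -> socket.socket:
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s

def demo(message: bytes = b"hello via the pivot") -> tuple:
    """Loopback run; the echo service stands in for an internal host only the implant can reach."""
    echo, proxy, log = _listener(), _listener(), []

    def echo_once():
        with echo.accept()[0] as conn:
            conn.sendall(recv_exact(conn, len(message)))

    t_echo = threading.Thread(target=echo_once, daemon=True)
    t_proxy = threading.Thread(target=serve_one, args=(proxy, log), daemon=True)
    t_echo.start()
    t_proxy.start()
    s = socks5_connect(proxy.getsockname(), "127.0.0.1", echo.getsockname()[1])
    s.sendall(message)
    reply = recv_exact(s, len(message))
    s.close()
    t_echo.join(5)
    t_proxy.join(5)
    return reply, log
```

On a compromised host the tell is the server half: a process that accepts bytes beginning `05 01 00` on a socket (or over its C2 channel) and then issues outbound connections to RFC 1918 addresses the host has no business reaching. The per-CONNECT (host, port) record that serve_one keeps is what a defender would want from any proxy listener; a real implant will not keep it, so the equivalent has to come from NetFlow, host firewall logs, or a socket-level audit on the box.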
Further analysis revealed two confirmed victims: an internet service provider in Afghanistan and an unidentified entity in Azerbaijan. A secondary C2 cluster, using X.509 certificates similar to those on the primary server, pointed to possible compromises in the United States and Ukraine.
Danny Adamitis, a security researcher at Black Lotus Labs, emphasized the significance of such persistent malware implants. He noted that while some threat actors increasingly rely on native system tools to evade detection, others continue to deploy enduring malware. The presence of such threats serves as an early warning, indicating potential broader security issues within affected networks.
In the campaign targeting the Afghan telecommunications provider, Calypso also deployed a comprehensive Windows implant named JFMBackdoor. Delivered through DLL side-loading, this backdoor offers extensive capabilities, including remote shell access, file operations, network proxying, screenshot capture, and self-removal.
The attack sequence involves a batch script that launches a legitimate executable, which, following the normal DLL search order, loads the malicious DLL placed beside it in place of the library it expects. PricewaterhouseCoopers (PwC) noted that targeting Afghanistan's telecommunications sector aligns with Red Lamassu's broader operational objectives.
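The batch-script to legitimate-EXE to malicious-DLL chain leaves a recognisable pattern in image-load telemetry. The following is an added detection example, not from the report or from PwC, written against constructed Sysmon-style Event 1 (process create) and Event 7 (image load) records: the field names follow Sysmon's, while the paths, file names, and the short list of commonly side-loaded DLL names are all assumptions of the example, not indicators tied to JFMBackdoor.

```python
import ntpath

# Directories where Windows itself keeps DLLs; loads from here are expected.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")
# DLL names that are frequently side-loaded next to a signed host EXE.
# Illustrative list, an assumption of this example, not taken from the report.
COMMON_SIDELOAD_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "msimg32.dll", "cryptbase.dll"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}

# Constructed Sysmon-style events; none of these paths or names come from the report.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": "C:\\ProgramData\\svc\\wsvc.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "ParentCommandLine": "cmd.exe /c C:\\ProgramData\\svc\\run.bat"},
    {"EventID": 7, "ProcessGuid": "{A1}", "Image": "C:\\ProgramData\\svc\\wsvc.exe",
     "ImageLoaded": "C:\\ProgramData\\svc\\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "ProcessGuid": "{A1}", "Image": "C:\\ProgramData\\svc\\wsvc.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 1, "ProcessGuid": "{B2}", "Image": "C:\\Program Files\\Vendor\\app.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "ParentCommandLine": "explorer.exe"},
    {"EventID": 7, "ProcessGuid": "{B2}", "Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\plugin.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]


def detect_sideload(events) -> list:
    """Flag image loads where a DLL sitting in the EXE's own directory is unsigned
    (or its signature is not Valid). The score rises when the process was started
    by a script host, as with a .bat launcher, or when the DLL bears a name that
    would normally resolve from System32."""
    parents = {}  # ProcessGuid -> the Event 1 record, for parent correlation
    hits = []
    for ev in events:
        if ev["EventID"] == 1:
            parents[ev["ProcessGuid"]] = ev
            continue
        if ev["EventID"] != 7:
            continue
        exe_dir = ntpath.dirname(ev["Image"]).lower()
        dll_dir = ntpath.dirname(ev["ImageLoaded"]).lower()
        if dll_dir != exe_dir or dll_dir.startswith(SYSTEM_DIRS):
            continue  # only DLLs resolved from beside the EXE, outside system dirs
        signed_ok = (ev.get("Signed", "").lower() == "true"
                     and ev.get("SignatureStatus") == "Valid")
        if signed_ok:
            continue
        parent = parents.get(ev["ProcessGuid"], {})
        parent_name = ntpath.basename(parent.get("ParentImage", "")).lower()
        dll_name = ntpath.basename(ev["ImageLoaded"]).lower()
        score = 1 + (parent_name in SCRIPT_HOSTS) + (dll_name in COMMON_SIDELOAD_NAMES)
        hits.append({
            "process": ev["Image"],
            "dll": ev["ImageLoaded"],
            "parent": parent_name,
            "parent_cmdline": parent.get("ParentCommandLine", ""),
            "score": score,
        })
    return hits


if __name__ == "__main__":
    for h in detect_sideload(SAMPLE_EVENTS):
        print(f"score={h['score']} {h['process']} loaded {h['dll']} "
              f"(parent {h['parent']}: {h['parent_cmdline']})")
```

The rule does not depend on any hash or name tied to JFMBackdoor; it fires on the structural fact side-loading relies on, namely that a DLL resolved from the executable's own directory carries no valid signature. Expect it to also fire on unsigned vendor plug-ins, so triage on the parent process and the path rather than suppressing the rule.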
This incident underscores the evolving landscape of cyber threats in the Middle East, highlighting the need for robust cybersecurity measures and continuous vigilance against sophisticated state-sponsored attacks.