Showboat malware targets MT companies in the Middle East. It looks like was created by someone linked to Chinese-sponsored organizations and has been utilized against that organization by intelligence sources at least since the middle of 2022.
The Showboat Linux malware China telecom attack was analyzed by Lumen Technologies Black Lotus Labs, and the malware is a modular post-exploitation framework designed for Linux systems capable of spawning a remote shell, transferring files, and functioning as a SOCKS5 proxy.
The investigation began when an ELF binary was uploaded to VirusTotal in May 2025, and the malware scanning platform classified it as a sophisticated Linux backdoor with rootkit-like capabilities, and Kaspersky is tracking the same artifact as EvaRAT.
The Calypso Connection
The Showboat Linux malware China telecom attack has been linked to a threat actor known as Calypso which is also called Bronze Medley and Red Lamassu, and this group has been active since at least September 2016.
Calypso has targeted state institutions in Brazil, India, Kazakhstan, Russia, Thailand, and Turkey, and the group was first publicly documented by Positive Technologies in October 2019.
The Showboat Linux malware China telecom attack shares infrastructure with Calypso, and correlations have been identified between command-and-control (C2) nodes and IP addresses geolocated to Chengdu which is the capital city of the Chinese province of Sichuan.
The Tool Arsenal
Calypso uses several well-known tools in its arsenal including PlugX and backdoors like WhiteBird and BYEBY, and BYEBY is part of a broader cluster tracked by ESET under the moniker Mikroceen.
The use of Mikroceen has been attributed to a cluster known as SixLittleMonkeys, and SixLittleMonkeys shares tactical overlaps with another China-linked group called Webworm.
The Showboat Linux malware China telecom attack joins other shared frameworks like PlugX, ShadowPad, and NosyDoor that have been used by multiple China-nexus groups, and this resource pooling reinforces the presence of a digital quartermaster that state-sponsored threat actors from China have relied on for tooling.
How Showboat Works
The Showboat Linux malware China telecom attack malware is designed to contact a C2 server, gather system information, and transmit that information back to the server in a PNG field as an encrypted and Base64-encoded string.
The malware is also equipped to upload and download files to and from the host machine, and it can conceal its presence from the process list, and it can manage multiple C2 servers.
To hide itself on the host machine, Showboat retrieves a code snippet hosted on Pastebin, and the paste was created on January 11 2022 which is before the first observed attacks.
The Showboat Linux malware China telecom attack can also scan for other devices on the same network and connect to them via the SOCKS5 proxy, and this suggests that the primary purpose of Showboat is to establish a foothold on compromised systems.
The SOCKS5 Proxy Capability
The SOCKS5 proxy feature of the Showboat Linux malware China telecom attack is particularly dangerous because it allows attackers to interact with machines that are not exposed publicly to the internet.
Black Lotus Labs explained that this would allow the attackers to interact with machines that are only accessible via the local area network, and this means a compromised edge device can give attackers access to internal systems that should never touch the public internet.
The Showboat Linux malware China telecom attack effectively turns one compromised Linux server into a gateway for attacking the entire internal network.
Initial Access Vector
Black Lotus Labs security researcher Danny Adamitis told The Hacker News that the exact initial access vector used to deliver the Showboat Linux malware China telecom attack is currently unknown.
However, in the past Calypso has been observed leveraging an ASPX web shell after exploiting a flaw or breaking into a default account used for remote access, and the adversary was also among the earliest China-aligned groups to weaponize CVE-2021-26855.
CVE-2021-26855 is a security vulnerability in Microsoft Exchange Server that serves as the first step in an exploit chain called ProxyLogon, and this vulnerability was widely exploited in 2021.
The Victims
Infrastructure analysis of the Showboat Linux malware China telecom attack has uncovered two specific victims.
An Afghanistan-based internet service provider (ISP) was compromised, and another unknown entity located in Azerbaijan was also victimized.
A secondary C2 cluster using similar X.509 certificates as the original C2 server has uncovered two possible compromises in the United States and one in Ukraine, and this indicates the campaign may be broader than initially understood.
The Showboat Linux malware China telecom attack targeting of Afghanistan and its telecommunications sector aligns with what researchers assess to almost certainly be Calypso's wider operational goals and objectives according to PricewaterhouseCoopers (PwC).
JFMBackdoor Windows Implant
In the same campaign targeting the telecommunications provider in Afghanistan, Calypso also used a fully featured Windows implant called JFMBackdoor.
The Showboat Linux malware China telecom attack Windows component is delivered via DLL side-loading, and the attack chain involves a batch script that is used to launch a legitimate executable that then loads a rogue DLL.
JFMBackdoor supports a wide range of capabilities including remote shell access, file operations, network proxying, screenshot capture, and self-removal, and this Windows tool complements the Linux-focused Showboat.
The Pastebin Rootkit Technique
The Showboat Linux malware China telecom attack uses an unusual rootkit technique involving Pastebin.
The malware retrieves a code snippet hosted on Pastebin, and this code helps the malware conceal its presence from process listing tools, and the paste was created on January 11 2022 which is significant because it predates the earliest known samples.
Using Pastebin for rootkit code allows the Showboat Linux malware China telecom attack operators to update the hiding mechanism without modifying the malware binary itself, and they can simply change the Pastebin content.
Resource Pooling Among Chinese Groups
The Showboat Linux malware China telecom attack highlights a pattern of resource pooling among Chinese state-sponsored threat actors.
PlugX, ShadowPad, and NosyDoor have all been used by multiple groups, and Showboat appears to be another shared framework, and this suggests that there is a central organization or a set of trusted developers who supply tooling to multiple operational units.
According to Black Lotus Labs, this is digital quartermaster utilized by state-sponsored threat actors from China to source required tooling, while allowing the actors to focus on their own operations with one entity being responsible for creating and maintaining malware.
Why Telecom Providers Are Targeted
The Showboat Linux malware China telecom attack targeting of a telecommunications provider is consistent with Chinese espionage priorities.
Telecom providers have access to vast amounts of communications data, they can intercept calls and messages, and they can see who is talking to whom and when.
A compromised telecom provider may act as a springboard to compromise other organizations; because businesses and government utilize telecom services to communicate with each other.
The malware Showboat Linux was utilized in the China telecom attack against an Afghanistan ISP and this attacks significance was due to the geopolitical location of Afghanistan throughout history; thus, many countries show interest in what goes on there.
Continues to Attack for Years
The Showboat Linux malware China's telecom attack has been present since at least the mid-2022 time frame and therefore the same family of malware has been in operation for almost three years at the time of this report.
The Pastebin code snippet that was created (aloud) in January 2022 creates a lower limit for the development of the malware and the submission to VirusTotal (May 2025) indicates that it is still active now (2025).
Long term campaigns of this type are especially dangerous because they demonstrate that the attackers had established persistent access, and victims have not detected or removed this malware.
How to Protect Your Network
The Showboat Linux malware China telecom attack offers lessons for network defenders.
1. Monitor Pastebin retrievals; some malware retrieves its code from Pastebin, and organizations can monitor for unexpected or unauthorized connections from their production servers to Pastebin.
2. Look for SOCKS5 proxy traffic. The Showboat Linux malware China telecom attack uses the SOCKS5 protocol for lateral movement, and any unusual SOCKS5 traffic on a network might indicate a compromised system.
3. Search for Backdoors (in Linux): Backdoor malware is a constant threat, and you will typically find them in your environment using a scan that looks for new or non-compliance Linux Processes and/or Network Connections.
4. Audit All Remote Access Accounts: Historically, Calypso has created multiple Default User Accounts that they have Compromised Credential of; therefore, when accessing remotely enforcing Strong Password Policies and implementing Multi-Factor Authentication will help lower their risk.
5. Patch Vulnerabilities in Exchange Servers. Calypso weaponized ProxyLogon against Exchange Server vulnerabilities early on, and therefore, applying patches for Exchange Server vulnerabilities continues to be of utmost importance.
Final Thoughts
The China Telecom attack involving Showboat Linux Malware is further evidence of a state-sponsored espionage campaign being run by China against critical infrastructures / systems, where telecom industries within both AA and AF have been a target since at least 2022.
The malware itself is very advanced – it has rootkit-like functionality and can hide from process lists; it can also proxy its communications through hacked systems (for example, it can establish multiple communication pathways) as well as provide an attacker with long-term (potentially permanent) access to a host system.
Additionally, the Showboat Linux malware China Telecom attack exemplifies the collaborative resource sharing strategy employed by many of today’s Chinese cyber threat actors. Showboat Linux is one of several platforms used by several separate groups of cyber actors, including PlugX, ShadowPad, and NosyDoor, which share the same code base across multiple platforms.
The attack on an Afghanistan ISP is particularly concerning because Afghanistan's telecommunications infrastructure is critical to international military, diplomatic, and humanitarian operations, and any compromise of that infrastructure has strategic implications.
If you run Linux servers in a telecom environment or any critical infrastructure, monitor for Showboat indicators, check for Pastebin connections, and assume that attackers may already be inside your network.
FAQ Section
What is Showboat Linux malware?
Showboat is a modular post-exploitation framework designed for Linux systems, it is capable of spawning a remote shell, transferring files, functioning as a SOCKS5 proxy, and hiding itself from process lists using code retrieved from Pastebin.
Who was behind the Showboat Linux malware China telecom attack?
The Showboat Linux malware China telecommunications attack was perpetrated by the Calypso Group (by any of its many names: Bronze Medley; Red Lamassu) which is a Chinese state-sponsored entity that has conducted cybercrime against telecommunications companies around the world since 2016 and operates out of Chengdu, China.
What telecoms were caught up in the Showboat assaults?
Subordinate infrastructure linked to the Showboat cyberattack shows that both an ISP in Afghanistan and an unidentified entity in Azerbaijan were victims of the Showboat attack, as well as potentially Americans and Ukrainians.
How does Showboat mask itself?
Showboat obtains a code snippet from Pastebin (created on 1/11/2022) which enables the malware to disguise itself from process listing utilities. This method allows the operator of Showboat to upgrade the concealment mechanism without changing the malware binary.
What other malware does Calypso employ?
Calypso employs PlugX, WhiteBird, BYEBY (Mikroceen), and JFMBackdoor which is a Windows implant propagated through DLL Side-Loading, and these tools are shared by various Chinese threat actor organisations via a resource pooling framework.