Showboat Linux Malware Targets Middle East Telecom with Advanced SOCKS5 Proxy Backdoor


Cybersecurity researchers have recently unveiled a sophisticated Linux malware known as Showboat, which has been actively employed in a targeted campaign against a telecommunications provider in the Middle East since at least mid-2022. This malware represents a significant threat, showcasing advanced capabilities that could have far-reaching implications for cybersecurity in the region.

Overview of Showboat’s Capabilities

Showboat is described as a modular post-exploitation framework specifically designed for Linux systems. It possesses the ability to spawn a remote shell, transfer files, and operate as a SOCKS5 proxy. According to Lumen Technologies’ Black Lotus Labs, the malware’s architecture allows it to execute various malicious tasks, making it a versatile tool for cyber adversaries.

The malware has been linked to at least one, and potentially multiple, threat activity clusters associated with China. Investigations have revealed connections between command-and-control (C2) nodes and IP addresses traced back to Chengdu, the capital of Sichuan province in China.

Threat Actor Profile: Calypso

One of the prominent threat actors utilizing Showboat is identified as Calypso, also known by aliases such as Bronze Medley and Red Lamassu. This group has been active since at least September 2016, targeting state institutions across several countries, including Brazil, India, Kazakhstan, Russia, Thailand, and Turkey. Calypso was first documented publicly by Positive Technologies in October 2019.

The group employs a range of tools in its operations, including PlugX and various backdoors like WhiteBird and BYEBY. The latter is part of a broader cluster monitored by ESET under the name Mikroceen. Notably, Mikroceen has been linked to another group known as SixLittleMonkeys, which shares operational tactics with the China-linked group Webworm.

Resource Pooling Among Threat Actors

Showboat’s emergence aligns it with other shared frameworks such as PlugX, ShadowPad, and NosyDoor, which have been utilized by multiple groups with ties to China. This phenomenon of “resource pooling” underscores the existence of a digital quartermaster that state-sponsored actors in China rely on for essential tools and malware frameworks.

The investigation into Showboat began with an ELF binary uploaded to VirusTotal in May 2025, which was classified as a sophisticated Linux backdoor with rootkit-like functionalities. Kaspersky has designated this artifact as EvaRAT.

Delivery and Initial Access

The precise method of initial access for Showboat remains unclear. However, historical data indicates that Calypso has previously exploited vulnerabilities, such as utilizing an ASPX web shell after breaching a default remote access account. This tactic highlights the group’s adaptability and resourcefulness in infiltrating targeted networks.

Calypso has also been among the first China-aligned groups to weaponize CVE-2021-26855, a vulnerability in Microsoft Exchange Server that serves as a critical entry point in the exploit chain known as ProxyLogon.

Technical Functionality and Operations

Showboat is engineered to establish communication with a C2 server, collect system information, and relay this data back in an encrypted and Base64-encoded format within a PNG field. Additionally, it can upload and download files from the host machine, conceal its presence from the process list, and manage C2 servers effectively.

To maintain stealth, Showboat retrieves a code snippet hosted on Pastebin, created on January 11, 2022. The malware can also scan for other devices and connect to them via the SOCKS5 proxy, indicating its primary objective is to establish a persistent presence on compromised systems. This capability allows attackers to interact with machines that are not publicly accessible, thereby enhancing their operational reach.

Victims and Geographic Impact

Further analysis of Showboat's infrastructure has identified two victims: an internet service provider (ISP) based in Afghanistan and another unidentified entity in Azerbaijan. A secondary C2 cluster, using X.509 certificates similar to those of the primary server, has revealed potential compromises in the United States and Ukraine.

The presence of such threats serves as an early warning sign, indicating the possibility of broader security issues within affected networks. As noted by Black Lotus Labs, while some threat actors increasingly rely on stealthy, native system tools to evade detection, others continue to deploy persistent malware implants.

Additional Tools in the Campaign

In conjunction with Showboat, Calypso has also utilized a Windows implant known as JFMBackdoor, which is delivered via DLL side-loading. This attack chain involves a batch script that launches a legitimate executable, which subsequently loads the malicious DLL. JFMBackdoor offers a wide array of capabilities, including remote shell access, file operations, network proxying, screenshot capture, and self-removal.

The targeting of Afghanistan’s telecommunications sector aligns with what PricewaterhouseCoopers (PwC) describes as Red Lamassu’s broader operational goals. This focus on critical infrastructure underscores the strategic intent behind such cyber operations.

For more information on this developing story, visit thehackernews.com.
