Cybersecurity researchers have detailed a new Linux malware family called Showboat that has been used against a telecommunications provider in the Middle East since at least mid-2022, with evidence tied to victims in Afghanistan, Azerbaijan, the United States and Ukraine.
KEY FACTS
- Malware: Showboat is a modular post-exploitation framework for Linux systems.
- Capabilities: It can spawn a remote shell, transfer files and act as a SOCKS5 proxy.
- Targets: Infrastructure analysis identified an Afghanistan-based ISP and another victim in Azerbaijan.
- Attribution: The activity is assessed to involve at least one China-linked cluster, including Calypso.
A technical analysis from Lumen Technologies' Black Lotus Labs says the malware first came to light through an ELF binary uploaded to VirusTotal in May 2025. The scanning platform classified the file as a Linux backdoor with rootkit-like features, and Kaspersky tracks the malware as EvaRAT.
The exact initial access method is still unknown. In past operations, the same group has deployed an ASPX web shell after exploiting a vulnerability or after breaking into a default remote-access account.
The report says Showboat contacts a command-and-control server, gathers system information and sends it back in an encrypted, Base64-encoded PNG field. It can also upload and download files, hide from the process list and manage C2 servers.
To conceal itself on the host, the malware retrieves a code snippet from Pastebin. The paste was created on January 11, 2022. It can also scan for other devices and connect to them through the SOCKS5 proxy, which suggests the goal is to maintain a foothold on compromised systems.
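The process-hiding behaviour described above is the kind of thing a defender can check for without any knowledge of the specific implant. The script below is an added illustration, not code from the Black Lotus Labs report: it enumerates PIDs the way a process-listing tool does (numeric entries under /proc), probes the PID space with signal 0 (a process that exists but is not ours answers with EPERM rather than ESRCH, so it is still detectable even when a /proc listing has been filtered), and reports PIDs found by the probe but missing from the listing. The /proc path, the default PID ceiling and the ps-style sample output are assumptions made for the example.

```python
"""Cross-check visible PIDs against probed PIDs to spot process hiding.

Added illustration, not code from the Black Lotus Labs report. A rootkit-style
implant that filters /proc directory listings can still be reached by
kill(pid, 0): the call succeeds or fails with EPERM when the process exists,
and fails with ESRCH when it does not. Anything the probe finds that the
listing omits deserves a closer look.
"""
import os
import re

PROC_DIR = "/proc"  # assumption: a standard Linux procfs mount


def pids_from_listing() -> set[int]:
    """Enumerate PIDs the way ps does: numeric directory names under /proc."""
    return {int(name) for name in os.listdir(PROC_DIR) if name.isdigit()}


def parse_ps_output(text: str) -> set[int]:
    """Parse the first column of `ps -eo pid` style output into a PID set."""
    pids = set()
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\b", line)
        if m:
            pids.add(int(m.group(1)))
    return pids


def pid_exists(pid: int) -> bool:
    """Probe a PID with signal 0; EPERM still means the process exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:  # ESRCH: no such process
        return False
    except PermissionError:     # EPERM: exists, owned by someone else
        return True
    return True


def pids_from_probe(max_pid: int) -> set[int]:
    """Brute-force probe every PID from 1 up to max_pid (assumed ceiling)."""
    return {pid for pid in range(1, max_pid + 1) if pid_exists(pid)}


def hidden_pids(visible: set[int], probed: set[int]) -> set[int]:
    """PIDs reachable by the probe but absent from the listing.

    Short-lived processes can exit between the two passes and show up as
    visible-but-not-probeable; that direction is noise. Only the
    probed-but-not-visible set is suspicious.
    """
    return probed - visible


def scan(max_pid: int = 32768) -> set[int]:
    """Run both enumeration passes on the live host and return suspects.

    32768 is the classic default for kernel.pid_max; read the real value from
    /proc/sys/kernel/pid_max on hosts where it has been raised.
    """
    return hidden_pids(pids_from_listing(), pids_from_probe(max_pid))


if __name__ == "__main__":
    # Constructed sample: a ps-style listing that omits PID 4242 while the
    # probe found it, i.e. what a filtered /proc would look like.
    SAMPLE_PS = "  PID\n    1\n  812\n 1337\n"
    listed = parse_ps_output(SAMPLE_PS)
    print("hidden in sample:", sorted(hidden_pids(listed, {1, 812, 1337, 4242})))
    print("live host suspects:", sorted(scan()))
```

Run it as root to avoid EPERM noise being the only signal you get, and treat a non-empty result as a lead rather than a verdict: compare the suspect PIDs against /proc/<pid>/status read directly by number, which a listing filter typically does not block.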
Further analysis uncovered a separate Windows implant called JFMBackdoor that is delivered through DLL side loading. It supports remote shell access, file operations, network proxying, screenshot capture and self-removal.
The disclosure says the targeting of Afghanistan and its telecommunications sector aligns with wider operational goals linked to Red Lamassu. The presence of persistent implants on telecom networks can give attackers access to internal systems that are not exposed to the internet.
WHY IT MATTERS
The campaign shows how Linux and Windows malware can be combined to maintain access inside telecom networks and move laterally across internal systems. It also adds to evidence that multiple China-linked groups may share tooling and infrastructure for long-term espionage operations.