Cybersecurity researchers have disclosed details of a new Linux malware, tracked as Showboat, that has been used in a targeted campaign against a telecommunications company in the Middle East since mid-2022.
Showboat is described as a modular post-exploitation framework for Linux systems, capable of spawning a remote shell, transferring files, and operating as a SOCKS5 proxy. The malware is believed to have been deployed by threat actors affiliated with China, with connections to IP addresses located in Chengdu, Sichuan.
One of the threat actors linked to the use of Showboat is Calypso, also known as Bronze Medley and Red Lamassu, which has been active since at least September 2016. This group has targeted state institutions in various countries, including Brazil, India, Kazakhstan, Russia, Thailand, and Turkey.
The malware’s capabilities and tactics align it with other tools used by China-based threat groups, such as PlugX, ShadowPad, and NosyDoor. This suggests a coordinated effort by state-sponsored actors to equip themselves with the necessary resources for cyber operations.
The investigation into Showboat began with the discovery of an ELF binary uploaded to VirusTotal in May 2025, which was classified as a sophisticated Linux backdoor with rootkit-like features. Kaspersky tracks the same artifact under the name EvaRAT.
The initial access vector used to distribute the malware remains unknown, but past observations suggest that Calypso has leveraged web shells and vulnerabilities to gain entry into systems. Showboat is designed to communicate with a command-and-control server, gather system information, evade detection, and establish a foothold on compromised systems.
Infrastructure analysis has revealed victims in Afghanistan, Azerbaijan, the U.S., and Ukraine, indicating that the campaign's reach extends well beyond a single target. The presence of persistent malware implants underscores the importance of continued vigilance against such threats.
In addition to Showboat, Calypso has deployed a Windows implant named JFMBackdoor in the campaign targeting the Afghan telecommunications sector. This implant supports various functions, including remote access, file operations, network proxying, and self-removal.
The targeting of telecommunications companies in Afghanistan aligns with the broader objectives of threat actors like Red Lamassu, highlighting the ongoing cybersecurity challenges faced by organizations in the region.
Overall, the discovery of Showboat and related malware highlights the need for enhanced cybersecurity measures to protect against evolving threats from sophisticated threat actors.