Cybersecurity experts have revealed a new threat in the form of a Linux-based malware named Showboat, which has been targeting a telecommunications company in the Middle East since mid-2022. This malware is particularly concerning due to its advanced capabilities and potential connections to Chinese cyber espionage groups.
Modular Framework and Capabilities
Showboat is identified as a sophisticated post-exploitation framework. Designed specifically for Linux systems, it is capable of initiating a remote shell, transferring files, and acting as a SOCKS5 proxy. According to Lumen Technologies' Black Lotus Labs, the malware's modular nature makes it a powerful tool for attackers.
The malware has been associated with several threat clusters possibly linked to China. These clusters have been identified through connections between command-and-control (C2) nodes and IP addresses traced back to Chengdu, China. This pattern aligns Showboat with other well-known frameworks like PlugX and ShadowPad, commonly used by Chinese state-sponsored actors.
Investigation and Technical Analysis
The investigation into Showboat began with an ELF binary uploaded to VirusTotal in May 2025. The platform classified it as a sophisticated Linux backdoor with rootkit-like features. Kaspersky has labeled this variant as EvaRAT, highlighting its advanced nature.
The malware communicates with a C2 server, collecting system information and sending it back in an encrypted format. It can also transfer files, conceal its processes, and manage connections to other devices through its SOCKS5 proxy capability. This functionality suggests that Showboat’s main objective is to establish a persistent presence on compromised systems.
Broader Implications and Security Concerns
Further investigation identified additional victims, including an ISP in Afghanistan and an unidentified entity in Azerbaijan. A secondary C2 cluster, using similar certificates, indicated possible compromises in the U.S. and Ukraine, pointing to a broader reach of the attack.
While some attackers favor native system tools for stealth, others, like those using Showboat, employ persistent malware implants. Black Lotus Labs researcher Danny Adamitis emphasized that such threats should be viewed as early warnings of potential larger security issues in affected networks.
The discovery of Showboat underscores the ongoing challenges of cybersecurity in the telecommunications sector, particularly regarding nation-state-backed threats. Organizations must remain vigilant and implement robust security measures to protect against such sophisticated attacks.
