
Cybersecurity researchers have revealed details of a new Linux malware called Showboat that has been used in campaigns targeting telecommunications providers in the Middle East since at least mid-2022.
“Showboat is a modular post-exploitation framework designed for Linux systems that can spawn remote shells, transfer files, and act as a SOCKS5 proxy,” Lumen Technologies Black Lotus Labs said in a report shared with The Hacker News.
The malware is assessed to have been used by at least one, and possibly more, threat activity clusters linked to China, based on a correlation between command-and-control (C2) nodes and IP addresses located in Chengdu, the capital of China’s Sichuan province.
This places Showboat alongside other shared frameworks such as PlugX, ShadowPad, and NosyDoor that are used by multiple China-linked groups. Such a “pool of resources” reinforces the picture of digital quartermasters that Chinese state-sponsored attackers have relied on to supply the necessary tooling.
The starting point for the investigation was an ELF binary uploaded to VirusTotal in May 2025, which the malware scanning platform classified as an advanced Linux backdoor with rootkit-like functionality. Kaspersky Lab tracks this artifact as EvaRAT.
The malware is designed to connect to a C2 server, collect system information, and send that information to the server as an encrypted, Base64-encoded string in a PNG field. It also has the ability to upload and download files to and from the host machine, hide its presence from the process list, and manage the C2 server.
Showboat retrieves code snippets hosted on Pastebin to hide itself on the host machine; the paste in question was created on January 11, 2022. Additionally, the malware is able to scan other devices and connect to them via SOCKS5 proxies. This suggests that Showboat’s primary purpose is to establish a foothold on a compromised system and pivot from it.

“This allows an attacker to interact with a machine that is not exposed to the Internet and only accessible via the LAN,” Black Lotus Labs said.
Further infrastructure analysis revealed two victims: an Internet Service Provider (ISP) based in Afghanistan and another, unidentified organization located in Azerbaijan. A secondary C2 cluster sharing a similar X.509 certificate with the original C2 server pointed to two possible breaches in the United States and one in Ukraine.
“While some attackers are increasingly using stealthy native system tools to avoid detection, others are still deploying persistent malware implants,” said Danny Adamitis, a researcher at Black Lotus Labs. “The presence of such threats should be viewed as an early warning sign of the potential for broader and more serious security issues within the affected network.”
