Showboat Linux Malware Targets Middle East Telecom with SOCKS5 Backdoor
Cybersecurity researchers from Lumen Technologies' Black Lotus Labs have uncovered a Linux malware campaign that has targeted a telecommunications provider in the Middle East since at least mid-2022. The malware, dubbed Showboat, is a modular post-exploitation framework that can spawn remote shells, transfer files, and act as a SOCKS5 proxy backdoor. The researchers attribute the campaign to at least one China-affiliated threat cluster, with command-and-control infrastructure traced to IP addresses in Chengdu, Sichuan Province. One identified actor, Calypso (also tracked as Bronze Medley and Red Lamassu), has been active since September 2016 and has targeted government institutions in Brazil, India, Kazakhstan, Russia, Thailand, and Turkey.
The investigation began when an ELF binary was uploaded to VirusTotal in May 2025 and classified as a Linux backdoor with rootkit-like capabilities; Kaspersky tracks the same artifact as EvaRAT. The initial access vector for this campaign is not known. Calypso has historically exploited CVE-2021-26855, the Microsoft Exchange Server server-side request forgery flaw used in the ProxyLogon chain, and has deployed ASPX web shells after compromising default remote access accounts. Checking whether corporate e-mail addresses appear in public breach data sets can flag reused credentials, but it says nothing about the default remote access accounts and unpatched Exchange servers this actor has actually abused; those need to be reviewed directly.
Showboat communicates with its C2 server to gather system information, transmitting data encoded as Base64 strings within PNG fields. It supports file upload and download, can hide itself from process lists, and retrieves code snippets from Pastebin to mask its presence on compromised systems. The campaign exemplifies the "resource pooling" observed among China-nexus groups, which share tooling such as PlugX, ShadowPad, and NosyDoor through what researchers describe as a "digital quartermaster." Defenders looking for the SOCKS5 backdoor should scan their own hosts for unexpected listening ports and inspect outbound image transfers whose text fields carry Base64 payloads; a DNS leak test only reveals which resolver a host is using and does not surface an exfiltration channel of this kind.
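The report says Showboat carries Base64 strings inside PNG fields but does not say which fields. The following is an added example, not Black Lotus Labs' code or Showboat's, showing how a detection script could walk a PNG's chunk structure and flag text chunks (tEXt, zTXt, iTXt; that these are the carrier is an assumption) whose value is a Base64 blob decoding to printable data. The sample PNGs, the beacon string and the 16-character minimum length are constructed for the example.

```python
import base64
import binascii
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MIN_B64_LEN = 16  # assumption: shorter values are ordinary keywords, not payloads


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte length, type, body, CRC32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_png(extra_chunks):
    """Minimal 1x1 grayscale PNG with caller-supplied chunks before IEND (constructed test data)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, colour type, ...
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
            + b"".join(_chunk(t, b) for t, b in extra_chunks) + _chunk(b"IEND", b""))


def png_chunks(data: bytes):
    """Yield (type, body) for each chunk, verifying the signature and every CRC."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            raise ValueError(f"truncated {ctype!r} chunk")
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, body
        pos += 12 + length
        if ctype == b"IEND":
            break


def text_payload(ctype: bytes, body: bytes):
    """Return (keyword, text) for tEXt/zTXt/iTXt chunks, None for anything else."""
    if ctype == b"tEXt":
        key, _, text = body.partition(b"\x00")
        return key, text
    if ctype == b"zTXt":
        key, _, rest = body.partition(b"\x00")
        return key, zlib.decompress(rest[1:])  # rest[0] is the compression method (0 = zlib)
    if ctype == b"iTXt":
        key, _, rest = body.partition(b"\x00")
        compressed, rest = rest[0], rest[2:]  # compression flag, then compression method
        _lang, _, rest = rest.partition(b"\x00")
        _translated_key, _, text = rest.partition(b"\x00")
        return key, zlib.decompress(text) if compressed else text
    return None


def decode_if_base64(text: bytes):
    """Decode strictly valid Base64 of useful length; return str if the result is mostly printable."""
    compact = b"".join(text.split())
    if len(compact) < MIN_B64_LEN or len(compact) % 4:
        return None
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None
    printable = sum(32 <= b < 127 for b in raw)
    if not raw or printable / len(raw) < 0.9:
        return None
    return raw.decode("ascii", errors="replace")


def scan_png(data: bytes):
    """Return [(keyword, decoded_text)] for every text chunk that carries a Base64 blob."""
    findings = []
    for ctype, body in png_chunks(data):
        parsed = text_payload(ctype, body)
        if parsed is None:
            continue
        key, text = parsed
        decoded = decode_if_base64(text)
        if decoded is not None:
            findings.append((key.decode("latin-1"), decoded))
    return findings


# Constructed samples: a beacon-style string hidden in a tEXt chunk, and a benign comment.
BEACON = b"hostname=tel-gw-01;uid=0;kernel=5.15.0"
SAMPLE_SUSPECT = build_png([(b"tEXt", b"Comment\x00" + base64.b64encode(BEACON))])
SAMPLE_BENIGN = build_png([(b"tEXt", b"Software\x00Created with GIMP 2.10")])

if __name__ == "__main__":
    for name, png in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(name, scan_png(png))
```

Run it over PNGs pulled from a proxy log or a packet capture; the CRC check matters because a file that fails it is either corrupted or not a real image, which is itself worth a look. The printable-ratio threshold is a heuristic that a real deployment would tune against its own baseline of legitimate metadata.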