Showboat Malware
Cybersecurity researchers have uncovered a previously undocumented Linux malware framework known as Showboat, which has been actively deployed against a telecommunications provider in the Middle East since at least mid-2022. The malware operates as a modular post-exploitation toolkit capable of enabling remote shell access, transferring files, and functioning as a SOCKS5 proxy within compromised environments.
Security analysts believe the malware is linked to one or more China-associated threat clusters. Investigators identified connections between the malware's Command-and-Control (C2) infrastructure and IP addresses traced to Chengdu, the capital of China's Sichuan province, strengthening suspicions of Chinese state-sponsored involvement.
Connections to Established China-Linked Threat Operations
One of the groups associated with the activity is Calypso, also known as Bronze Medley and Red Lamassu. The threat actor has been active since at least September 2016 and has historically targeted government and institutional entities across Brazil, India, Kazakhstan, Russia, Thailand, and Turkey. Public reporting on the group first surfaced in 2019 through research published by Positive Technologies.
Calypso has previously relied on malware families such as PlugX, along with backdoors including WhiteBird and BYEBY. The BYEBY malware belongs to a larger operational cluster referred to as Mikroceen, which has also been linked to the SixLittleMonkeys threat cluster. Researchers further noted tactical similarities between SixLittleMonkeys and another China-aligned operation known as Webworm.
The appearance of Showboat alongside shared frameworks such as PlugX, ShadowPad, and NosyDoor highlights a broader trend among China-nexus threat actors: the reuse and distribution of offensive cyber tools across multiple espionage groups. This pattern strongly suggests the existence of a centralized 'digital quartermaster' responsible for supplying malware and operational resources to state-backed operators.
Advanced Linux Backdoor Capabilities Raise Serious Concerns
The investigation began after researchers analyzed an ELF binary uploaded in May 2025 that was initially categorized as a highly advanced Linux backdoor with rootkit-like functionality. The malware sample is also tracked under the name EvaRAT.
Although the precise infection vector remains unknown, previous Calypso intrusions have involved the deployment of ASPX web shells after exploiting vulnerabilities or compromising default remote-access accounts. The group was also among the earliest Chinese threat actors to weaponize CVE-2021-26855, the Microsoft Exchange Server flaw that formed the initial stage of the notorious ProxyLogon exploit chain.
Showboat is engineered to establish communication with remote C2 servers, collect detailed system information, and transmit the harvested data in encrypted and Base64-encoded form hidden within PNG fields. The malware also supports a range of stealth and operational features, including:
- File upload and download functionality
- Process concealment techniques
- C2 server management
- Internal network scanning
- SOCKS5 proxy tunneling for lateral movement
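The report states that Showboat hides encrypted, Base64-encoded data inside PNG fields. The following is an added illustration, not code from the original report or from the malware, of how a defender could triage PNG files for that pattern: it walks the chunk structure, verifies each chunk's CRC, and flags tEXt/zTXt chunks whose payload is one long base64 run. The sample PNG, the `Comment` keyword and the payload string are constructed for the demonstration.

```python
import base64
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
B64_RE = re.compile(rb"\A[A-Za-z0-9+/]{16,}={0,2}\Z")  # long unbroken base64 run

def chunk(ctype: bytes, data: bytes) -> bytes:
    # One PNG chunk: 4-byte length, type, data, CRC32 over type + data.
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def build_sample_png(text_chunks) -> bytes:
    # Constructed 1x1 grayscale PNG carrying the given (keyword, text) tEXt chunks.
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    body = b"".join(chunk(b"tEXt", k + b"\x00" + t) for k, t in text_chunks)
    return PNG_SIG + chunk(b"IHDR", ihdr) + body + chunk(b"IEND", b"")

def sample_exfil_png() -> bytes:
    payload = b"hostname=db01;uid=0"  # constructed; real data would be encrypted first
    return build_sample_png([(b"Comment", base64.b64encode(payload))])

def iter_chunks(png: bytes):
    """Yield (type, data, crc_ok) per chunk; raise on bad signature or truncation."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 12 + length
        if end > len(png):
            raise ValueError("truncated chunk")
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:end])
        yield ctype, data, crc == zlib.crc32(ctype + data)
        pos = end

def suspicious_text_chunks(png: bytes) -> list:
    """Return (type, keyword, payload_len, crc_ok) for text chunks holding base64 blobs."""
    hits = []
    for ctype, data, crc_ok in iter_chunks(png):
        if ctype not in (b"tEXt", b"zTXt"):
            continue
        keyword, _, body = data.partition(b"\x00")
        if ctype == b"zTXt":  # one compression-method byte, then zlib-compressed text
            body = zlib.decompress(body[1:])
        if B64_RE.match(body):
            hits.append((ctype.decode(), keyword.decode(errors="replace"), len(body), crc_ok))
    return hits
```

A failed CRC on a flagged chunk is itself worth noting: legitimate image tools always recompute the CRC, so a mismatch suggests the text field was written by something other than an image editor.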
To evade detection on compromised hosts, Showboat retrieves a code snippet from Pastebin, with researchers tracing the hosted content back to January 11, 2022. Analysts believe the malware’s primary objective is to secure persistent access inside targeted networks, particularly systems isolated from direct internet exposure and reachable only through internal LAN connections.
Expanding Infrastructure Reveals International Victims
Further examination of the threat infrastructure uncovered multiple victim organizations spanning several regions. Researchers identified an Afghanistan-based internet service provider and an additional unidentified organization located in Azerbaijan. A secondary cluster of C2 servers sharing similar X.509 certificates also pointed to possible compromises affecting entities in the United States and Ukraine.
The continued deployment of persistent malware implants demonstrates that, despite the growing use of stealthier 'living off the land' techniques by many threat actors, advanced groups still rely heavily on custom backdoors for long-term access and operational control. Security experts warn that the discovery of malware such as Showboat should be treated as a critical indicator of potentially wider compromise within affected networks.
JFMBackdoor Expands the Campaign Beyond Linux Systems
In addition to Showboat, researchers observed Calypso deploying a fully featured Windows malware implant known as JFMBackdoor during attacks targeting Afghanistan’s telecommunications sector. The malware is delivered through DLL side-loading, a technique that abuses legitimate applications to load malicious dynamic-link libraries.
The infection chain begins with a batch script that launches a trusted executable, which subsequently loads the rogue DLL payload. Once active, JFMBackdoor provides attackers with extensive operational control over compromised systems. Its functionality includes:
- Remote shell execution
- File management operations
- Network proxy capabilities
- Screenshot capture
- Self-removal mechanisms
The focus on Afghanistan and its telecommunications infrastructure aligns closely with the broader strategic objectives previously associated with Red Lamassu operations, reinforcing assessments that the campaign forms part of a larger cyber-espionage effort tied to Chinese threat activity.