Showboat Malware Targets Telecoms in China-Aligned Cyber Espionage Campaign

Showboat Malware Targets Telecoms in China-Aligned Cyber Espionage Campaign

First seen 21 May 2026, 14:45 UTC DarkreadingBleepingcomputerLumenScworldCybernews+4 85% similarity 75.5

Article Content

Browse articles
ThreatCluster

A new Linux malware family named Showboat has been discovered, targeting telecommunications firms primarily in the Middle East and Central Asia since mid-2022. Researchers from Lumen's Black Lotus Labs and PwC identified Showboat as part of a campaign linked to the China-based threat actor Red Lamassu (Calypso). The malware operates as a post-exploitation framework, allowing attackers to maintain persistence, conduct file transfers, and act as a SOCKS5 proxy. It has been associated with multiple command-and-control nodes in Chengdu, China. The malware's stealthy nature is underscored by its ability to conceal its processes and retrieve code from external sources. Victims include telecommunications providers in Afghanistan, Kazakhstan, and potentially the U.S. and Ukraine. The campaign highlights the ongoing risk posed by state-aligned actors leveraging shared tools for espionage.

Key Points: • Showboat malware targets telecom firms in the Middle East and Central Asia since mid-2022. • Linked to the China-based threat actor Red Lamassu, also known as Calypso. • Malware features include SOCKS5 proxy functionality and process concealment.

ThreatCluster AI

Timeline

2022-06-01
Showboat malware first deployed
Showboat began targeting telecommunications providers, with operations linked to Red Lamassu.
Lumen
2025-07-01
Open directory discovered
PwC identified an open directory containing Showboat samples during their investigation of Red Lamassu.
PwC
2026-05-21
Showboat publicly reported
Lumen and PwC released findings on Showboat, detailing its capabilities and targets.
Lumen
2026-05-21
PwC analysis of Red Lamassu
PwC published an analysis of Red Lamassu's operations, including the use of Showboat and JFMBackdoor.
PwC
2026-05-21
Showboat's capabilities detailed
Researchers outlined Showboat's functions, including file transfer and process concealment.
BleepingComputer

Community

Browse all →