Showboat Malware Targets Telecoms in China-Aligned Cyber Espionage Campaign
Severity: High (Score: 75.5)
Sources: www.pwc.com, Cybernews, censys.com, Darkreading, Bleepingcomputer
Keywords: showboat, chinese, linux, calypso, asia, windows, malware
Severity indicators: malware
Summary
A new Linux malware family named Showboat has been discovered, targeting telecommunications firms primarily in the Middle East and Central Asia since mid-2022. Researchers from Lumen's Black Lotus Labs and PwC identified Showboat as part of a campaign linked to the China-based threat actor Red Lamassu (Calypso). The malware operates as a post-exploitation framework, allowing attackers to maintain persistence, conduct file transfers, and act as a SOCKS5 proxy. It has been associated with multiple command-and-control nodes in Chengdu, China. The malware's stealthy nature is underscored by its ability to conceal its processes and retrieve code from external sources. Victims include telecommunications providers in Afghanistan, Kazakhstan, and potentially the U.S. and Ukraine. The campaign highlights the ongoing risk posed by state-aligned actors leveraging shared tools for espionage.

Key Points:
- Showboat malware has targeted telecom firms in the Middle East and Central Asia since mid-2022.
- Linked to the China-based threat actor Red Lamassu, also known as Calypso.
- Malware features include SOCKS5 proxy functionality and process concealment.
Detailed Analysis
**Impact**
Telecommunications providers across the Asia Pacific and Middle East regions, including entities in Afghanistan, Kazakhstan, India, Azerbaijan, and potentially the U.S. and Ukraine, have been targeted since at least mid-2022. The campaign affects Linux-based systems primarily within telecom infrastructure, with additional Windows systems targeted via related malware. The operation enables long-term espionage, risking sensitive communications data and internal network integrity across multiple countries.

**Technical Details**
The campaign uses a modular Linux post-exploitation framework called Showboat (also known as kworker or EvaRAT) and a Windows backdoor named JFMBackdoor, deployed via DLL side-loading. Showboat collects host information, hides processes using code retrieved from external sites such as Pastebin, and establishes SOCKS5 proxy tunnels for lateral movement. Command-and-control infrastructure is linked to IP addresses in Chengdu, China, and includes telecom-themed domains. Initial infection vectors remain unknown. The malware communicates encrypted data in PNG fields and supports file transfer, remote shell, and persistence via new services. Indicators include IP 23.27.201[.]160 and TLS certificate 27df475626aafce2ea1548a9f35efb9ad951298c8b11a6adb3ccdfcd5170c677.

**Recommended Response**
Monitor for network traffic involving SOCKS5 proxy connections and unusual process-hiding behaviour, especially on Linux telecom infrastructure. Block and investigate connections to known C2 IPs such as 23.27.201[.]160 and domains impersonating telecom providers. Deploy detection rules for DLL side-loading techniques and batch script execution similar to the observed infection chain. Since the initial access vector is unknown, emphasize network segmentation and internal traffic monitoring to detect lateral movement. No specific CVEs or patches have been identified for immediate application.
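As an added defender-side example (not code from Lumen, PwC or any of the cited articles), the following Python matches a constructed flow log against the C2 IPs and domains listed under "Related entities" on this page and flags RFC 1928 SOCKS5 client greetings sent to hosts outside an approved-proxy list, which is the SOCKS5 tunnelling the response guidance asks defenders to watch for. The log format, the internal addresses and the approved-proxy set are assumptions.

```python
import re
# Network indicators taken from this page's "Related entities" list.
C2_IPS = {"23.27.201.160", "23.27.201.115", "139.180.223.193",
          "166.88.11.196", "64.227.128.21"}
C2_DOMAINS = {"fltlib.dll.it", "namefuture.site", "newsprojects.online",
              "telecom.webredirect.org", "xcent.online"}
APPROVED_PROXIES = {"10.0.0.5"}  # hypothetical site-specific SOCKS5 allow-list

# Constructed (hypothetical) flow-log line: <ts> <src> -> <dst>:<port> sni=<host|-> first=<hex|->
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:]+):(?P<port>\d+) "
                     r"sni=(?P<sni>\S+) first=(?P<first>\S+)$")

def is_socks5_greeting(payload: bytes) -> bool:
    """RFC 1928 client greeting: VER=0x05, NMETHODS, then exactly NMETHODS method bytes."""
    return len(payload) >= 3 and payload[0] == 0x05 and len(payload) == 2 + payload[1]

def classify(line: str) -> list:
    """Return the detections for one flow-log line (empty list if nothing matched)."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparsed-line"]
    hits = []
    if m["dst"] in C2_IPS:
        hits.append("known-c2-ip:" + m["dst"])
    sni = m["sni"]
    if any(sni == d or sni.endswith("." + d) for d in C2_DOMAINS):
        hits.append("known-c2-domain:" + sni)
    # A SOCKS5 greeting to anything but an approved proxy is the tunnelling the advisory flags.
    if (m["first"] != "-" and is_socks5_greeting(bytes.fromhex(m["first"]))
            and m["dst"] not in APPROVED_PROXIES):
        hits.append("socks5-to-unapproved-host:" + m["dst"])
    return hits

def scan(log_text: str) -> list:
    """Return (line, detections) pairs for every line that produced a detection."""
    results = [(ln, classify(ln)) for ln in log_text.splitlines() if ln]
    return [(ln, hits) for ln, hits in results if hits]

# Constructed sample flows; the internal addresses and timestamps are invented.
SAMPLE_LOG = """\
2026-05-21T10:00:01Z 10.1.2.3 -> 23.27.201.160:443 sni=- first=-
2026-05-21T10:00:02Z 10.1.2.3 -> 203.0.113.9:443 sni=telecom.webredirect.org first=160301
2026-05-21T10:00:03Z 10.1.2.4 -> 10.1.2.9:8443 sni=- first=050100
2026-05-21T10:00:04Z 10.1.2.4 -> 10.0.0.5:1080 sni=- first=050100
2026-05-21T10:00:05Z 10.1.2.5 -> 198.51.100.7:443 sni=example.com first=160301
"""
```

Running `scan(SAMPLE_LOG)` flags the first three flows and leaves the greeting to the approved proxy and the ordinary TLS connection alone; the `first=` field stands in for whatever first-payload capture a sensor actually provides.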
Source articles (8)
- Chinese hackers target telcos with new Linux, Windows malware — Bleepingcomputer · 2026-05-21
  A Chinese cyber-espionage campaign has been targeting telecommunications providers with newly discovered Linux and Windows malware dubbed Showboat and JFMBackdoor, respectively. The operation has been…
- Using Cobalt Strike To Find More Cobalt Strike — censys.com · 2026-05-21
- Shadowpad A Masterpiece Of Privately Sold Malware In Chinese Espionage — www.sentinelone.com · 2026-05-21
- China-linked hackers deploy new "Showboat" malware against telecom firms — Cybernews · 2026-05-22
  A newly discovered malware family – dubbed “Showboat” – is targeting telecom providers worldwide in what researchers say is part of a stealth cyber espionage campaign likely linked to Chinese nation-s…
- New Linux malware 'Showboat' targets Middle East telecom provider | brief — Scworld · 2026-05-22
  As detailed in The Hacker News, a new Linux malware named Showboat has been identified by Lumen Technologies Black Lotus Labs, actively targeting a telecommunications provider in the Middle East since…
- Chinese APTs Share Linux Backdoor in Central Asia Telco Attacks — Darkreading · 2026-05-21
  "Showboat" doesn't show off, but…
- PricewaterhouseCoopers’ (PwC) Threat Intelligence — www.pwc.com · 2026-05-22
  PwC Threat Intelligence has been tracking a China-based threat actor we call Red Lamassu (a.k.a. Calypso) since 2019, observing its operations targeting telecommunications and government entities acro…
- Introducing Showboat: A new malware family taunts defenses and targets international telecom firms — Lumen · 2026-05-21
  Black Lotus Labs®, the threat research team at Lumen, has uncovered a previously unreported Linux malware family called Showboat, used in a campaign targeting telecommunications organizations across m…
Timeline
- 2022-06-01 — Showboat malware first deployed: Showboat began targeting telecommunications providers, with operations linked to Red Lamassu.
- 2025-07-01 — Open directory discovered: PwC identified an open directory containing Showboat samples during their investigation of Red Lamassu.
- 2026-05-21 — Showboat publicly reported: Lumen and PwC released findings on Showboat, detailing its capabilities and targets.
- 2026-05-21 — PwC analysis of Red Lamassu: PwC published an analysis of Red Lamassu's operations, including the use of Showboat and JFMBackdoor.
- 2026-05-21 — Showboat's capabilities detailed: Researchers outlined Showboat's functions, including file transfer and process concealment.
Related entities
- Calypso (Apt Group)
- Red Lamassu (Apt Group)
- Malware (Attack Type)
- Afghanistan (Country)
- Azerbaijan (Country)
- China (Country)
- India (Country)
- Kazakhstan (Country)
- Turkey (Country)
- Ukraine (Country)
- United States (Country)
- Vietnam (Country)
- fltlib.dll.it (Domain)
- namefuture.site (Domain)
- newsprojects.online (Domain)
- telecom.webredirect.org (Domain)
- xcent.online (Domain)
- Telecommunications (Industry)
- 139.180.223.193 (Ipv4)
- 166.88.11.196 (Ipv4)
- 23.27.201.115 (Ipv4)
- 23.27.201.160 (Ipv4)
- 64.227.128.21 (Ipv4)
- BPFDoor (Malware)
- EvaRAT (Malware)
- JFMBackdoor (Malware)
- Kworker (Malware)
- PlugX (Malware)
- ShadowPad (Malware)
- Showboat (Malware)
- NosyDoor (Malware)
- Poisonivy (Malware)
- T1041 - Exfiltration Over C2 Channel (Mitre Attack)
- T1057 - Process Discovery (Mitre Attack)
- T1059.001 - PowerShell (Mitre Attack)
- T1059.003 - Windows Command Shell (Mitre Attack)
- T1071 - Application Layer Protocol (Mitre Attack)
- T1082 - System Information Discovery (Mitre Attack)
- T1090 - Proxy (Mitre Attack)
- T1105 - Ingress Tool Transfer (Mitre Attack)
- T1113 - Screen Capture (Mitre Attack)
- T1543.003 - Windows Service (Mitre Attack)
- T1564.001 - Hidden Files And Directories (Mitre Attack)
- T1574 - Hijack Execution Flow (Mitre Attack)
- Linux (Platform)
- Windows (Platform)
- PowerShell (Tool)