Showboat Malware Targets Middle Eastern Telecoms, Linked to Chinese Threat Actors
A new Linux malware named **Showboat** has been discovered targeting a telecommunications provider in the Middle East since mid-2022. Researchers at **Lumen Technologies Black Lotus Labs** have linked the malware to Chinese threat actors, highlighting a growing trend of resource pooling among these groups.
Cybersecurity researchers have uncovered a sophisticated Linux malware dubbed **Showboat**, actively deployed in a campaign targeting a telecommunications provider in the Middle East since at least mid-2022.

### Showboat: A Modular Post-Exploitation Framework
"Showboat is a modular post-exploitation framework designed for Linux systems, capable of spawning a remote shell, transferring files, and functioning as a SOCKS5 proxy," **Lumen Technologies Black Lotus Labs** stated in their report.
The malware is believed to be used by one or more threat groups associated with China. Command-and-control (C2) nodes have been linked to IP addresses located in Chengdu, Sichuan, China.
### Calypso's Involvement
One such threat actor is **Calypso** (aka Bronze Medley and Red Lamassu), known for targeting state institutions across various countries since at least 2016. **Calypso's** toolkit includes PlugX and backdoors like WhiteBird and BYEBY, the latter being associated with Mikroceen and the group SixLittleMonkeys, which shares overlaps with **Webworm**.
This positions **Showboat** alongside other shared frameworks like PlugX, ShadowPad, and NosyDoor, used by multiple China-linked groups. This resource pooling suggests a "digital quartermaster" supporting state-sponsored Chinese threat actors.
### Technical Analysis and EvaRAT
The investigation began with an ELF binary uploaded to VirusTotal in May 2025, identified as a sophisticated Linux backdoor with rootkit capabilities. **Kaspersky** is tracking this artifact as EvaRAT.

**Black Lotus Labs** security researcher Danny Adamitis noted that the initial access vector remains unknown. However, **Calypso** has previously used ASPX web shells after exploiting vulnerabilities or compromising default accounts for remote access. Notably, the group was also among the first to weaponize **CVE-2021-26855**, a **Microsoft Exchange Server** vulnerability used in the ProxyLogon exploit chain.
### Showboat's Capabilities
The malware is designed to communicate with a C2 server, collect system information, and transmit it back in a PNG field as an encrypted, Base64-encoded string. It can also upload/download files, hide from process lists, and manage C2 servers.
To conceal itself, **Showboat** retrieves code from a Pastebin entry (created January 11, 2022). It can also scan for and connect to other devices via its SOCKS5 proxy, indicating that its purpose is to establish a foothold on compromised systems.
### Victims and Infrastructure
Infrastructure analysis revealed two victims: an Afghanistan-based ISP and an unknown entity in Azerbaijan. A secondary C2 cluster, using similar X.509 certificates, suggests compromises in the U.S. and Ukraine.
"While some threat actors are increasingly using stealthy, native system tools to evade detection, others still deploy persistent malware implants," Adamitis stated. "The presence of such threats should be taken as an early warning sign, indicating the potential for broader and more serious security issues within affected networks."
### JFMBackdoor and Broader Objectives
**Calypso** also used JFMBackdoor, a fully featured Windows implant delivered via DLL side-loading, in the campaign targeting the Afghan telecommunications provider.
The attack chain involves a batch script launching a legitimate executable that loads the malicious DLL. JFMBackdoor offers remote shell access, file operations, network proxying, screenshot capture, and self-removal capabilities.
**PricewaterhouseCoopers (PwC)** noted in a coordinated report, "The targeting of Afghanistan and its telecommunications sector aligns with what we assess to almost certainly be Red Lamassu's wider operational goals and objectives."