Showboat Linux Backdoor Targets Middle East Telecom

Researchers report Showboat, a modular Linux backdoor, has operated against a Middle East telecom since mid-2022, installing a SOCKS5 proxy and persistent remote-access tools.

Showboat, a modular Linux backdoor, has been active against a telecommunications provider in the Middle East since at least mid-2022, security researchers report. The malware can spawn a remote shell, transfer files and run a SOCKS5 proxy to reach machines on internal networks.

Lumen Technologies’ Black Lotus Labs identified the toolset after analysts examined an ELF binary uploaded to VirusTotal in May 2025. The sample is tracked by another vendor under the name EvaRAT. Black Lotus Labs describes Showboat as a post-exploitation framework that gathers system information, moves files and routes traffic through SOCKS5.

The implant contacts command-and-control servers and places encrypted, Base64-encoded telemetry into a PNG field for exfiltration. The malware can upload and download files, hide its process from system listings, manage C2 infrastructure and pull a code snippet from Pastebin dated January 11, 2022, to help conceal itself. The SOCKS5 capability lets operators access hosts that are reachable only over local networks.

Infrastructure analysis by the researchers found correlations between C2 nodes and IP addresses geolocated to Chengdu, Sichuan province. They noted similarities between Showboat and shared tool frameworks previously used by multiple China-aligned groups, and compared the program-sharing pattern to earlier frameworks such as PlugX, ShadowPad and NosyDoor.

Investigators identified multiple confirmed and possible victims. In addition to the Middle East telecommunications provider, Black Lotus Labs found compromises at an Afghanistan-based internet service provider and an unknown entity in Azerbaijan. A secondary C2 cluster that reused similar X.509 certificates was linked to two possible compromises in U.S. networks and one in Ukraine.

Researchers advise monitoring Linux servers and telecom infrastructure for unusual outbound connections, unexpected SOCKS5 activity, anomalous process hiding and unexplained file transfers that could indicate the presence of this backdoor. Black Lotus Labs researcher Danny Adamitis noted, “While some threat actors are increasingly using stealthy, native system tools to evade detection, others still deploy persistent malware implants. The presence of such threats should be taken as an early warning sign, indicating the potential for broader and more serious security issues within affected networks.”
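A small detection helper in the spirit of that advice, added here and not part of the report or of Black Lotus Labs' tooling: it parses the SOCKS5 greeting and request (RFC 1928) at the start of a client-to-server TCP payload and flags requests aimed at private address space, which is the internal-network pivot the backdoor's proxy enables. The sample payloads are constructed for illustration.

```python
"""Flag SOCKS5 proxy handshakes (RFC 1928) in captured client->server payloads."""
import ipaddress
import struct

CMDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}


def parse_socks5_client(data: bytes):
    """Parse a SOCKS5 greeting (+ optional request) at the start of `data`.
    Returns None if the bytes are not SOCKS5, otherwise a dict whose 'command'
    and 'dst' are None when only the greeting has been seen so far."""
    if len(data) < 3 or data[0] != 0x05:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        return None
    info = {"auth_methods": list(data[2:2 + nmethods]), "command": None, "dst": None}
    req = data[2 + nmethods:]                      # bytes after the greeting
    if len(req) < 4 or req[0] != 0x05 or req[2] != 0x00:
        return info                                # no (complete) request yet
    cmd, atyp, body = req[1], req[3], req[4:]
    if cmd not in CMDS:
        return None
    if atyp == 0x01 and len(body) >= 6:            # IPv4 + port
        host, off = str(ipaddress.IPv4Address(body[:4])), 4
    elif atyp == 0x04 and len(body) >= 18:         # IPv6 + port
        host, off = str(ipaddress.IPv6Address(body[:16])), 16
    elif atyp == 0x03 and len(body) >= 1 and len(body) >= 3 + body[0]:  # domain
        host, off = body[1:1 + body[0]].decode("ascii", "replace"), 1 + body[0]
    else:
        return info                                # truncated or unknown ATYP
    info["command"] = CMDS[cmd]
    info["dst"] = (host, struct.unpack("!H", body[off:off + 2])[0])
    return info


def classify_flow(client_payload: bytes) -> str:
    """Label a payload: not SOCKS5, greeting only, external target, or a
    request into private address space (the internal pivot worth alerting on)."""
    info = parse_socks5_client(client_payload)
    if info is None:
        return "not-socks5"
    if info["dst"] is None:
        return "socks5-greeting"
    try:
        if ipaddress.ip_address(info["dst"][0]).is_private:
            return "socks5-internal-pivot"
    except ValueError:                             # domain name, not an IP
        pass
    return "socks5-external"


# Constructed sample payloads (not taken from the report).
SAMPLES = {
    "pivot": b"\x05\x01\x00" + b"\x05\x01\x00\x01" + bytes([10, 0, 0, 5]) + b"\x01\xbb",
    "external": b"\x05\x02\x00\x02" + b"\x05\x01\x00\x03" + bytes([11]) + b"example.com" + b"\x00\x50",
    "http": b"GET / HTTP/1.1\r\n",
}
```

Run `classify_flow` over the first client payload of each new outbound TCP flow from a Linux server; any `socks5-internal-pivot` result from a host that is not a sanctioned proxy deserves a look.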