Showboat Linux Malware Hits Middle East Telecom with SOCKS5 Proxy Backdoor

Researchers uncovered Showboat, a modular Linux post-exploitation framework used since at least mid-2022 in attacks against a telecommunications provider in the Middle East and related victims in Afghanistan, Azerbaijan, the U.S., and Ukraine. The activity is linked to China-aligned clusters such as Calypso, and the shared tooling and infrastructure suggest a broader resource-pooling ecosystem.

#Showboat #Calypso #RedLamassu #Mikroceen #PlugX #ShadowPad #NosyDoor #JFMBackdoor

Key points

  • Showboat is a modular Linux framework with remote shell, file transfer, and SOCKS5 proxy features.
  • The malware has been linked to China-affiliated threat activity clusters, including Calypso.
  • Researchers connected Showboat to infrastructure and victims in multiple countries, including Afghanistan and Azerbaijan.
  • Showboat hides its presence by using a Pastebin-hosted code snippet and encrypted C2 communication.
  • Calypso also deployed the Windows implant JFMBackdoor using DLL side-loading in the same campaign.

Read More: https://thehackernews.com/2026/05/showboat-linux-malware-hits-middle-east.html