CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 21, 2026

Showboat Linux Malware Hits Middle East Telecom with SOCKS5 Proxy Backdoor

The Hacker News Archived May 21, 2026 ✓ Full text saved

Cybersecurity researchers have disclosed details of a new Linux malware dubbed Showboat that has been put to use in a campaign targeting a telecommunications provider in the Middle East since at least mid-2022. "Showboat is a modular post-exploitation framework designed for Linux systems, capable of spawning a remote shell, transferring files, and functioning as a SOCKS5 proxy," Lumen

Full text archived locally
✦ AI Summary · Claude Sonnet


    Showboat Linux Malware Hits Middle East Telecom with SOCKS5 Proxy Backdoor Ravie LakshmananMay 21, 2026Cyber Espionage / Threat Intelligence Cybersecurity researchers have disclosed details of a new Linux malware dubbed Showboat that has been put to use in a campaign targeting a telecommunications provider in the Middle East since at least mid-2022. "Showboat is a modular post-exploitation framework designed for Linux systems, capable of spawning a remote shell, transferring files, and functioning as a SOCKS5 proxy," Lumen Technologies Black Lotus Labs said in a report shared with The Hacker News. It's assessed that the malware has been employed by at least one, and possibly more, threat activity clusters affiliated with China, with correlations identified between command-and-control (C2) nodes and IP addresses geolocated to Chengdu, the capital city of the Chinese province of Sichuan. This puts Showboat along with other shared frameworks like PlugX, ShadowPad, and NosyDoor that have been used by multiple China-nexus groups. This "resource pooling" reinforces the presence of a digital quartermaster that state-sponsored threat actors from China have relied on to supply them with necessary tooling. The starting point of the investigation was an ELF binary that was uploaded to VirusTotal in May 2025, with the malware scanning platform classifying it as a sophisticated Linux backdoor with rootkit-like capabilities. Kaspersky is tracking the artifact as EvaRAT. The malware is designed to contact a C2 server, gather system information, and transmit the information back to the server in a PNG field as an encrypted and Base64-encoded string. It's also equipped to upload and download files to and from the host machine, conceal its presence from the process list, and manage C2 servers. To hide itself on the host machine, Showboat retrieves a code snippet hosted on Pastebin. The paste was created on January 11, 2022. Furthermore, the malware can scan for other devices and connect to them via the SOCKS5 proxy. This suggests that the primary purpose of Showboat is to establish a foothold on compromised systems. "This would allow the attackers to interact with machines that are not exposed publicly to the internet and only accessible via the LAN," Black Lotus Labs said. Further infrastructure analysis has uncovered two victims: an Afghanistan-based internet service provider (ISP) and another unknown entity located in Azerbaijan. A secondary C2 cluster using similar X.509 certificates as the original C2 server has uncovered two possible compromises in the U.S. and one in Ukraine. "While some threat actors are increasingly using stealthy, native system tools to evade detection, others still deploy persistent malware implants," Black Lotus Labs researcher Danny Adamitis said. "The presence of such threats should be taken as an early warning sign, indicating the potential for broader and more serious security issues within affected networks." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  china, cyber espionage, cybersecurity, linux, Malware, rootkit, Threat Intelligence ⚡ Top Stories This Week New Fragnesia Linux Kernel LPE Grants Root Access via Page Cache Corruption Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor [Webinar] How Modern Attack Paths Cross Code, Pipelines, and Cloud Microsoft Patches 138 Vulnerabilities, Including DNS and Netlogon RCE Flaws ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI and More Packages New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution 18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE Microsoft's MDASH AI System Finds 16 Windows Flaws Fixed in Patch Tuesday Four OpenClaw Flaws Enable Data Theft, Privilege Escalation, and Persistence Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin Access ThreatsDay Bulletin: PAN-OS RCE, Mythos cURL Bug, AI Tokenizer Attacks, and 10+ Stories Hackers Used AI to Develop First Known Zero-Day 2FA Bypass for Mass Exploitation Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email Load More ▼ ⭐ Featured Resources [Guide] Stop Email Fraud Before It Turns Into Ransomware Damage Identify Internal Attack Surfaces More Efficiently With a Free Assessment [Webinar] Learn How to Handle Critical SOC Alerts With AI Support [eBook] Get the 3-Number SOC Diagnostic to Reduce Queue Risk
    💬 Team Notes
    Article Info
    Source
    The Hacker News
    Category
    ◇ Industry News & Leadership
    Published
    May 21, 2026
    Archived
    May 21, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗