Chinese APTs Share Linux Backdoor in Central Asia Telco Attacks
Dark ReadingArchived May 21, 2026✓ Full text saved
"Showboat" doesn't show off, but clearly it doesn't need to, as it's long helped China spy on small market communications providers.
Full text archived locally
✦ AI Summary· Claude Sonnet
THREAT INTELLIGENCE
CYBERATTACKS & DATA BREACHES
CYBER RISK
ENDPOINT SECURITY
NEWS
Breaking cybersecurity news, news analysis, commentary, and other content from around the world, with an initial focus on the Middle East & Africa and the Asia Pacific
Chinese APTs Share Linux Backdoor in Central Asia Telco Attacks
"Showboat" doesn't show off, but clearly it doesn't need to, as it's long helped China spy on small market communications providers.
Nate Nelson,Contributing Writer
May 21, 2026
4 Min Read
SOURCE: MARK SUMMERFIELD VIA ALAMY STOCK PHOTO
For years now, Chinese state-aligned hackers have been spying on telecommunications companies in Central Asia and beyond, using a newly discovered Linux post-exploitation framework.
The malware is called "Showboat," or "kworker." Black Lotus Labs observed different clusters of Showboat activity against totally dissimilar targets — from an Internet service provider (ISP) in Afghanistan to an unknown IP in the disputed Donbas region of eastern Ukraine — suggesting that Chinese advanced persistent threats (APTs) are trading it around.
At least one of those APTs is Calypso, according to PricewaterhouseCoopers (PwC). First observed in 2019, Calypso is one of China's lesser-discussed espionage groups, perhaps because its activity occurs in countries where Western cybersecurity companies have less visibility on average: Afghanistan, Kazakhstan, Turkey, and India, for example. Calypso uses Showboat alongside a Windows backdoor of roughly similar sophistication, called "JFMBackdoor."
Related:Tropic Trooper APT Takes Aim at Home Routers, Japanese Targets
The Showboat Exploitation Framework
Showboat is a useful but unexceptional spy tool, which makes it all the more surprising that Chinese threat groups have used it in total secrecy, gathering what might amount to serious geopolitical intelligence for four years running.
Its most significant trick, arguably, is its ability to scan for and then infect devices on a local area network (LAN) that aren't otherwise connected to the public Internet. "So if you do happen to find this in your network, there's probably a whole lot of other bad stuff in the network, and you're about to have a very long weekend," says Danny Adamitis, principal information security engineer at Black Lotus Labs.
Though perfectly capable, Showboat hardly goes toe-to-toe with China's top-of-the-line telco malware. BPFdoor, for example, is an expert in living-off-the-land, almost imperceptibly concealing its command-and-control (C2) traffic in HTTPS requests and Internet Control Message Protocol (ICMP) pings. In Adamitis' assessment, Showboat "is not the best backdoor I've ever seen. To me this feels like almost a newer version of a ShadowPad where it's just [notable for] kind of cool capabilities."
Yet Showboat's banality could be as much a design feature as a flaw. After all, why invest in a highly complex, bespoke tool when something simple and easy gets the job done? Evidence suggests that the malware has been around since at least mid-2022, but by the time the researchers got to it this year, it registered a grand total of zero detections on VirusTotal (VT): as little as any ultra-stealthy, bespoke, native spy multitool that even the best Typhoon has access to.
Related:Africa Relinquishes Cyberattack Lead to Latin America — For Now
"You don't necessarily always have to write your backdoors exclusively in assembly and do a weird matching packet thing over ICMP," Adamitis says. "It appears as though they're still having a moderate degree of success with something that, in my mind, is a little bit more run of the mill."
Where Showboat isn't the right tool, the threat actors that use it can dip into a pool of malware shared broadly among Chinese threat actors. "Red Lamassu (a.k.a. Calypso) has historically used PlugX, a malware family widely shared and reused across multiple China-based threat actors," notes PwC threat intelligence analyst Daniel van Apeldoorn. These days, he adds, "it can tailor its toolset, deploying a Linux backdoor in Linux-heavy environments (such as telecommunications infrastructure, which often runs on Unix-based systems) and a Windows backdoor when targeting corporate or enterprise environments where Windows is dominant."
China's Malware Experiments
Black Lotus Labs researcher Ryan English expands on Adamitis' point. "What China likes to do is they'll designate certain parts of the world as kind of a laboratory. They'll test [malware] against perfectly updated virtual systems, then they'll bring it out into the real world in a small market test. Does this work against that bank in Africa? Does this work against that telco in Vietnam? And if it does, they're feeling more confident to bring it out to more serious targets."
Related:Russia's Forest Blizzard Nabs Rafts of Logins via SOHO Routers
At least some of the data seems to support the interpretation that Showboat was conceived of as a small market solution.
Black Lotus Labs tracked multiple, apparently separate Chinese threat clusters passing it around, without committing to it for long, high-value campaigns against any targets of supreme value. For example, one threat cluster seemed to use Showboat rather randomly, connecting at different times to IP addresses in the US and in the Donbas region. Another deployed it against organizations in countries with less mature cybersecurity on average: an ISP from Afghanistan, and other unnamed victims in Azerbaijan and the Middle East. Meanwhile, the Calypso activity tracked by PwC targeted a telecommunications provider in Afghanistan.
English speculates that Showboat might have found success in these smaller markets. "Somebody said: Perfect is the enemy of good enough. And they let it run. I think that they were probably being economical with that."
Read more about:
DR Global Asia Pacific
About the Author
Nate Nelson
Contributing Writer
Nate Nelson is a journalist and award-winning scriptwriter. In addition to Dark Reading he writes for Darknet Diaries, the most popular show in cybersecurity across all media.
He began his career as a freelancer, ghostwriting Forbes and CNBC op-eds for executives in tech and finance. Then he transitioned to journalism at Threatpost, where he covered cybersecurity news and trends. Throughout those years he co-created a cybersecurity podcast, Malicious Life, which in its day climbed into the Top 20 technology podcasts charts on Apple Podcasts and Spotify.
He holds degrees from New York University and Bard College. As a born and bred New Yorker, he enjoys a superiority complex, but is polite enough to keep it to himself.
Want more Dark Reading stories in your Google search results?
ADD US NOW
More Insights
Industry Reports
How Organizations Are Managing Incident Response
How Enterprises Are Developing Secure Applications
Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy
How Enterprises Are Harnessing Emerging Technologies in Cybersecurity
Ditch the Data Center: Understanding Flexible Cloud Infrastructure Security Management
Access More Research
Webinars
Building SecOps That Make the Most of Every Dollar
AI-Powered Credential Security: Intelligence Without Exposure
AI-Powered Cybersecurity for Resource-Constrained Organizations
How Security Teams should apply Threat Intelligence into their Defenses
Your Guide to Securing AI Adoption in Your Organization
More Webinars
You May Also Like
THREAT INTELLIGENCE
Hackers Target Cybersecurity Firm Outpost24 in 7-Stage Phish
by Jai Vijayan
MAR 17, 2026
THREAT INTELLIGENCE
Iran's Cyber-Kinetic War Doctrine Takes Shape
by Alexander Culafi
MAR 06, 2026
THREAT INTELLIGENCE
React2Shell Exploits Flood the Internet as Attacks Continue
by Rob Wright
DEC 12, 2025
THREAT INTELLIGENCE
Chinese Gov't Fronts Trick the West to Obtain Cyber Tech
by Nate Nelson, Contributing Writer
OCT 06, 2025
Editor's Choice
THREAT INTELLIGENCE
From Stuxnet to ChatGPT: 20 News Events That Shaped Cyber
byDark Reading Editorial Team
MAY 6, 2026
31 MIN READ
CYBER RISK
Physical Cargo Theft Gets a Boost From Cybercriminals
byRobert Lemos
MAY 4, 2026
5 MIN READ
CYBER RISK
NSA Chief During Snowden Affair Shares Regrets, Reflections 13 Years Later
byDark Reading Editorial Team
APR 28, 2026
Want more Dark Reading stories in your Google search results?
Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
SUBSCRIBE
RSAC 2026: key news & insights
At RSAC 2026, Dark Reading captured critical intelligence on AI, new attack methods, geopolitics, and much more
Get Your Recap
Webinars
Building SecOps That Make the Most of Every Dollar
THURS, JULY 9, 2026 AT 1PM EST
AI-Powered Credential Security: Intelligence Without Exposure
WED, JUNE 17, 2026, AT 1PM EST
AI-Powered Cybersecurity for Resource-Constrained Organizations
THURS, JUNE 18, 2026, AT 1PM EST
How Security Teams should apply Threat Intelligence into their Defenses
THURS, JUNE 11, 2026 AT 1PM EST
Your Guide to Securing AI Adoption in Your Organization
TUES, JUNE 9, 2026 AT 1PM EST
More Webinars
BLACK HAT USA | MANDALAY BAY, LAS VEGAS
The premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a Briefings pass or $100 on a Business pass.
GET YOUR PASS