Chinese state-aligned Showboat espionage campaign targeting telecoms in Central Asia
Campaign
Summary
Hide ▲
Show ▼
A multi-year Chinese state-aligned espionage campaign is using Showboat to target telecommunications companies in Central Asia and beyond, increasing the risk of covert intelligence collection across the sector. The same Linux framework has been observed across multiple clusters and dissimilar targets, suggesting a reusable operation rather than a single intrusion. One related cluster has been linked to Calypso.
Related Happenings
Showboat Linux post-exploitation backdoor framework
Malware Activity
First: 21.05.2026 17:17
Last: 21.05.2026 17:17
Sources 1
About this happening:
The **Showboat** Linux malware has been identified as a **modular post-exploitation framework** used since **at least mid-2022**, raising the risk of persistent access on compromi...
Showboat Linux post-exploitation backdoor framework
Malware ActivityAbout this happening: The **Showboat** Linux malware has been identified as a **modular post-exploitation framework** used since **at least mid-2022**, raising the risk of persistent access on compromi...
Showboat / kworker Linux post-exploitation malware activity
Malware Activity
First: 21.05.2026 17:00
Last: 21.05.2026 17:00
Sources 1
How related:
The malware is called "Showboat," or "kworker." Black Lotus Labs observed different clusters of Showboat activity against totally dissimilar targets
About this happening:
Researchers tied **Showboat** / **kworker** to a stealthy **Linux post-exploitation framework** being reused across multiple Chinese threat clusters, raising concern that a shared...
Showboat / kworker Linux post-exploitation malware activity
Malware ActivityHow related: The malware is called "Showboat," or "kworker." Black Lotus Labs observed different clusters of Showboat activity against totally dissimilar targets
About this happening: Researchers tied **Showboat** / **kworker** to a stealthy **Linux post-exploitation framework** being reused across multiple Chinese threat clusters, raising concern that a shared...
Calypso telecommunications espionage campaign using Showboat and JFMBackdoor
Campaign
First: 21.05.2026 17:00
Last: 21.05.2026 17:00
Sources 1
About this happening:
A **Calypso / Red Lamassu** espionage campaign is targeting **telecommunications providers** with new **Showboat** and **JFMBackdoor** malware, increasing the risk of long-term co...
Calypso telecommunications espionage campaign using Showboat and JFMBackdoor
CampaignAbout this happening: A **Calypso / Red Lamassu** espionage campaign is targeting **telecommunications providers** with new **Showboat** and **JFMBackdoor** malware, increasing the risk of long-term co...
Timeline
-
21.05.2026 17:00 2 articles · 6d ago
Showboat espionage campaign targeting telecoms in Central Asia and beyond
Campaign Scope UpdateChinese state-aligned hackers have been using the Showboat (kworker) Linux post-exploitation framework to spy on telecommunications and ISP targets in Central Asia and beyond, including an ISP in Afghanistan and an IP in Donbas. Black Lotus Labs observed multiple clusters of Showboat activity across dissimilar targets, while PwC linked at least one cluster to Calypso, which also uses Showboat alongside the Windows backdoor JFMBackdoor. Researchers assessed that Showboat has been around since at least mid-2022 and had zero VirusTotal detections when examined.
Show sources
- Chinese APTs Share Linux Backdoor in Central Asia Telco Attacks — www.darkreading.com — 21.05.2026 17:00
- Chinese APTs Share Linux Backdoor in Central Asia Telco Attacks — www.darkreading.com — 21.05.2026 17:00