Showboat / kworker Linux post-exploitation malware activity
Malware Activity
Summary
Researchers tied Showboat / kworker to a stealthy Linux post-exploitation framework being reused across multiple Chinese threat clusters, raising concern that a shared toolset is supporting long-running espionage. The malware has been seen against dissimilar targets including an ISP in Afghanistan and an IP in Donbas, with additional activity across Azerbaijan, the Middle East, and other regions. One cluster linked to Calypso also paired it with JFMBackdoor, and Showboat can scan and infect LAN devices that are not otherwise on the public Internet. The malware has been present since at least mid-2022 and showed zero VirusTotal detections when reviewed, underscoring its stealth.
Related Happenings
Showboat Linux post-exploitation backdoor framework
Malware Activity
First: 21.05.2026 17:17
Last: 21.05.2026 17:17
Sources 1
About this happening:
The **Showboat** Linux malware has been identified as a **modular post-exploitation framework** used since **at least mid-2022**, raising the risk of persistent access on compromi...
Chinese state-aligned Showboat espionage campaign targeting telecoms in Central Asia
Campaign
First: 21.05.2026 17:00
Last: 21.05.2026 17:00
Sources 1
How related:
For years now, Chinese state-aligned hackers have been spying on telecommunications companies in Central Asia and beyond, using a newly discovered Linux post-exploitation framework.
About this happening:
A **multi-year Chinese state-aligned espionage campaign** is using **Showboat** to target **telecommunications companies in Central Asia and beyond**, increasing the risk of cover...
Calypso telecommunications espionage campaign using Showboat and JFMBackdoor
Campaign
First: 21.05.2026 17:00
Last: 21.05.2026 17:00
Sources 1
About this happening:
A **Calypso / Red Lamassu** espionage campaign is targeting **telecommunications providers** with new **Showboat** and **JFMBackdoor** malware, increasing the risk of long-term co...
KadNap Asus router proxy botnet
Malware Activity
First: 10.03.2026 18:00
Last: 10.03.2026 18:00
Sources 1
About this happening:
**KadNap** is a **proxy botnet** that compromises **Asus routers** and other edge devices, creating a stealth channel for malicious traffic from **over 14,000 infected devices**....
SystemBC long-running global proxy malware operation
Malware Activity
First: 04.02.2026 18:15
Last: 04.02.2026 18:15
Sources 1
About this happening:
**SystemBC** is a long-running **proxy malware** operation that turns compromised hosts into **SOCKS5 relays** and is repeatedly used to support **ransomware activity**. New repor...
Timeline
- 21.05.2026 17:00 · 2 articles · 6d ago
Showboat / kworker linked to Chinese telco espionage
Initial Disclosure: Black Lotus Labs tied the Showboat, or kworker, Linux post-exploitation framework to Chinese state-aligned espionage against telecommunications and ISP targets in Central Asia and beyond, including an ISP in Afghanistan, an IP in Donbas, and a telecommunications provider in Afghanistan. The tooling was described as active since at least mid-2022, paired by Calypso with JFMBackdoor, and still showing zero VirusTotal detections when reviewed.
Sources:
- Chinese APTs Share Linux Backdoor in Central Asia Telco Attacks — www.darkreading.com — 21.05.2026 17:00