Find notable cyber news and cases, enriched with sources, timelines, and signals.

Showboat / kworker Linux post-exploitation malware activity

Malware Activity
First reported
Last updated
Happening score
H score 28
1 unique sources, 1 articles

Summary

Hide ▲

Researchers tied Showboat / kworker to a stealthy Linux post-exploitation framework being reused across multiple Chinese threat clusters, raising concern that a shared toolset is supporting long-running espionage. The malware has been seen against dissimilar targets including an ISP in Afghanistan and an IP in Donbas, with additional activity across Azerbaijan, the Middle East, and other regions. One cluster linked to Calypso also paired it with JFMBackdoor, and Showboat can scan and infect LAN devices that are not otherwise on the public Internet. The malware has been present since at least mid-2022 and showed zero VirusTotal detections when reviewed, underscoring its stealth.

Related Happenings

Showboat Linux post-exploitation backdoor framework

Malware Activity
H score16 First: 21.05.2026 17:17 Last: 21.05.2026 17:17 Sources 1

About this happening: The **Showboat** Linux malware has been identified as a **modular post-exploitation framework** used since **at least mid-2022**, raising the risk of persistent access on compromi...

Chinese state-aligned Showboat espionage campaign targeting telecoms in Central Asia

Campaign
H score46 First: 21.05.2026 17:00 Last: 21.05.2026 17:00 Sources 1

How related: For years now, Chinese state-aligned hackers have been spying on telecommunications companies in Central Asia and beyond, using a newly discovered Linux post-exploitation framework.

About this happening: A **multi-year Chinese state-aligned espionage campaign** is using **Showboat** to target **telecommunications companies in Central Asia and beyond**, increasing the risk of cover...

Calypso telecommunications espionage campaign using Showboat and JFMBackdoor

Campaign
H score36 First: 21.05.2026 17:00 Last: 21.05.2026 17:00 Sources 1

About this happening: A **Calypso / Red Lamassu** espionage campaign is targeting **telecommunications providers** with new **Showboat** and **JFMBackdoor** malware, increasing the risk of long-term co...

China-nexus hijacked-device proxy network campaign

Campaign
H score43 First: 23.04.2026 15:28 Last: 23.04.2026 15:28 Sources 1

About this happening: **China-nexus** hackers are using **JDY**, a covert **SOHO/IoT** reconnaissance network, to expand **targeted scanning** and **service fingerprinting** across exposed infrastructu...

KadNap Asus router proxy botnet

Malware Activity
H score22 First: 10.03.2026 18:00 Last: 10.03.2026 18:00 Sources 1

About this happening: **KadNap** is a **proxy botnet** that compromises **Asus routers** and other edge devices, creating a stealth channel for malicious traffic from **over 14,000 infected devices**....

Timeline

  1. 21.05.2026 17:00 2 articles · 1mo ago

    Showboat / kworker linked to Chinese telco espionage

    Initial Disclosure

    Black Lotus Labs tied the Showboat, or kworker, Linux post-exploitation framework to Chinese state-aligned espionage against telecommunications and ISP targets in Central Asia and beyond, including an ISP in Afghanistan, an IP in Donbas, and a telecommunications provider in Afghanistan. The tooling was described as active since at least mid-2022, paired by Calypso with JFMBackdoor, and still showing zero VirusTotal detections when reviewed.

    Show sources