Showboat / kworker Linux post-exploitation malware activity
Malware Activity
Summary
Hide ▲
Show ▼
Researchers tied Showboat / kworker to a stealthy Linux post-exploitation framework being reused across multiple Chinese threat clusters, raising concern that a shared toolset is supporting long-running espionage. The malware has been seen against dissimilar targets including an ISP in Afghanistan and an IP in Donbas, with additional activity across Azerbaijan, the Middle East, and other regions. One cluster linked to Calypso also paired it with JFMBackdoor, and Showboat can scan and infect LAN devices that are not otherwise on the public Internet. The malware has been present since at least mid-2022 and showed zero VirusTotal detections when reviewed, underscoring its stealth.
Related Happenings
Showboat Linux post-exploitation backdoor framework
Malware Activity
H score16
First: 21.05.2026 17:17
Last: 21.05.2026 17:17
Sources 1
About this happening:
The **Showboat** Linux malware has been identified as a **modular post-exploitation framework** used since **at least mid-2022**, raising the risk of persistent access on compromi...
Showboat Linux post-exploitation backdoor framework
Malware ActivityAbout this happening: The **Showboat** Linux malware has been identified as a **modular post-exploitation framework** used since **at least mid-2022**, raising the risk of persistent access on compromi...
Chinese state-aligned Showboat espionage campaign targeting telecoms in Central Asia
Campaign
H score46
First: 21.05.2026 17:00
Last: 21.05.2026 17:00
Sources 1
How related:
For years now, Chinese state-aligned hackers have been spying on telecommunications companies in Central Asia and beyond, using a newly discovered Linux post-exploitation framework.
About this happening:
A **multi-year Chinese state-aligned espionage campaign** is using **Showboat** to target **telecommunications companies in Central Asia and beyond**, increasing the risk of cover...
Chinese state-aligned Showboat espionage campaign targeting telecoms in Central Asia
CampaignHow related: For years now, Chinese state-aligned hackers have been spying on telecommunications companies in Central Asia and beyond, using a newly discovered Linux post-exploitation framework.
About this happening: A **multi-year Chinese state-aligned espionage campaign** is using **Showboat** to target **telecommunications companies in Central Asia and beyond**, increasing the risk of cover...
Calypso telecommunications espionage campaign using Showboat and JFMBackdoor
Campaign
H score36
First: 21.05.2026 17:00
Last: 21.05.2026 17:00
Sources 1
About this happening:
A **Calypso / Red Lamassu** espionage campaign is targeting **telecommunications providers** with new **Showboat** and **JFMBackdoor** malware, increasing the risk of long-term co...
Calypso telecommunications espionage campaign using Showboat and JFMBackdoor
CampaignAbout this happening: A **Calypso / Red Lamassu** espionage campaign is targeting **telecommunications providers** with new **Showboat** and **JFMBackdoor** malware, increasing the risk of long-term co...
China-nexus hijacked-device proxy network campaign
Campaign
H score43
First: 23.04.2026 15:28
Last: 23.04.2026 15:28
Sources 1
About this happening:
**China-nexus** hackers are using **JDY**, a covert **SOHO/IoT** reconnaissance network, to expand **targeted scanning** and **service fingerprinting** across exposed infrastructu...
China-nexus hijacked-device proxy network campaign
CampaignAbout this happening: **China-nexus** hackers are using **JDY**, a covert **SOHO/IoT** reconnaissance network, to expand **targeted scanning** and **service fingerprinting** across exposed infrastructu...
KadNap Asus router proxy botnet
Malware Activity
H score22
First: 10.03.2026 18:00
Last: 10.03.2026 18:00
Sources 1
About this happening:
**KadNap** is a **proxy botnet** that compromises **Asus routers** and other edge devices, creating a stealth channel for malicious traffic from **over 14,000 infected devices**....
KadNap Asus router proxy botnet
Malware ActivityAbout this happening: **KadNap** is a **proxy botnet** that compromises **Asus routers** and other edge devices, creating a stealth channel for malicious traffic from **over 14,000 infected devices**....
Timeline
-
21.05.2026 17:00 2 articles · 1mo ago
Showboat / kworker linked to Chinese telco espionage
Initial DisclosureBlack Lotus Labs tied the Showboat, or kworker, Linux post-exploitation framework to Chinese state-aligned espionage against telecommunications and ISP targets in Central Asia and beyond, including an ISP in Afghanistan, an IP in Donbas, and a telecommunications provider in Afghanistan. The tooling was described as active since at least mid-2022, paired by Calypso with JFMBackdoor, and still showing zero VirusTotal detections when reviewed.
Show sources
- Chinese APTs Share Linux Backdoor in Central Asia Telco Attacks — www.darkreading.com — 21.05.2026 17:00
- Chinese APTs Share Linux Backdoor in Central Asia Telco Attacks — www.darkreading.com — 21.05.2026 17:00