Showboat Linux post-exploitation backdoor framework

Malware Activity
H score 16
1 unique source, 1 article

Summary

The Showboat Linux malware has been identified as a modular post-exploitation framework used since at least mid-2022, raising the risk of persistent access on compromised systems. It can spawn a remote shell, transfer files, and operate as a SOCKS5 proxy, giving operators flexible control over infected hosts. Investigators linked the activity to China-affiliated clusters and observed related infrastructure and possible compromises across the Middle East, Afghanistan, Azerbaijan, the U.S., and Ukraine.

Related Happenings

Calypso telecommunications espionage campaign using Showboat and JFMBackdoor

Campaign
First: 21.05.2026 17:00 Last: 21.05.2026 17:00 Sources 1

About this happening: A **Calypso / Red Lamassu** espionage campaign is targeting **telecommunications providers** with new **Showboat** and **JFMBackdoor** malware, increasing the risk of long-term co...

Showboat / kworker Linux post-exploitation malware activity

Malware Activity
First: 21.05.2026 17:00 Last: 21.05.2026 17:00 Sources 1

About this happening: Researchers tied **Showboat** / **kworker** to a stealthy **Linux post-exploitation framework** being reused across multiple Chinese threat clusters, raising concern that a shared...

Chinese state-aligned Showboat espionage campaign targeting telecoms in Central Asia

Campaign
First: 21.05.2026 17:00 Last: 21.05.2026 17:00 Sources 1

About this happening: A **multi-year Chinese state-aligned espionage campaign** is using **Showboat** to target **telecommunications companies in Central Asia and beyond**, increasing the risk of cover...

Filemanager backdoor delivered on compromised cPanel environments

Malware Activity
First: 11.05.2026 20:54 Last: 11.05.2026 20:54 Sources 1

About this happening: The **Filemanager** backdoor is being deployed on **compromised cPanel/WHM systems**, giving attackers **remote command execution** and shell access. It is delivered through a **s...

QUIC RAT delivered through compromised DAEMON Tools installers

Malware Activity
First: 05.05.2026 19:07 Last: 05.05.2026 19:07 Sources 1

About this happening: A follow-on **QUIC RAT** payload was delivered through compromised **DAEMON Tools installers**, extending the supply-chain intrusion into **remote access** on a small subset of in...

Latest development: 07.05.2026 12:30

Disc Soft released malware-free Daemon Tools Lite Version 12.6 on May 5 after being notified of the supply chain attack on its build environment, and the affected 12.5.1 build was removed from distribution so users could move to the cleaned release.

Timeline

  1. 21.05.2026 17:17 1 article · 6d ago

    Showboat concealment snippet created

    Technical Analysis Update

    A Pastebin code snippet later retrieved by Showboat to hide itself on infected Linux hosts was created on January 11, 2022, indicating a preexisting concealment component used to reduce process-list visibility and support persistent footholds on compromised systems.
  2. 21.05.2026 17:17 2 articles · 6d ago

    Showboat Linux malware disclosed

    Initial Disclosure

    Cybersecurity researchers disclosed Showboat as Linux malware used against a Middle East telecommunications provider since at least mid-2022. They described it as a modular post-exploitation framework that can spawn a remote shell, transfer files, act as a SOCKS5 proxy, contact C2 infrastructure, gather system information, and conceal itself with a Pastebin-hosted snippet. Investigators also linked the activity to China-affiliated clusters and found further victims or possible compromises in Afghanistan, Azerbaijan, the U.S., and Ukraine.