Showboat Linux post-exploitation backdoor framework
Malware Activity
Summary
The Showboat Linux malware has been identified as a modular post-exploitation framework used since at least mid-2022, raising the risk of persistent access on compromised systems. It can spawn a remote shell, transfer files, and operate as a SOCKS5 proxy, giving operators flexible control over infected hosts. Investigators linked the activity to China-affiliated clusters and observed related infrastructure and possible compromises across the Middle East, Afghanistan, Azerbaijan, the U.S., and Ukraine.
Related Happenings
Calypso telecommunications espionage campaign using Showboat and JFMBackdoor
Campaign
First: 21.05.2026 17:00
Last: 21.05.2026 17:00
Sources 1
About this happening:
A **Calypso / Red Lamassu** espionage campaign is targeting **telecommunications providers** with new **Showboat** and **JFMBackdoor** malware, increasing the risk of long-term co...
Showboat / kworker Linux post-exploitation malware activity
Malware Activity
First: 21.05.2026 17:00
Last: 21.05.2026 17:00
Sources 1
About this happening:
Researchers tied **Showboat** / **kworker** to a stealthy **Linux post-exploitation framework** being reused across multiple Chinese threat clusters, raising concern that a shared...
Chinese state-aligned Showboat espionage campaign targeting telecoms in Central Asia
Campaign
First: 21.05.2026 17:00
Last: 21.05.2026 17:00
Sources 1
About this happening:
A **multi-year Chinese state-aligned espionage campaign** is using **Showboat** to target **telecommunications companies in Central Asia and beyond**, increasing the risk of cover...
Filemanager backdoor delivered on compromised cPanel environments
Malware Activity
First: 11.05.2026 20:54
Last: 11.05.2026 20:54
Sources 1
About this happening:
The **Filemanager** backdoor is being deployed on **compromised cPanel/WHM systems**, giving attackers **remote command execution** and shell access. It is delivered through a **s...
QUIC RAT delivered through compromised DAEMON Tools installers
Malware Activity
First: 05.05.2026 19:07
Last: 05.05.2026 19:07
Sources 1
About this happening:
A follow-on **QUIC RAT** payload was delivered through compromised **DAEMON Tools installers**, extending the supply-chain intrusion into **remote access** on a small subset of in...
Latest development: 07.05.2026 12:30
Disc Soft released malware-free Daemon Tools Lite Version 12.6 on May 5 after being notified of the supply chain attack on its build environment, and the affected 12.5.1 build was removed from distribution so users could move to the cleaned release.
Timeline
- 21.05.2026 17:17 · 1 article
Showboat concealment snippet created
Technical Analysis Update: A Pastebin code snippet later retrieved by Showboat to hide itself on infected Linux hosts was created on January 11, 2022, indicating a preexisting concealment component used to reduce process-list visibility and support persistent footholds on compromised systems.
Sources:
- Showboat Linux Malware Hits Middle East Telecom with SOCKS5 Proxy Backdoor — thehackernews.com — 21.05.2026 17:17
- 21.05.2026 17:17 · 2 articles
Showboat Linux malware disclosed
Initial Disclosure: Cybersecurity researchers disclosed Showboat as a Linux malware used against a Middle East telecommunications provider since at least mid-2022 and described it as a modular post-exploitation framework that can spawn a remote shell, transfer files, act as a SOCKS5 proxy, contact C2 infrastructure, gather system information, and conceal itself with a Pastebin-hosted snippet; investigators also linked the activity to China-affiliated clusters and found further victims or possible compromises in Afghanistan, Azerbaijan, the U.S., and Ukraine.
Sources:
- Showboat Linux Malware Hits Middle East Telecom with SOCKS5 Proxy Backdoor — thehackernews.com — 21.05.2026 17:17
- Showboat Linux Malware Hits Middle East Telecom with SOCKS5 Proxy Backdoor — thehackernews.com — 21.05.2026 17:17