Showboat: A Novel Linux Post-Exploitation Framework Targeting Telecommunications
- Newly Discovered Linux Malware: Black Lotus Labs has characterized Showboat, a modular post-exploitation framework that has been operational since at least mid-2022.
- PRC-Aligned Threat: Attribution links the malware to at least one, and likely several, PRC-aligned threat activity clusters targeting the global telecommunications sector.
- Zero Detection Rate: A sample submitted to VirusTotal in May 2025 held a zero-percent detection rate across all antivirus engines through April 2026.
Lumen’s Black Lotus Labs identified a previously undocumented Linux malware family designated as Showboat. Active since at least mid-2022, this modular post-exploitation framework targets global telecommunications infrastructure.
According to the researchers, Showboat is used by at least one, and likely multiple, PRC-aligned threat activity clusters.
PRC-Aligned Telecommunications Targeting
Lumen intelligence indicates that the campaign compromised a telecommunications provider in the Middle East and impersonated Southeast Asian telecom firms to disguise its operations.
Showboat is built specifically for Linux environments. Once deployed, it gives the operator remote shell execution, file transfer, and SOCKS5 proxying, the last of which lets a compromised host relay traffic onward into the victim network.
The framework also natively supports process obfuscation, persistence as a service, and rotation across command-and-control (C2) nodes, so that losing one C2 address does not cost the operator access.
Analysis of the sample's embedded configuration identified the hostname telecom.webredirect[.]org and correlated it with the primary C2 IP address. Pivoting on shared metadata properties, the researchers uncovered another 20 C2 nodes.
Showboat Attribution
Lumen attributed the malicious infrastructure and associated IP addresses to Chengdu, China. The researchers found the malware on VirusTotal, where a sample submitted on May 5, 2025, maintained a zero-percent detection rate across all antivirus engines through April 2026. For defenders, that means file-based antivirus alone will not surface this family; the hostname and C2 infrastructure above, and the network behaviour described below, are the more useful hunting material.
“Even when final targets are based in North America, the global interconnectivity of telecommunications firms means that risks can quickly extend worldwide,” the report said. “Because these organizations are essential for transmitting user voice and data, they represent a critical component of any organization’s supply chain.”
Researchers noted a shift towards persisting on Linux-based systems and routers, which typically do not run EDR agents. “We encourage organizations to be mindful of their perimeter and continue to monitor events such as east-west traffic from servers that do not clearly map to business processes,” said Black Lotus Labs researchers.
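The two concrete things a defender can act on from this report are the C2 hostname quoted above and the advice to watch east-west traffic from servers. The following script, an added example that is not from the Black Lotus Labs report or the Showboat sample, shows both checks run over constructed, simplified Zeek-style log lines: it refangs the published indicator and matches it against DNS queries (case-insensitively, tolerating a trailing dot), and it flags server-originated connections to other internal hosts that are not on an allowlist of expected business flows. The server and internal subnets, the expected-flow allowlist, and every log line are assumptions for the example, not data from the article.

```python
"""Added hunting example (not from the Black Lotus Labs report or the
Showboat sample): matches the C2 hostname quoted in the article against
DNS telemetry and flags east-west server flows that no business process
explains, over constructed sample log lines."""
import ipaddress
from typing import Dict, List, Tuple

# IOC as printed in the article (defanged); refang() restores it for matching.
SHOWBOAT_C2_HOSTNAME_DEFANGED = "telecom.webredirect[.]org"

# Assumptions for the example, not from the report: where servers live, what counts
# as internal, and which server-originated flows are expected (src, dst, dport).
SERVER_SUBNETS = [ipaddress.ip_network("10.20.0.0/16")]
INTERNAL_SUBNETS = [ipaddress.ip_network("10.0.0.0/8")]
EXPECTED_FLOWS = {("10.20.1.5", "10.20.1.6", 5432)}

# Constructed sample telemetry (simplified Zeek-like, tab-separated), not real data.
# dns columns: ts, uid, src, resolver, query.  conn columns: ts, uid, src, dst, dport, proto.
SAMPLE_DNS_LOG = """\
1715000001.0\tCa1\t10.20.1.5\t10.0.0.53\tdb.corp.example
1715000002.0\tCa2\t10.20.7.9\t10.0.0.53\ttelecom.webredirect.org
1715000003.0\tCa3\t10.20.7.9\t10.0.0.53\tTELECOM.WEBREDIRECT.ORG.
"""
SAMPLE_CONN_LOG = """\
1715000004.0\tCb1\t10.20.1.5\t10.20.1.6\t5432\ttcp
1715000005.0\tCb2\t10.20.7.9\t10.30.2.2\t1080\ttcp
1715000006.0\tCb3\t10.20.7.9\t10.30.2.3\t22\ttcp
1715000007.0\tCb4\t10.20.1.5\t203.0.113.9\t443\ttcp
"""


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


def normalize_query(name: str) -> str:
    """Lower-case and strip the trailing dot so FQDN variants compare equal."""
    return name.lower().rstrip(".")


def _in_any(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def find_ioc_dns_hits(dns_log: str, defanged_ioc: str) -> List[Tuple[str, str]]:
    """Return (src, query) for every DNS query that matches the refanged IOC."""
    target = refang(defanged_ioc)
    hits = []
    for line in dns_log.splitlines():
        if not line.strip():
            continue
        _ts, _uid, src, _resolver, query = line.split("\t")
        if normalize_query(query) == target:
            hits.append((src, query))
    return hits


def find_unexplained_east_west(conn_log: str) -> List[Tuple[str, str, int]]:
    """Flag server -> internal flows that are not in EXPECTED_FLOWS.
    Server -> Internet flows are an egress question and are skipped here."""
    flagged = []
    for line in conn_log.splitlines():
        if not line.strip():
            continue
        _ts, _uid, src, dst, dport, _proto = line.split("\t")
        if not _in_any(src, SERVER_SUBNETS) or not _in_any(dst, INTERNAL_SUBNETS):
            continue  # not east-west traffic from a server
        flow = (src, dst, int(dport))
        if flow not in EXPECTED_FLOWS:
            flagged.append(flow)
    return flagged


def hunt() -> Dict[str, list]:
    """Run both checks over the constructed sample logs."""
    return {
        "c2_dns_hits": find_ioc_dns_hits(SAMPLE_DNS_LOG, SHOWBOAT_C2_HOSTNAME_DEFANGED),
        "unexplained_east_west": find_unexplained_east_west(SAMPLE_CONN_LOG),
    }


if __name__ == "__main__":
    for key, rows in hunt().items():
        print(key)
        for row in rows:
            print("  ", row)
```

On the sample data the script reports two DNS hits for the published hostname from one server and two unexplained east-west flows from that same host (one to port 1080, the conventional SOCKS port, used here only as a constructed value). The allowlist approach is deliberate: on a telecom server estate the set of expected server-to-server flows is small and knowable, so anything outside it from a host that also resolved a known C2 name is worth an analyst's time, even with no endpoint agent present.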
This month, the CVE-2026-41940 vulnerability in cPanel was exploited to steal credentials, and CISA warned that a severe CopyFail Linux flaw is under active exploitation (CVE-2026-31431).
In April, a new China-aligned APT deployed GopherWhisper malware against the Mongolian government, and a cybersecurity analysis revealed China-nexus threat activity increased by 75% in 2025.