"Showboat is a modular post-exploitation framework designed for Linux systems, capable of spawning a remote shell, transferring files, and functioning as a SOCKS5 proxy," Lumen Technologies Black Lotus Labs said.
Showboat's core capabilities
Researchers describe Showboat as a Linux backdoor and post‑exploitation framework with multiple modules. According to the report shared with The Hacker News, the malware can spawn a remote shell, upload and download files, and operate as a SOCKS5 proxy. The ELF artifact uploaded to VirusTotal in May 2025 was classified by the scanning platform as a sophisticated Linux backdoor with rootkit‑like capabilities; Kaspersky is tracking the same artifact under the name EvaRAT.
Command-and-control, exfiltration, and stealth techniques
Showboat's network and concealment techniques are notable and specific. The malware is designed to contact a command‑and‑control (C2) server, gather system information and then return that information embedded in a PNG field as an encrypted, Base64‑encoded string. It also retrieves a code snippet hosted on Pastebin — the referenced paste was created on January 11, 2022 — and uses that data to assist in hiding itself from the process list. Additionally, Showboat is capable of managing multiple C2 servers.
SOCKS5 proxy and lateral access to LAN‑only machines
One of Showboat's operational aims appears to be creating a foothold that enables access to systems not directly exposed to the internet. Black Lotus Labs notes that the malware can scan for other devices on a local network and connect to them through its SOCKS5 proxy capability. "This would allow the attackers to interact with machines that are not exposed publicly to the internet and only accessible via the LAN," Black Lotus Labs said, indicating lateral movement and pivoting as central functions of the implant.
Attribution and the pattern of shared tooling
Black Lotus Labs assessed that Showboat has been employed by at least one — and possibly more — threat activity clusters affiliated with China. The researchers identified correlations between C2 nodes and IP addresses geolocated to Chengdu, Sichuan province. The report situates Showboat among a set of shared frameworks — including PlugX, ShadowPad, and NosyDoor — that multiple China‑nexus groups have reused, a phenomenon the analysts describe as "resource pooling" and that they say reinforces the presence of a digital quartermaster supplying tooling to state‑sponsored actors.
Victimology: Middle East telecom, Afghanistan ISP, Azerbaijan, plus secondary C2 findings
Infrastructure analysis tied to the campaign has uncovered specific victim ties. Black Lotus Labs identified a telecommunications provider in the Middle East as a target of Showboat activity dating back to at least mid‑2022. Further analysis uncovered two additional victims: an Afghanistan‑based internet service provider and an entity in Azerbaijan whose identity remains unspecified. A secondary C2 cluster, using similar X.509 certificates to the original C2 server, revealed two possible compromises in the United States and one in Ukraine.
What this means for technologists, policymakers, and affected enterprises
- Technologists and security teams: the combination of rootkit‑like hiding, PNG‑based encrypted exfil, and SOCKS5 proxying means incident responders will need to consider both kernel/process concealment and the possibility of covert lateral access to LAN‑only hosts.
- Policymakers and regulators: the assessment linking activity to China‑affiliated clusters and the finding of shared tooling across multiple groups highlights cross‑border infrastructure and attribution signals that may inform diplomatic, disclosure, and notification considerations.
- Affected enterprises and telecom/ISP operators: the discovery of a foothold inside a Middle East telecommunications provider, plus compromises at an Afghanistan ISP and an Azerbaijan victim, signals a risk to network‑adjacent systems that are not publicly routable but reachable from compromised hosts.
Black Lotus Labs framed the discovery as a warning: "While some threat actors are increasingly using stealthy, native system tools to evade detection, others still deploy persistent malware implants," researcher Danny Adamitis said. "The presence of such threats should be taken as an early warning sign, indicating the potential for broader and more serious security issues within affected networks."
The record in this case ties a capable Linux backdoor to a series of regional compromises and to reusable tooling patterns observed in other campaigns. The specifics — an ELF sample flagged in May 2025, a Pastebin snippet from January 11, 2022, PNG‑embedded encrypted exfil, SOCKS5 proxying, and C2 infrastructure linked to Chengdu — together sketch a deliberate operational approach: obtain persistence on Linux hosts, conceal presence, and use compromised systems as springboards to otherwise inaccessible devices. How widely Showboat has been reused beyond the enumerated victims, and whether additional clusters will surface that share its infrastructure, remains the next question to follow.




