Showboat Malware Targets Telecoms in China-Aligned Cyber Espionage Campaign
ID: ffe58566-e878-55e1-acb5-4c59d25d71ac
STIX ID: report--ffe58566-e878-55e1-acb5-4c59d25d71ac
Feed Name: ThreatCluster
Researchers uncovered a Linux post-exploitation framework named Showboat (also tracked as kworker/EvaRAT), attributed to the China-aligned Red Lamassu (Calypso) group, which has been actively targeting telecommunications providers across the Middle East, Central Asia and other regions since mid-2022. Showboat provides persistence, file transfer, a SOCKS5 proxy used for lateral movement, and process concealment; a related Windows backdoor (JFMBackdoor) is loaded via DLL side-loading. Investigators tied the C2 infrastructure to Chengdu, China (one example C2 IP: 23.27.201.160), and recommend monitoring for SOCKS5 traffic, blocking the known C2 addresses, and deploying detections for process hiding and DLL side-loading.
