Chinese APTs Share Linux Backdoor in Central Asia Telco Attacks
Recorded: May 21, 2026, 1:58 p.m.
"Showboat" doesn't show off, but clearly it doesn't need to, as it's long helped China spy on small market communications providers.

Nate Nelson, Contributing Writer
May 21, 2026
4 Min Read

Source: Mark Summerfield via Alamy Stock Photo

For years now, Chinese state-aligned hackers have been spying on telecommunications companies in Central Asia and beyond, using a newly discovered Linux post-exploitation framework.

The malware is called "Showboat," or "kworker." Black Lotus Labs observed different clusters of Showboat activity against totally dissimilar targets — from an Internet service provider (ISP) in Afghanistan to an unknown IP in the disputed Donbas region of eastern Ukraine — suggesting that Chinese advanced persistent threats (APTs) are trading it around.

At least one of those APTs is Calypso, according to PricewaterhouseCoopers (PwC). First observed in 2019, Calypso is one of China's lesser-discussed espionage groups, perhaps because its activity occurs in countries where Western cybersecurity companies have less visibility on average: Afghanistan, Kazakhstan, Turkey, and India, for example. Calypso uses Showboat alongside a Windows backdoor of roughly similar sophistication, called "JFMBackdoor."

The Showboat Exploitation Framework

Showboat is a useful but unexceptional spy tool, which makes it all the more surprising that Chinese threat groups have used it in total secrecy, gathering what might amount to serious geopolitical intelligence for four years running.

Its most significant trick, arguably, is its ability to scan for and then infect devices on a local area network (LAN) that aren't otherwise connected to the public Internet. "So if you do happen to find this in your network, there's probably a whole lot of other bad stuff in the network, and you're about to have a very long weekend," says Danny Adamitis, principal information security engineer at Black Lotus Labs.

Though perfectly capable, Showboat hardly goes toe-to-toe with China's top-of-the-line telco malware. BPFdoor, for example, is an expert in living-off-the-land, almost imperceptibly concealing its command-and-control (C2) traffic in HTTPS requests and Internet Control Message Protocol (ICMP) pings. In Adamitis' assessment, Showboat "is not the best backdoor I've ever seen. To me this feels like almost a newer version of a ShadowPad where it's just [notable for] kind of cool capabilities."

Yet Showboat's banality could be as much a design feature as a flaw. After all, why invest in a highly complex, bespoke tool when something simple and easy gets the job done? Evidence suggests that the malware has been around since at least mid-2022, but by the time the researchers got to it this year, it registered a grand total of zero detections on VirusTotal (VT): as little as any ultra-stealthy, bespoke, native spy multitool that even the best Typhoon has access to.

"You don't necessarily always have to write your backdoors exclusively in assembly and do a weird matching packet thing over ICMP," Adamitis says. "It appears as though they're still having a moderate degree of success with something that, in my mind, is a little bit more run of the mill."

Where Showboat isn't the right tool, the threat actors that use it can dip into a pool of malware shared broadly among Chinese threat actors. "Red Lamassu (a.k.a. Calypso) has historically used PlugX, a malware family widely shared and reused across multiple China-based threat actors," notes PwC threat intelligence analyst Daniel van Apeldoorn. These days, he adds, "it can tailor its toolset, deploying a Linux backdoor in Linux-heavy environments (such as telecommunications infrastructure, which often runs on Unix-based systems) and a Windows backdoor when targeting corporate or enterprise environments where Windows is dominant."

China's Malware Experiments

Black Lotus Labs researcher Ryan English expands on Adamitis' point. "What China likes to do is they'll designate certain parts of the world as kind of a laboratory. They'll test [malware] against perfectly updated virtual systems, then they'll bring it out into the real world in a small market test. Does this work against that bank in Africa? Does this work against that telco in Vietnam? And if it does, they're feeling more confident to bring it out to more serious targets."

At least some of the data seems to support the interpretation that Showboat was conceived of as a small market solution. Black Lotus Labs tracked multiple, apparently separate Chinese threat clusters passing it around, without committing to it for long, high-value campaigns against any targets of supreme value. For example, one threat cluster seemed to use Showboat rather randomly, connecting at different times to IP addresses in the US and in the Donbas region. Another deployed it against organizations in countries with less mature cybersecurity on average: an ISP from Afghanistan, and other unnamed victims in Azerbaijan and the Middle East. Meanwhile, the Calypso activity tracked by PwC targeted a telecommunications provider in Afghanistan.

English speculates that Showboat might have found success in these smaller markets. "Somebody said: Perfect is the enemy of good enough. And they let it run. I think that they were probably being economical with that."

About the Author: Nate Nelson, Contributing Writer. Nate Nelson is a journalist and award-winning scriptwriter.
Summarized: Chinese state-aligned advanced persistent threats (APTs) have been observed sharing a Linux post-exploitation framework known as "Showboat" in attacks targeting telecommunications infrastructure across Central Asia. These groups have used the malware to spy on small market communications providers. Observed Showboat activity spans disparate targets, including an Internet service provider in Afghanistan and systems in the disputed Donbas region of eastern Ukraine, suggesting that several Chinese APTs are circulating the toolset. Analysis by PricewaterhouseCoopers (PwC) links some of the activity to Calypso, a lesser-discussed espionage group that operates in regions where Western cybersecurity visibility is lower, such as Afghanistan, Kazakhstan, Turkey, and India. Calypso has been observed using Showboat alongside a Windows backdoor called "JFMBackdoor," indicating that it chooses its malware according to the target environment. The significance of the Showboat exploitation framework lies in its ability to scan for and infect devices within a local area network (LAN) that are not directly connected to the public Internet, which enables lateral movement within networks. Although recognized as a useful tool, the framework is characterized by its simplicity, which some researchers suggest could be either a design feature or an oversight; despite that simplicity, the malware had registered zero detections on VirusTotal, implying an extremely stealthy nature. Showboat is not on par with the most sophisticated telco malware, such as BPFdoor, which excels at concealing command-and-control traffic in HTTPS requests and ICMP pings; its banality is presented as potentially economical rather than as a limitation of capability.

Threat actors leverage this shared framework to tailor their toolsets, deploying the Linux backdoor in Linux-heavy environments like telecommunications infrastructure (which often runs on Unix-based systems) and a Windows backdoor when targeting enterprise environments where Windows is dominant. Threat intelligence analysts note that groups like Red Lamassu (Calypso) have historically reused malware families, such as PlugX, that are shared across multiple China-based threat actors, demonstrating an ability to adapt tools to specific operational contexts. Research also suggests that China tests malware first against virtual systems and then in small market deployments to assess its efficacy before moving on to higher-value targets. This approach supports the interpretation that Showboat may have been conceived as an economical solution that found success in environments with less mature cybersecurity postures, such as those in the Middle East.