Showboat
Showboat is a modular Linux post-exploitation framework and backdoor used in a long-running cyber-espionage campaign active since at least mid-2022. It is designed for Linux systems, including AMD x86-64 ELF builds, and is intended to maintain persistent access after initial compromise. Reported capabilities include spawning a remote shell, uploading and downloading files, functioning as a SOCKS5 proxy, port mapping/port forwarding, gathering host information, collecting running process data, obtaining desktop screenshots, hiding its own process, swapping command-and-control nodes, and establishing persistence as a service. The malware retrieves an XOR-encrypted configuration file using the hardcoded key phrase "look me, AV!" and sends collected host data to command-and-control infrastructure as an encrypted, Base64-encoded string embedded in a PNG field. Researchers also reported that its hide functionality can retrieve code from external sites such as Pastebin or online forums.
Black Lotus Labs reported that Showboat has been used against telecommunications organizations, including a telecommunications provider in the Middle East, with additional victims or possible compromises involving an Afghanistan-based ISP, Azerbaijan, the United States, and infrastructure tied to the Donbas/Ukraine region. The campaign used telecom-themed domains impersonating communications providers in Southeast Asia. Black Lotus Labs assessed that Showboat was used by at least one, and likely multiple, PRC-aligned or China-affiliated threat clusters, and separate reporting attributed the broader campaign to Calypso (also known as Red Lamassu). Infrastructure analysis linked parts of the command-and-control ecosystem to Chengdu, China, with moderate confidence. The initial infection vector was not determined from the available reporting.
Known infrastructure and indicators mentioned in the reporting include telecom.webredirect[.]org resolving to 139.84.227[.]139; additional command-and-control IPs 194.135.25[.]132, 192.9.141[.]111, 64.176.43[.]209, and 116.169.244[.]208:2096; impersonation domains singtelcom[.]site and kaztelecom[.]shop; and self-signed X.509 certificate SHA256 fingerprints 27df475626aafce2ea1548a9f35efb9ad951298c8b11a6adb3ccdfcd5170c677 and e28a96f983b8605decd2ac1db16ebad5fa741a6aa4e585a38ade0e5ad7d6cec0. The malware has also been referred to as kworker in some reporting, and Kaspersky tracks it as EvaRAT.
Groups observed using it
2 distinct threat actors attributed by public researchers.
The Linux implant Calypso uses in these attacks, dubbed Showboat/kworker, is a modular post-exploitation framework built for long-term persistence after initial compromise.
Techniques & procedures
19 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution (1 technique)
Persistence (2 techniques)
Our analysis revealed several pre-built functions that an operator could call. These functions allow the operators to upload and download files to and from the host machine, hide the agent itself from the process list, obtain persistence as a service, and swap out C2 nodes.
Privilege Escalation (2 techniques)
Stealth (4 techniques)
“The file was XOR-encrypted with a hardcoded key to each byte, using the cheeky phrase: ‘look me, AV!’”
“The threat actors regularly disguise their control domains to impersonate real international technology providers. Specifically, investigators found active domains mimicking major communications brands in Southeast Asia.”
Discovery (3 techniques)
“After successful decryption, the agent immediately interrogates the host environment. It collects hostnames, process lists, and desktop screenshots.”
Lateral Movement (1 technique)
Collection (1 technique)
Command and Control (7 techniques)
“Our analysis shows a correlation between command-and-control (C2) nodes and connections associated with IP addresses that correlate to Chengdu, China.”
“Showboat is a modular post-exploitation framework designed for Linux systems, capable of spawning a remote shell, transferring files and functioning as a Socks5 proxy... Two other network functions that warranted further exploration were the SOCKS5 and portmap functions.”
One notable feature is the “hide” command, which enables a process to conceal itself on a host machine by retrieving code stored on external websites such as Pastebin or online forums for use as a “dead drop.”
IOCs tracked for this family
13 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
A modular Linux post-exploitation backdoor/framework used for cyber espionage. It establishes persistent access, spawns remote shells, transfers files, operates as a SOCKS5 proxy, hides its execution path, uses XOR-encrypted configuration data, and collects host information including hostnames, process lists, and desktop screenshots.
Linux-focused post-exploitation malware that provides remote shell access, file upload/download, SOCKS5 proxying, system information collection, encrypted C2 communications, process concealment, and retrieval of code from Pastebin for stealth. It enables attackers to pivot into internal network devices not directly exposed to the internet.
A Linux modular post-exploitation framework/backdoor used to establish footholds on compromised systems. It contacts C2 servers, gathers and exfiltrates system information, supports file upload/download, can spawn a remote shell, acts as a SOCKS5 proxy, hides its presence from the process list, retrieves code from Pastebin for concealment, and can scan for and connect to other devices reachable via LAN.
A Linux modular post-exploitation implant used for long-term persistence. It collects host information, communicates with C2, uploads/downloads files, hides its process, establishes persistence as a service, and provides SOCKS5 proxy and port-forwarding capabilities to support internal movement.