
State-Aligned Threat Actors Share Linux Backdoor in Telecommunications Infrastructure

Security researchers have identified a shared Linux post-compromise framework, known as Showboat, deployed by state-aligned threat actors against telecommunications organizations and Internet service providers. The findings provide valuable data on how these groups test and iterate malware in specific regional environments before broader deployment.

Triage Security Media Team

For several years, Chinese state-aligned threat actors have been gathering intelligence on telecommunications companies in Central Asia and other regions using a newly discovered Linux post-compromise framework.

The malware is identified as "Showboat" or "kworker." Researchers at Black Lotus Labs observed different clusters of Showboat activity against disparate environments—ranging from an Internet service provider (ISP) in Afghanistan to an unidentified IP address in the disputed Donbas region of eastern Ukraine. This distribution indicates that Chinese advanced persistent threats (APTs) are actively sharing the tool across multiple groups.
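A defensive triage check prompted by the "kworker" alias, as an added example that is not code from the article or from Black Lotus Labs: it assumes the alias reflects a user-space process borrowing a kernel worker thread's name (the article does not state this), and flags such processes because every genuine kernel thread is a child of kthreadd (PID 2). The `ps` output below is constructed sample data.

```python
import re

# Names the Linux kernel uses for its own threads. A user-space process carrying
# one of them is worth a closer look. Assumption: the "kworker" alias in the
# article refers to this kind of name-based blending in.
KERNEL_THREAD_NAMES = re.compile(r"^(kworker|ksoftirqd|kthreadd|migration|rcu_|kswapd|watchdog)")
KTHREADD_PID = 2  # every genuine kernel thread is kthreadd (PID 2) or one of its children

# Constructed sample of `ps -eo pid,ppid,comm,args` output; not a real capture.
SAMPLE_PS = """\
  PID  PPID COMMAND         COMMAND
    1     0 systemd         /sbin/init
    2     0 kthreadd        [kthreadd]
   15     2 kworker/0:1     [kworker/0:1]
  931     1 sshd            /usr/sbin/sshd -D
 2044     1 kworker/1:2     [kworker/1:2]
 2102   931 bash            -bash
"""


def parse_ps(text):
    """Yield (pid, ppid, comm, args) tuples, skipping the header line."""
    for line in text.splitlines()[1:]:
        parts = line.split(maxsplit=3)
        if len(parts) < 3:
            continue
        pid, ppid, comm = int(parts[0]), int(parts[1]), parts[2]
        args = parts[3] if len(parts) == 4 else ""
        yield pid, ppid, comm, args


def kernel_thread_impostors(text):
    """Return processes named like kernel threads whose parent is not kthreadd."""
    found = []
    for pid, ppid, comm, args in parse_ps(text):
        if pid == KTHREADD_PID:
            continue  # kthreadd itself is parented by PID 0, which is expected
        if KERNEL_THREAD_NAMES.match(comm) and ppid != KTHREADD_PID:
            found.append({"pid": pid, "ppid": ppid, "comm": comm, "args": args})
    return found


if __name__ == "__main__":
    for hit in kernel_thread_impostors(SAMPLE_PS):
        print(f"suspicious: pid={hit['pid']} ppid={hit['ppid']} "
              f"comm={hit['comm']} args={hit['args']!r}")
```

On a live host, a second confirming check is that `/proc/PID/exe` resolves to an on-disk binary for a flagged process, whereas genuine kernel threads have no executable link.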

At least one of these APTs is Calypso, according to analysis by PricewaterhouseCoopers (PwC). First observed in 2019, Calypso operates primarily in countries where Western cybersecurity firms often have less visibility, such as Afghanistan, Kazakhstan, Turkey, and India. Calypso deploys Showboat alongside a Windows backdoor of similar sophistication known as "JFMBackdoor."

The Showboat framework

Showboat functions as a practical utility rather than a highly complex tool, making it notable that threat groups have operated it covertly to gather significant intelligence over a four-year period.

Its most notable capability is scanning for and infecting local area network (LAN) devices that are isolated from the public Internet. "So if you do happen to find this in your network, there's probably a whole lot of other bad stuff in the network, and you're about to have a very long weekend," says Danny Adamitis, principal information security engineer at Black Lotus Labs.

Showboat operates differently from the most advanced telecommunications malware. BPFdoor, for instance, specializes in living-off-the-land techniques, concealing its command-and-control (C2) traffic within HTTPS requests and Internet Control Message Protocol (ICMP) pings. In Adamitis' assessment, Showboat "is not the best backdoor I've ever seen. To me this feels like almost a newer version of a ShadowPad where it's just [notable for] kind of cool capabilities."

The simplicity of Showboat appears to be a deliberate design choice. Evidence indicates the software has been active since at least mid-2022, yet when researchers analyzed it this year, it registered zero detections on VirusTotal (VT). This evasion rate matches the stealth of highly specialized, native tools used by top-tier groups like the Typhoon clusters.

"You don't necessarily always have to write your backdoors exclusively in assembly and do a weird matching packet thing over ICMP," Adamitis notes. "It appears as though they're still having a moderate degree of success with something that, in my mind, is a little bit more run of the mill."

When Showboat does not fit the environment, these actors draw from a shared pool of malware. "Red Lamassu (a.k.a. Calypso) has historically used PlugX, a malware family widely shared and reused across multiple China-based threat actors," notes PwC threat intelligence analyst Daniel van Apeldoorn. He adds that the group "can tailor its toolset, deploying a Linux backdoor in Linux-heavy environments (such as telecommunications infrastructure, which often runs on Unix-based systems) and a Windows backdoor when targeting corporate or enterprise environments where Windows is dominant."

Regional testing methodologies

Black Lotus Labs researcher Ryan English provides additional context on this deployment approach. "What China likes to do is they'll designate certain parts of the world as kind of a laboratory. They'll test [malware] against perfectly updated virtual systems, then they'll bring it out into the real world in a small market test. Does this work against that bank in Africa? Does this work against that telco in Vietnam? And if it does, they're feeling more confident to bring it out to more serious targets."

Current data aligns with the assessment that Showboat was initially deployed as a solution for specific, smaller markets. Black Lotus Labs tracked multiple distinct threat clusters sharing the tool, utilizing it without committing to long-term campaigns against primary targets.

For example, one cluster connected to IP addresses in the US and the Donbas region at varying intervals. Another deployed it against organizations in regions with developing cybersecurity maturity, including an Afghan ISP and unnamed affected organizations in Azerbaijan and the Middle East. Simultaneously, the Calypso activity tracked by PwC focused on a telecommunications provider in Afghanistan.

English suggests that Showboat found utility in these specific environments by prioritizing function over complexity. "Somebody said: Perfect is the enemy of good enough. And they let it run. I think that they were probably being economical with that."

About the original author

Nate Nelson is a contributing writer with a background in journalism and scriptwriting. In addition to contributing to Dark Reading, he writes for Darknet Diaries and previously covered security news at Threatpost. He also co-created the security podcast Malicious Life. He holds degrees from New York University and Bard College.