
Showboat Emerges as New Linux Threat in Middle East Cyber Attacks
Threat actors continue to target telecommunications infrastructure as part of long-term cyber espionage operations designed to maintain persistent access inside critical networks. Modern post-exploitation malware frameworks are increasingly being developed for Linux systems, allowing attackers to establish covert access, proxy network traffic, and move laterally within telecom environments while evading detection.
A previously undocumented Linux malware family named Showboat has been actively targeting telecommunications providers since at least mid-2022. The malware is believed to have been used by China-linked threat actors and has been observed operating against telecom entities in the Middle East and other regions.
Background on Showboat Operations
Showboat is a modular post-exploitation framework specifically designed for Linux systems. Researchers state that the malware supports remote shell execution, file transfer operations, SOCKS5 proxy functionality, and stealth mechanisms intended to hide its presence on compromised systems.
Activity is linked to threat clusters aligned with the People’s Republic of China (PRC), with command-and-control infrastructure associated with IP addresses geolocated to Chengdu, China. One identified threat actor connected to the campaign is Calypso, also known as Bronze Medley and Red Lamassu.
Researchers also noted that Showboat shares operational similarities with other malware frameworks used by China-linked groups, including PlugX, ShadowPad, and NosyDoor, indicating possible “resource pooling” between multiple threat actors.
Vulnerability Details
CVE-2021-26855:
Vulnerability: Microsoft Exchange Server Remote Code Execution Vulnerability
CVSS Score: 9.1
EPSS Score: 94.34%
Infection Method
The exact initial access vector remains unknown. However, researchers stated that Calypso has previously used ASPX web shells after exploiting vulnerabilities or compromising default remote access accounts.
The threat actor was also previously observed exploiting ProxyLogon via CVE-2021-26855, the Microsoft Exchange Server vulnerability at the core of that exploit chain.
Researchers also observed the malware retrieving code snippets from Pastebin in order to conceal itself on infected hosts.
Indicators of Compromise (IOCs)
Malicious IP Addresses
139.84.227[.]139 — Original Showboat command-and-control server associated with telecom.webredirect[.]org
194.135.25[.]132 — Secondary C2 node observed communicating with an Afghanistan-based ISP
23.27.201[.]160 — Hosted singtelcom[.]site impersonation domain
101.36.105[.]222 — Hosted kaztelecom[.]shop impersonation domain
116.169.244[.]208:2096 — Possible upstream infrastructure or developer environment linked to Chengdu, China
192.9.141[.]111 — Suspected C2 associated with possible U.S.-based victim activity
64.176.43[.]209 — Suspected C2 communicating with Ukrainian-region IP addresses
Malicious Domains
telecom.webredirect[.]org — Embedded Showboat C2 hostname
singtelcom[.]site — Domain impersonating telecommunications organizations
kaztelecom[.]shop — Domain impersonating regional telecom provider infrastructure
Certificate Indicators
27df475626aafce2ea1548a9f35efb9ad951298c8b11a6adb3ccdfcd5170c677
a72427af3c046fd90999a6505b2372dc4ffde122227f30ed21621ecd4f2d3e8b
e28a96f983b8605decd2ac1db16ebad5fa741a6aa4e585a38ade0e5ad7d6cec0
2229e7f3cabbce4d67cd79c89fd5a100b20e8a99f4a2bf9aac77a978f49eb520
| Tactic ID | Technique ID |
|---|---|
| TA0001 - Initial Access | T1190 - Exploit Public-Facing Application |
| TA0005 - Stealth | T1564 - Hide Artifacts<br>T1027 - Obfuscated Files or Information |
| TA0007 - Discovery | T1016 - System Network Configuration Discovery<br>T1046 - Network Service Scanning |
| TA0011 - Command and Control | T1071 - Application Layer Protocol |
| TA0010 - Exfiltration | T1041 - Exfiltration Over C2 Channel |
Mitigation
- Monitor Linux systems for unauthorized SOCKS5 proxy activity.
- Audit telecom infrastructure for persistent malware implants.
- Restrict unnecessary remote access services and default accounts.
- Continuously monitor outbound traffic to suspicious C2 infrastructure.
- Investigate hidden or unusual Linux processes and ELF binaries.
- Apply security patches to internet-facing systems immediately after disclosure.
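As an added example that is not part of the original post, the Python script below ties the IOC list above to the monitoring items in this list. It refangs the post's defanged IPs and domains, matches the IPs against socket lines in the format `ss -tnp` prints, checks hostnames from DNS or proxy logs against the IOC domains (including subdomains), and confirms whether a local listening port actually speaks SOCKS5 by sending the protocol's client greeting, which identifies a proxy regardless of what the process calls itself. The `ss` lines, the process names in them (such as `kworker/u8`, which is not a Showboat indicator) and the throwaway loopback listener are constructed for the demonstration; the script is not the researchers' tooling.

```python
"""Added example (not from the original post): hunt for Showboat-related
indicators on a Linux host. Sample socket lines, hostnames and the local
listener used in the demo are constructed for illustration."""
import re
import socket
import threading

# IOCs exactly as the post lists them (defanged).
DEFANGED_IPS = [
    "139.84.227[.]139", "194.135.25[.]132", "23.27.201[.]160",
    "101.36.105[.]222", "116.169.244[.]208", "192.9.141[.]111",
    "64.176.43[.]209",
]
DEFANGED_DOMAINS = [
    "telecom.webredirect[.]org", "singtelcom[.]site", "kaztelecom[.]shop",
]


def refang(ioc: str) -> str:
    """Turn a defanged IOC ('1.2.3[.]4', 'evil[.]site') back into a matchable value."""
    return ioc.replace("[.]", ".")


IOC_IPS = {refang(i) for i in DEFANGED_IPS}
IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

# One line of `ss -tnp` output, e.g.
#   ESTAB 0 0 10.0.0.5:43122 139.84.227.139:443 users:(("sshd",pid=1234,fd=3))
SS_LINE = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+)"
    r"(?:\s+users:\(\(\"(?P<proc>[^\"]+)\",pid=(?P<pid>\d+).*)?$"
)


def match_connections(ss_output: str) -> list:
    """Return (pid, process, peer) for every socket whose peer IP is in the IOC list."""
    hits = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line.strip())
        if m and m["raddr"] in IOC_IPS:
            hits.append((m["pid"], m["proc"], f"{m['raddr']}:{m['rport']}"))
    return hits


def ioc_domain_hit(hostname: str) -> bool:
    """True if hostname is an IOC domain or a subdomain of one (for DNS/proxy logs)."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in IOC_DOMAINS)


def is_socks5_greeting(data: bytes) -> bool:
    """SOCKS5 client hello: VER=0x05, NMETHODS, then exactly NMETHODS method bytes."""
    return len(data) >= 2 and data[0] == 0x05 and data[1] >= 1 and len(data) == 2 + data[1]


def is_socks5_reply(data: bytes) -> bool:
    """SOCKS5 method selection: VER=0x05 plus NO-AUTH, GSSAPI, USER/PASS or 'none acceptable'."""
    return len(data) == 2 and data[0] == 0x05 and data[1] in (0x00, 0x01, 0x02, 0xFF)


def probe_socks5(host: str, port: int, timeout: float = 2.0) -> bool:
    """Send the no-auth SOCKS5 greeting to a listener on the host being audited and
    report whether it answers like a SOCKS5 server: a hidden proxy still has to speak
    the protocol even when its process name is disguised."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"\x05\x01\x00")
            return is_socks5_reply(s.recv(2))
    except OSError:
        return False


def one_shot_socks5_listener() -> int:
    """Constructed stand-in for an implant's proxy port: answers one greeting on
    127.0.0.1 and returns the port it chose, so probe_socks5 can be exercised offline."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            if is_socks5_greeting(conn.recv(256)):
                conn.sendall(b"\x05\x00")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


# Constructed `ss -tnp` output: a benign SSH session, two sockets from a process with a
# kernel-worker-style name talking to IOC IPs, and an unrelated HTTPS fetch.
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.20.0.17:22 10.20.0.9:51422 users:(("sshd",pid=812,fd=4))
ESTAB 0 0 10.20.0.17:41736 139.84.227.139:443 users:(("kworker/u8",pid=4417,fd=3))
ESTAB 0 0 10.20.0.17:52100 194.135.25.132:8443 users:(("kworker/u8",pid=4417,fd=5))
ESTAB 0 0 10.20.0.17:47710 151.101.1.69:443 users:(("curl",pid=5001,fd=3))
"""

if __name__ == "__main__":
    for pid, proc, peer in match_connections(SAMPLE_SS):
        print(f"[IOC] pid={pid} proc={proc} -> {peer}")
    port = one_shot_socks5_listener()
    print(f"127.0.0.1:{port} speaks SOCKS5: {probe_socks5('127.0.0.1', port)}")
```

On a real host, feed `match_connections` the output of `ss -tnp` and run `probe_socks5` against each port that `ss -tlnp` shows listening; a listener that answers the greeting with `05 00` but is not an approved proxy is worth the process-level investigation the list above calls for.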
Instantly Fix Risks with Saner Patch Management
Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.
