China-Linked Showboat Malware Targets Telecom Firms With Linux Persistence


A China-linked Linux malware framework called Showboat has been used in a long-running cyber-espionage campaign against telecommunications organizations. The malware was disclosed by Black Lotus Labs, which said the campaign has been active since at least mid-2022.

Showboat is not ransomware. It is a modular post-exploitation framework designed to keep quiet access inside Linux systems, transfer files, launch remote shells, and act as a SOCKS5 proxy for deeper network movement.

Picus Security later analyzed the same threat and warned that Showboat's stealth techniques make it difficult for traditional security tools to detect, especially on Linux servers that lack strong endpoint monitoring.

Showboat gives attackers long-term access to Linux telecom systems

Showboat targets AMD x86-64 Linux systems, which are common in server and telecom environments. Lumen, whose Black Lotus Labs team disclosed the malware, said it was deployed in activity against telecommunications providers in the Middle East and that the operators also impersonated telecom firms in Southeast Asia.

The campaign has been linked to at least one, and likely several, activity clusters aligned with the People's Republic of China. Lumen based that assessment on global telemetry, shared tooling patterns, and command-and-control infrastructure correlated with Chengdu, China.

The malware's purpose is persistence and access, not immediate destruction. Once installed, it can help operators map internal systems, move through the network, and use the compromised host as a proxy into machines that do not face the internet.

Malware name: Showboat
Platform: AMD x86-64 Linux systems
Threat type: Modular post-exploitation framework
Known activity: Active since at least mid-2022
Primary sector: Telecommunications
Reported capabilities: Remote shell, file transfer, process hiding, C2 management, and SOCKS5 proxying

How Showboat communicates with its command server

After execution, Showboat contacts an embedded command-and-control server and retrieves an encrypted configuration file. The configuration uses XOR encryption with the hardcoded key "look me, AV!".

Once decrypted, the configuration can reveal the server address, port, proxy settings, and sleep intervals. Instead of beaconing at fixed times, Showboat can randomize its sleep period to make network activity harder to spot.

The malware collects host information such as hostname, operating system details, running processes, process data, and a desktop screenshot. It then sends that information back to the command server as an encrypted and base64-encoded string hidden inside a PNG field.
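The two encodings described above, the XOR-encrypted configuration and the base64 string hidden in a PNG field, are both things an analyst has to reverse when triaging a sample. The following is an added example written for this article, not code from Lumen, Picus or the malware itself. It uses the reported key, but the key=value layout of the configuration, the choice of the PNG tEXt chunk as the carrier field, and all sample values (the port, sleep intervals and beacon contents) are constructed assumptions; the domain is the one reported in the article.

```python
import base64
import struct
import zlib

# XOR key the article reports as hardcoded in Showboat's configuration.
XOR_KEY = b"look me, AV!"

# Magic bytes that open every PNG file.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the same call both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_text(data: bytes) -> bool:
    """True when every byte is printable ASCII or ordinary whitespace."""
    return len(data) > 0 and all(32 <= c < 127 or c in (9, 10, 13) for c in data)


def decode_config(blob: bytes, key: bytes = XOR_KEY) -> dict:
    """Decrypt an XOR-encrypted config blob and parse it as key=value lines.

    The key=value line layout is an assumption made for this example; the
    article does not describe the real field layout of a Showboat config.
    """
    text = xor_bytes(blob, key).decode("utf-8", errors="replace")
    config = {}
    for line in text.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            config[name.strip()] = value.strip()
    return config


def png_chunks(png: bytes):
    """Yield (chunk_type, chunk_data) for every chunk in a PNG byte string."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(png):
        length, chunk_type = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        yield chunk_type, data
        pos += 12 + length  # 4-byte length + 4-byte type + data + 4-byte CRC


def extract_hidden_payloads(png: bytes, key: bytes = XOR_KEY) -> list:
    """Return (keyword, plaintext) pairs for tEXt chunks whose value is base64
    that XOR-decrypts, under `key`, to readable text.

    Which PNG field Showboat actually uses is not stated in the article; the
    tEXt chunk is an assumption for this example.
    """
    hits = []
    for chunk_type, data in png_chunks(png):
        if chunk_type != b"tEXt":
            continue
        keyword, _, value = data.partition(b"\x00")
        try:
            raw = base64.b64decode(value, validate=True)
        except ValueError:  # binascii.Error is a subclass of ValueError
            continue
        plain = xor_bytes(raw, key)
        if looks_like_text(plain):
            hits.append((keyword.decode("latin-1"), plain.decode("ascii")))
    return hits


def _chunk(chunk_type: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(chunk_type + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + chunk_type + data + struct.pack(">I", crc)


def build_sample_png(hidden: bytes, key: bytes = XOR_KEY) -> bytes:
    """Build a minimal 1x1 PNG with one benign tEXt chunk and one tEXt chunk
    carrying base64(xor(hidden)). Constructed test data, not a real sample."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    benign = b"Software\x00example editor 1.0"
    smuggled = b"Comment\x00" + base64.b64encode(xor_bytes(hidden, key))
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"tEXt", benign)
            + _chunk(b"tEXt", smuggled) + _chunk(b"IEND", b""))


# Constructed sample data (not recovered from a real sample). The domain is the
# one the article reports; the port and sleep values are made up.
SAMPLE_CONFIG_PLAINTEXT = (
    b"server=telecom.webredirect[.]org\n"
    b"port=443\n"
    b"sleep_min=60\n"
    b"sleep_max=600\n"
)
SAMPLE_CONFIG_BLOB = xor_bytes(SAMPLE_CONFIG_PLAINTEXT, XOR_KEY)
SAMPLE_BEACON = b"host=db01;os=Linux 5.15;pid=4242"
SAMPLE_PNG = build_sample_png(SAMPLE_BEACON)

if __name__ == "__main__":
    print(decode_config(SAMPLE_CONFIG_BLOB))
    print(extract_hidden_payloads(SAMPLE_PNG))
```

The benign chunk is skipped because its value is not valid base64; a chunk that is valid base64 but decrypts to binary noise under the key is skipped by the printable-text check, so the scanner only reports chunks that actually carry readable data under this key.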

Linux persistence makes Showboat harder to find

One of Showboat's most important features is its hide command. The malware can retrieve a C source file from Pastebin, compile it on the infected system, and use the Linux dynamic linker preload mechanism to hide malicious activity.

This technique lines up with MITRE ATT&CK Dynamic Linker Hijacking, where attackers abuse linker behavior such as LD_PRELOAD or preload files to load malicious shared libraries before legitimate ones.

On Linux, this can let malware hook system functions such as readdir and hide processes or files from tools like ps, top, and ls. For administrators, that means the system may look normal even while the implant continues running.

  • Showboat can hide its own processes from common Linux monitoring tools.
  • It can fetch and compile a shared object on the victim system.
  • It abuses Linux preload behavior to hook libc functions such as readdir.
  • It can proxy traffic through the compromised server using SOCKS5.
  • It can help attackers reach internal systems that are not exposed online.

Why telecom companies are valuable targets

Telecommunications companies carry sensitive communications, routing, subscriber, enterprise, and infrastructure data. A quiet implant inside a telecom provider can support surveillance, network mapping, credential theft, and follow-on access to connected organizations.

Linux systems are also attractive because many telecom and network environments rely on Linux-based servers, appliances, and infrastructure components. Some of these systems do not run the same endpoint detection stack as Windows workstations.

The Lumen report said the campaign shows why defenders should pay closer attention to Linux-based systems as access points into deeper parts of enterprise and carrier networks.

Showboat evaded antivirus detection for months

Showboat was first discovered through a VirusTotal sample submitted on May 5, 2025. At the time, the sample had a zero detection rate, and Lumen said it remained undetected through April 2026.

This is significant because the malware had rootkit-like behavior and post-exploitation capabilities, yet it still avoided traditional antivirus detection. That kind of gap can give advanced attackers months or years of operational space.

Picus also noted that Showboat achieved zero detection across 65 engines when scanned and highlighted its use of XOR encryption, PNG-based data hiding, and Linux persistence as key stealth features.

Indicators defenders should monitor

Security teams should treat the following indicators as starting points for hunting. They should also monitor behavior because advanced operators can change filenames, domains, and scripts quickly.

  • Domain: telecom.webredirect[.]org. C2 server address found in a decrypted Showboat configuration.
  • File name: ukpkmkk.c. C source file fetched and compiled by the hide command.
  • File name: ukpkmkk.so. Compiled shared library used for stealth.
  • File path: /etc/ld.so.preload. Linux preload mechanism abused to hook library functions.
  • XOR key: "look me, AV!". Hardcoded key used to decrypt Showboat configuration data.
  • Process filter: kworkers, dbus, autoupdate. Names used by Showboat's hiding logic to conceal activity.

Detection should focus on behavior, not only file hashes

Defenders should look for suspicious changes to /etc/ld.so.preload, unexpected shared objects on production Linux systems, and unusual compilation activity involving gcc or similar tools. Those signals can reveal attempts to build or load stealth components on the host.

The MITRE ATT&CK guidance for dynamic linker hijacking recommends monitoring LD_PRELOAD abuse, suspicious shared library creation, and abnormal process behavior linked to hooked libc functions.

Network monitoring also matters. Showboat's randomized beaconing and PNG-style data smuggling can make traffic look less obvious, but defenders can still hunt for strange outbound patterns from Linux servers that should not be contacting unfamiliar external infrastructure.
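Randomized sleep defeats a hunt for exact periodicity, but a beacon with a bounded random sleep still produces connection gaps that are much more regular than human or batch traffic. The following added example (written for this article, not Lumen's or Picus's tooling) scores outbound flows per source/destination pair by the spread of their inter-connection gaps and their average size. The flow records, addresses and thresholds are constructed for illustration and would need tuning against real carrier traffic.

```python
import statistics
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Address ranges treated as internal; connections to these are not beacons to
# external infrastructure and are ignored.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


# Constructed flow records: (unix_time, src_ip, dst_ip, dst_port, bytes_out).
# 10.0.5.12 talks to one external host every few minutes with jitter and tiny
# payloads; 10.0.5.20 does bursty, large transfers; 10.0.5.21 connects once.
def _beacon_flows():
    t = 1_700_000_000
    flows = [(t, "10.0.5.12", "203.0.113.7", 443, 812)]
    for gap in (300, 412, 255, 360, 298, 470, 262, 333):
        t += gap
        flows.append((t, "10.0.5.12", "203.0.113.7", 443, 790 + gap % 50))
    return flows


def _bursty_flows():
    t = 1_700_000_100
    flows = [(t, "10.0.5.20", "198.51.100.50", 443, 250_000)]
    for gap in (1, 2, 1, 900, 1, 1, 3, 1200):
        t += gap
        flows.append((t, "10.0.5.20", "198.51.100.50", 443, 180_000 + gap))
    return flows


SAMPLE_FLOWS = (_beacon_flows() + _bursty_flows()
                + [(1_700_000_500, "10.0.5.21", "198.51.100.9", 80, 1500),
                   (1_700_000_600, "10.0.5.12", "10.0.8.1", 5432, 4000)])


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_beacons(flows, min_count=6, max_cv=0.5, min_gap=30, max_gap=3600,
                   max_mean_bytes=4096):
    """Flag (src, dst) pairs whose outbound connections look like jittered,
    low-volume beaconing to external hosts.

    A beacon with a randomized sleep produces gaps that vary but stay bounded,
    so the coefficient of variation (stdev / mean) stays low, while human or
    batch traffic is bursty (high CV). Thresholds are illustrative only.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _port, nbytes in flows:
        if not is_internal(dst):
            by_pair[(src, dst)].append((ts, nbytes))

    findings = []
    for (src, dst), events in by_pair.items():
        if len(events) < min_count:
            continue
        events.sort()
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap else float("inf")
        mean_bytes = statistics.mean(n for _, n in events)
        if (min_gap <= mean_gap <= max_gap and cv <= max_cv
                and mean_bytes <= max_mean_bytes):
            findings.append({"src": src, "dst": dst, "count": len(events),
                             "mean_gap": round(mean_gap, 1), "cv": round(cv, 3),
                             "mean_bytes": round(mean_bytes)})
    return findings


if __name__ == "__main__":
    for f in detect_beacons(SAMPLE_FLOWS):
        print(f)
```

On the constructed data only the jittered pair is reported; the bursty transfer fails both the CV and the size test, the single connection never reaches the minimum count, and the internal database connection is filtered out before scoring. In practice the external allowlist (CDNs, update mirrors, monitoring SaaS) is what keeps this query quiet.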

  1. Monitor /etc/ld.so.preload for unauthorized changes.
  2. Alert on unexpected .so files created in temporary or user-writable directories.
  3. Review production Linux servers for suspicious gcc use.
  4. Watch for outbound traffic from servers that do not normally communicate externally.
  5. Hunt for SOCKS5 proxy behavior inside telecom or enterprise networks.
  6. Compare process listings from multiple telemetry sources to catch hidden processes.
  7. Use file integrity monitoring on critical Linux configuration paths.
  8. Investigate servers showing randomized low-volume beaconing patterns.
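Items 1, 2 and 6 of the list above can be checked from the host itself, with one caveat that matters for a preload-based hider: any tool that lists /proc through libc's readdir sees the same filtered view the attacker intends, so the second telemetry source must not go through readdir. The following added example (written for this article, not Lumen's or Picus's code) keeps the three checks as pure functions over data, so they can be exercised against constructed input, and adds live collectors that stat() candidate /proc entries one by one instead of listing the directory. The allowlist, sample preload contents and sample paths are constructed; the ukpkmkk.so file name is the one reported in the article.

```python
import os
import re
import subprocess

# Directories where a production server should not be gaining shared objects.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")

# Matches lib.so, lib.so.6, lib.so.1.2 but not names that merely contain ".so".
SO_PATTERN = re.compile(r"\.so(\.\d+)*$")


def check_preload(content: str, allowed: set) -> list:
    """Return entries in /etc/ld.so.preload content that are not allowlisted.

    The loader reads the file as a whitespace-separated list of shared
    objects, so every token is treated as one library path.
    """
    return [entry for entry in content.split() if entry not in allowed]


def find_hidden_pids(probed_pids: set, listed_pids: set) -> set:
    """PIDs seen by direct probing but missing from a directory-listing source.

    A preload hook on readdir can filter what `ps` or `ls /proc` sees, but a
    stat() of /proc/<pid> does not go through readdir, so probing gives an
    independent view. A rootkit that also hooks stat needs an out-of-band
    source instead (EDR or eBPF telemetry)."""
    return probed_pids - listed_pids


def suspicious_shared_objects(paths: list) -> list:
    """Filter a list of file paths down to .so files in user-writable locations."""
    return [p for p in paths
            if SO_PATTERN.search(os.path.basename(p)) and p.startswith(WRITABLE_DIRS)]


# Constructed sample input for the pure checks (not taken from a real host).
PRELOAD_SAMPLE = "/usr/lib/libcorp-audit.so /tmp/ukpkmkk.so\n"
PRELOAD_ALLOWLIST = {"/usr/lib/libcorp-audit.so"}
PATH_SAMPLE = ["/tmp/ukpkmkk.so", "/usr/lib/x86_64-linux-gnu/libc.so.6",
               "/tmp/notes.sorted", "/dev/shm/x.so.1"]


# --- Live collectors (Linux only; used by main(), not by the checks above) ---

def probe_pids(pid_max: int) -> set:
    """Enumerate live PIDs by stat()ing /proc/<n> rather than listing /proc."""
    return {pid for pid in range(1, pid_max + 1) if os.path.exists(f"/proc/{pid}")}


def ps_pids() -> set:
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def main():
    try:
        with open("/etc/ld.so.preload") as fh:
            preload = fh.read()
    except FileNotFoundError:
        preload = ""  # absent file is the normal state
    print("unexpected preload entries:", check_preload(preload, allowed=set()))

    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    listed = ps_pids()          # take the listing first, then probe
    hidden = find_hidden_pids(probe_pids(pid_max), listed)
    print("pids visible via stat() but missing from ps:", sorted(hidden))

    found = []
    for d in WRITABLE_DIRS:
        for root, _dirs, files in os.walk(d):
            found.extend(os.path.join(root, f) for f in files)
    print("shared objects in writable dirs:", suspicious_shared_objects(found))


if __name__ == "__main__":
    main()
```

Processes that start or exit between the ps snapshot and the probe show up as noise, so a hit from find_hidden_pids should be re-probed a few seconds later before it is treated as a hidden process; a PID that is consistently present under stat() but absent from ps is the signal worth escalating.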

Showboat fits a wider pattern of Linux-focused espionage

Showboat is part of a broader shift in advanced threat activity toward Linux servers, edge systems, routers, and network infrastructure. These systems often sit in trusted positions and may receive less monitoring than user endpoints.

For telecom defenders, the lesson is clear. Linux servers need endpoint telemetry, configuration monitoring, network anomaly detection, and regular threat hunting, especially when they provide access to internal routing, management, or customer-facing systems.

Showboat's long dwell time also shows why organizations should test controls against real attacker behavior. Simulating Linux persistence, proxying, stealth, and command-and-control behavior can reveal whether security tools catch the attack before it becomes a long-term espionage foothold.

FAQ

What is Showboat malware?

Showboat is a Linux-based post-exploitation framework used in cyber-espionage activity against telecommunications organizations. It can spawn a remote shell, transfer files, hide processes, manage command-and-control communication, and act as a SOCKS5 proxy.

Who discovered Showboat malware?

Black Lotus Labs, the threat research team at Lumen, publicly disclosed Showboat. Picus later published analysis and defensive simulation guidance based on the reported malware behavior.

Why is Showboat linked to China-aligned threat actors?

Lumen linked Showboat to PRC-aligned activity based on global telemetry, command-and-control infrastructure correlated with Chengdu, China, and similarities with shared tooling patterns used by China-aligned threat clusters.

How does Showboat hide on Linux systems?

Showboat can fetch and compile a C source file, then abuse the Linux preload mechanism to hook system calls. This can hide malicious processes from common tools such as ps and top.

How can defenders detect Showboat activity?

Defenders should monitor /etc/ld.so.preload changes, unexpected shared object files, suspicious gcc activity, SOCKS5 proxy behavior, unusual outbound connections from Linux servers, and mismatches between process telemetry sources.
