China-Linked Showboat Malware Targets Telecom via Linux

Jennifer Sherman
June 19, 2026

A sophisticated, China-linked malware framework has been quietly active for nearly four years, systematically targeting telecom companies across the Middle East. This persistent and stealthy operation represents a long-term espionage campaign aimed at critical infrastructure within the region.

Showboat is a Linux-based tool that stayed completely hidden from antivirus systems until April 2026, raising serious concerns about the security of critical communications infrastructure worldwide.

Showboat is not your typical piece of malicious software, as it does not lock files or demand ransom. Instead, it gives attackers silent, long-term control over infected systems and the networks connected to them.

The malware runs on AMD x86-64 Linux machines, making it especially dangerous for the kind of servers that telecom companies depend on.

Security researchers at Picus uncovered and documented this threat in a report shared with Cyber Security News (CSN). They found that Showboat had been active since mid-2022 and evaded all 65 antivirus engines on VirusTotal when scanned in May 2025.

That level of invisibility allowed attackers to operate freely inside telecom networks for close to four years without triggering a single alarm.

Analysts attribute the malware with moderate-to-high confidence to threat groups backed by China. This attribution rests on command-and-control infrastructure traced back to Chengdu, China.

The tactics and tools used also closely mirror those seen in other known Chinese advanced persistent threat operations currently active across the region.

The malware has been deployed exclusively against telecommunications companies in the Middle East, a pattern that points to a deliberate, long-running espionage campaign.

Telecom providers handle enormous amounts of sensitive communications data, making them high-value targets for nation-state actors seeking sustained intelligence access.

The narrow geographic and industry focus leaves little doubt about the strategic nature of these attacks.

China-Linked Showboat Malware

Once Showboat runs on a victim machine, it pulls an encrypted configuration file from its built-in command-and-control server.

The configuration is scrambled with a simple XOR cipher using the hardcoded key “look me, AV!”, a phrase that almost feels taunting toward security tools.

Once decoded, the config reveals the server address, port settings, and randomized sleep intervals used between check-ins.

Rather than pinging its server at fixed intervals, which would be easy to flag, Showboat randomizes the wait time between connections. It collects host details including the system name, operating system information, running processes, and even captures a screenshot.

All of that data gets encrypted, encoded in base64, and hidden inside a PNG image field before being sent out, making the traffic appear completely harmless.
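As an added example (not code from the article or from the Picus report), a defender-side check for the PNG smuggling described above: it walks a PNG's chunks and flags tEXt/zTXt fields whose value is one long base64 token rather than short metadata. The sample image, its payload and the 64-byte threshold are constructed for illustration.

```python
import base64
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Free-form text chunks are where a beacon can park a base64 blob without
# breaking the image. iTXt has a more complex layout and is left out here.
TEXT_CHUNKS = {b"tEXt", b"zTXt"}
B64_RE = re.compile(rb"^[A-Za-z0-9+/]{32,}={0,2}$")

def chunk(ctype, body):
    """Build one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def parse_chunks(png):
    """Walk the chunk sequence and return (type, data) pairs."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, chunks = len(PNG_SIG), []
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        chunks.append((ctype, png[pos + 8:pos + 8 + length]))
        pos += 12 + length  # length + type + data + crc
    return chunks

def suspicious_text_chunks(png, min_payload=64):
    """Return (keyword, decoded_size) for text chunks whose value is one long
    base64 token. Legitimate metadata such as 'Software' is short prose."""
    hits = []
    for ctype, body in parse_chunks(png):
        if ctype not in TEXT_CHUNKS:
            continue
        keyword, _, value = body.partition(b"\x00")
        if ctype == b"zTXt":
            value = zlib.decompress(value[1:])  # first byte is the compression method
        if len(value) >= min_payload and B64_RE.match(value):
            hits.append((keyword.decode("latin-1"), len(base64.b64decode(value))))
    return hits

# Constructed sample: a 1x1 PNG whose tEXt 'Comment' carries a base64 blob that
# stands in for the encrypted host-survey data described in the article.
FAKE_PAYLOAD = base64.b64encode(bytes(range(96)))
SAMPLE_PNG = (PNG_SIG
              + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + chunk(b"tEXt", b"Comment\x00" + FAKE_PAYLOAD)
              + chunk(b"IDAT", zlib.compress(b"\x00\x00"))
              + chunk(b"IEND", b""))
```

Running `suspicious_text_chunks(SAMPLE_PNG)` reports the Comment field with a 96-byte decoded payload, while a PNG carrying only a short Software tag produces no hits.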

What makes Showboat especially hard to spot is its “hide” command. When triggered, it fetches a small C source file from a Pastebin page set up by the attackers, compiles it on the victim’s machine, and uses the Linux dynamic loader’s ld.so.preload mechanism to hook system calls.

This makes the malware’s own processes completely invisible to standard tools like ps and top, which administrators use to monitor server activity.

Evasion Techniques and Stealth Design

Showboat’s design reflects a high level of craft, with every major feature built around staying hidden. Its XOR encryption, randomized beaconing, and PNG-based data smuggling all work together to fool both automated security tools and analysts reviewing network logs.

The hardcoded process filter list, which hides entries named “kworkers,” “dbus,” and “autoupdate,” adds yet another layer by mimicking the names of normal system processes.
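The ld.so.preload hiding described under the “hide” command and the kworkers/dbus/autoupdate filter list above suggest three host checks, written here as an added example rather than anything from the article or from Picus: audit /etc/ld.so.preload against an allow-list, find PIDs by probing /proc/<pid> directly instead of listing /proc, and flag processes whose name exactly matches one of the filter names. The sample host data, the /usr/lib directory and the empty allow-list are assumptions.

```python
import os
import subprocess

# Process names the article says Showboat's preload rootkit filters out of ps/top.
SHOWBOAT_FILTER = {"kworkers", "dbus", "autoupdate"}
# Allow-listed preload libraries; an empty /etc/ld.so.preload is the normal
# state. The allow-list is an assumption for this example: tune it per fleet.
EXPECTED_PRELOADS = set()

def audit_ld_so_preload(content):
    """Return ld.so.preload entries that are not allow-listed (empty == clean)."""
    entries = [ln.strip() for ln in content.splitlines() if ln.strip()]
    return [e for e in entries if e not in EXPECTED_PRELOADS]

def probe_pids(max_pid, exists=os.path.exists):
    """Find PIDs by stat()-ing /proc/<pid>/status directly instead of listing
    /proc, so a readdir()-filtering preload library has nothing to filter."""
    return [pid for pid in range(1, max_pid + 1) if exists(f"/proc/{pid}/status")]

def hidden_pids(probed, visible):
    """Cross-view check: PIDs the probe found that ps (or os.listdir) never showed."""
    return sorted(set(probed) - set(visible))

def masquerading(comm_by_pid):
    """PIDs whose comm exactly equals a Showboat filter name. Genuine kernel workers
    are 'kworker/N:M' and the bus daemon is 'dbus-daemon', so an exact hit is a lead."""
    return sorted(pid for pid, comm in comm_by_pid.items() if comm in SHOWBOAT_FILTER)

# Constructed sample: PID 4242 is filtered from ps, its comm mimics a kernel
# worker, and ld.so.preload names the dropped library (the directory is an
# assumption; only the file name ukpkmkk.so comes from the article).
SAMPLE_PRELOAD = "/usr/lib/ukpkmkk.so\n"
SAMPLE_VISIBLE = [1, 2, 700, 1234]
SAMPLE_PROC = {f"/proc/{n}/status" for n in (1, 2, 700, 1234, 4242)}
SAMPLE_COMM = {1: "systemd", 700: "dbus-daemon", 1234: "sshd", 4242: "kworkers"}

if __name__ == "__main__":
    # Live run. Caveat: this interpreter is dynamically linked too, so if the
    # preload library also hooks stat()/open(), repeat the checks from a
    # statically linked tool or from a rescue boot of the disk.
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as f:
            print("unexpected preload entries:", audit_ld_so_preload(f.read()))
    ps = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True).stdout
    pid_max = int(open("/proc/sys/kernel/pid_max").read())  # full sweep, slow but thorough
    print("PIDs hidden from ps:", hidden_pids(probe_pids(pid_max), {int(p) for p in ps.split()}))
```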

The framework supports standard remote access features including file transfers, directory changes, and long-term persistence setup.

The combination of stealth techniques stacked together is what truly sets Showboat apart from most malware in the wild. Remaining undetected for roughly four years is strong proof that layered evasion methods can outlast traditional defenses for a very long time.

Security teams are strongly encouraged to simulate Showboat attack scenarios to check whether their existing controls can detect this kind of threat.

Testing against real malware behavior, across both network infiltration and email delivery paths, gives defenders a sharper view of where the actual gaps are and what needs to be fixed before attackers find those openings first.

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
| --- | --- | --- |
| Domain | telecom.webredirect[.]org | C2 server address found in Showboat’s decrypted configuration file |
| File name | ukpkmkk.c | C source file fetched from Pastebin by the “hide” command and compiled on the victim machine |
| File name | ukpkmkk.so | Compiled shared library injected via ld.so.preload to hide malicious processes |
| File path | /etc/ld.so.preload | Linux persistence mechanism abused by Showboat to hook system calls at startup |
| XOR key | look me, AV! | Hardcoded XOR key used to decrypt Showboat’s configuration file |
| Process filter | kworkers, dbus, autoupdate | Hardcoded process names filtered by Showboat’s rootkit to conceal itself from ps and top |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
