Black Lotus Labs®, the threat research team at Lumen, has uncovered a previously unreported Linux malware family called Showboat, used in a campaign targeting telecommunications organizations across multiple regions. In this post, we break down how the malware works, what our telemetry reveals about the infrastructure behind it, and why these findings matter for defenders tracking persistent threats against critical networks.

Key findings

• Black Lotus Labs identified a new Linux malware family we dubbed “Showboat.” The campaign has been active since at least mid-2022.
• Showboat is a modular post-exploitation framework designed for Linux systems, capable of spawning a remote shell, transferring files and functioning as a Socks5 proxy.
• Multiple threat clusters aligned with the People’s Republic of China (PRC) have been observed using the same post-exploitation frameworks and techniques in recent years. Showboat was in use by at least one, and likely several, PRC-aligned threat activity clusters.
• The campaign impacted a telecommunications provider in the Middle East and impersonated telecom firms in Southeast Asia.
• Black Lotus Labs collaborated with PricewaterhouseCoopers’ Threat Intelligence teams through the research process. We will continue to hunt for samples of this and similar malware to protect our customers and critical infrastructure.

Research overview

Black Lotus Labs discovered a new malware family we have dubbed “Showboat.” Technical artifacts suggest that this campaign has been ongoing since at least mid-2022. Analysis of the malware revealed functions that allow its process to be hidden from system administrators, transfer files and perform Socks5 proxy functions, allowing it to interact with machines deeper within the network. We believe this is the first public reporting of this toolset, one which highlights the persistent targeting of Linux-based systems as access vectors to move deeper into networks.

Using Lumen global telemetry and elements of the network discovered in our research, we believe the malware was used by at least one, and likely several, PRC-aligned activity clusters. At the time of discovery, Showboat was deployed in a campaign against telecommunication providers in the Middle East, and impersonating telecommunications firms in Southeast Asia. Our analysis shows a correlation between command-and-control (C2) nodes and connections associated with IP addresses that correlate to Chengdu, China.

Lumen would like to thank the Cyber Threat Intelligence Team at PricewaterhouseCoopers for their collaboration during this research. Their report on this activity can be found here. Lumen is committed to proactively defending our networks, collaborating with industry partners, and maintaining vigilance against emerging threats to ensure the integrity and reliability of our services.

Background and context

Among China-based threat actors, attribution based solely on tooling has become increasingly difficult given shared national objectives across organizations, along with increased sharing of tools and exploits across actor groups. Shared frameworks such as PoisonIvy, ShadowPad, and more recently NosyDoor, have made attribution through this method increasingly difficult. This notion of resource pooling is reinforced by other reporting. ESET, for example, has reported different PRC-aligned clusters all using the same exploit even when it was a zero-day vulnerability.

We believe that Showboat is the latest post-exploitation framework in use by multiple threat actors aligned with the PRC, and our report reflects the modularity that we and others are observing in the current landscape.

This research covers:

• An analysis of the malware and its functions from a reverse engineering perspective.
• Two different activity clusters, potentially denoting separate campaigns, derived from malware and associated telemetry indicators.

Malware analysis

Our investigation into this campaign began with the malware’s discovery on VirusTotal, triggered by a hit on one of our proactive threat-hunt signatures. As the malware was not directly observed on any live systems, we are unable to comment on the initial access vector or exploit. The sample was compiled for AMD x86-64. When it was submitted to VirusTotal on May 5, 2025, it had a detection rate of zero and remains undetected through April 2026.

The first critical element of Showboat is the configuration file retrieved by the agent to begin installation. The file was XOR-encrypted with a hardcoded key to each byte, using the cheeky phrase: “look me, AV!”

The sample’s first callout is to an embedded C2 server to extract a configuration file (a copy and its breakdown is addressed further in the “Network communications” section of this post). Following extract, it gathers various host configurations, including hostname, operating system information, list of running processes, the process of the agent and a screenshot of the desktop.

The results are then combined with information received from the C2, such as the agent UUID, agent version and sleep intervals. The agent transmits the gathered host-based parameters in a PNG field as an encrypted and base64-encoded string and sends back to the C2 server as shown.

Our analysis revealed several pre-built functions that an operator could call. These functions allow the operators to upload and download files to and from the host machine, hide the agent itself from the process list, obtain persistence as a service, and swap out C2 nodes.

One notable feature is the “hide” command, which enables a process to conceal itself on a host machine by retrieving code stored on external websites such as Pastebin or online forums for use as a “dead drop.” For instance, we found a particular code snippet that was first posted to Pastebin in January 2022. Interactions with this post would likely come from victim systems, as well as from web crawlers, making the “view count” an unreliable indicator of the scale of victimology. The upload date, however, provides a useful reference point for the earliest-seen date of this activity.

Two other network functions that warranted further exploration were the SOCKS5 and portmap functions. These have the same embedded routines except for the URL used in C2 communications. The difference is that one appends the string “SKS” to the URL—likely the SOCKS5 function—while the other function appends “MAP” to the URL, probably with portmap. The actor can first scan for other devices and then connect to them via the Socks5 functionality. The presence of these two functions indicates that the purpose of Showboat is to function as a foothold. This would allow the attackers to interact with machines that are not exposed publicly to the internet and only accessible via the LAN.

Malware: network-based communications

After the initial handshake above to obtain the configuration file and share local host details with the embedded C2, the agent creates a JSON string with information about the infected host, malware version and a unique UUID. This JSON string is “encrypted” using the last 5 digits from the UUID as the key. A copy of a decrypted configuration file is shown below:

SERVER_ADDRESS = telecom.webredirect[.]org

RESOLVE_IP = NULL

SERVER_PORT = 80

PROXY_ADDRESS =

PROXY_PORT = 0

MIN_SLEEP = 5

MAX_SLEEP = 10

SLOW_MODE_MIN_SLEEP = 20

SLOW_MODE_MAX_SLEEP = 25

Resolving this hostname, telecom.webredirect[.]org, identified the C2 node located at IP address 139.84.227[.]139, referred to as the original C2.

Correlated indicators, separate activity clusters and network telemetry

Primary activity cluster

Our investigation took form after extracting the hostname, telecom[.]webredirect[.]org, which provided us with our first active C2 node. We noticed that this IP address, 139.84.227[.]139, had four ports open. The most significant was the self-signed X.509 certificate that used the metadata “My Organization,” whose SHA256 fingerprint started out with 27df475626aafce2ea1548a9f35efb9ad951298c8b11a6adb3ccdfcd5170c677. This fingerprint was the central data point for clustering around what we designate as the “Primary cluster.” (The full list of IP addresses associated with Showboat will be in our GitHub.) We assess with high confidence that all these nodes are associated with Showboat.

Other open ports on 139.84.227[.]139 included 9999, which displayed a Socks5 banner. Next, there was a self-signed x.509 certificate on port 53 (typically associated with DNS) from at least March 15-17, 2025. We hypothesize that the actor could have configured the malware to communicate over port 53 to avoid network security products such as firewalls.

The fourth open port, port 80, had an X.509 certificate present on port 80 with the
SHA256 fingerprint: E28a96f983b8605decd2ac1db16ebad5fa741a6aa4e585a38ade0e5ad7d6cec0. This certificate was also present on and led to a second C2 at IP address 194.135.25[.]132.

Primary cluster interactions with regional telecommunications providers

While pivoting upon network elements associated with the primary cluster, we correlated two IP addresses that hosted domains impersonating regional telecommunications organizations:

• 23.27.201[.]160 which resolved the singtelcom[.]site domain
• 101.36.105[.]222 which resolved the kaztelecom[.]shop domain

Given that two of the domains appeared to mimic specific telecommunications firms, while the original sample contains the generic hostname telecom[.]webredirect[.]org, we can theorize the primary cluster is focused on telecommunications firms, specifically those in Asia. This assessment is also supported by our global telemetry, where we positively confirm at least two victims. We first observed connections from an Outlook server belonging to an Afghanistan-based ISP provider, which communicated with the C2 node 194.135.25[.]132. Connections between these two were seen from December 1, 2025, through February 3, 2026. The second victim identified from the primary cluster geolocated in Azerbaijan.

Possible upstream infrastructure

During our investigation into the primary cluster, we observed one IP address that exhibited the same SHA256 fingerprint as the original C2 but which stood out as it was not correlated to any known VPS provider. This node, 116.169.244[.]208:2096, resolved to China Unicom and roughly geolocated to the region of Chengdu. Since the node was not associated with a VPS, we suspect that this could denote either an upstream IP address or a developer test environment.

Secondary activity clusters and infrastructure

The primary cluster of C2 nodes shared the same SHA256 fingerprint. We expanded the search criteria for similar X.509 certificates that exhibited the same metadata properties, such as the same subject DN and issuer DN, including those that had different SHA256 fingerprints under the suspicion these nodes could be additional Showboat C2s.

Employing a technique like those outlined here by Censys, another 20 C2 nodes were discovered that shared metadata properties, two of which we examine further below. We suspect that the certificate borne by these nodes was likely generated by a common startup script. The use of differing cryptographic values, while retaining core attributes of the certificate, suggests separate campaigns. Each of these C2s had either a single or low number of victims.

These different fingerprints likely denote infrastructure used by other PRC-aligned activity clusters. One notable data point is that we only found one more SHA256 fingerprint, 2229e7f3cabbce4d67cd79c89fd5a100b20e8a99f4a2bf9aac77a978f49eb520, that was observed on two different IP addresses at the same time. All the other suspected C2 nodes had unique SHA256 fingerprints corresponding to a different IP.

We queried the nodes that exhibited the “My Organization” x.509 certificate metadata properties and identified two potential compromises—both stemming from the United States—associated with the C2 at 192.9.141[.]111. The first was active from December 29, 2025, through January 12, 2026, while the second potential victim communicated for approximately one day between November 27 and 28, 2025. Both victims’ traffic was on port 9999, which was associated with the Socks5 proxy service on another C2 node.

An additional C2, 64.176.43[.]209, appeared to communicate with Ukrainian-based IP addresses that geolocated to the disputed territory regions along the western Ukrainian/Russian border. As we have seen in the past, PRC-based actors tend to assign geographical regions to separate activity clusters; we believe with moderate confidence this focus on the Donbas region is another example of shared tooling among distinct groups.

Telecommunications networks remain prime targets for intrusion

Satellite and telecommunications providers continue to be a strategic target for nation-state threat actors, especially those in geographical proximity to major powers. Even when final targets are based in North America, the global interconnectivity of telecommunications firms means that risks can quickly extend worldwide. Because these organizations are essential for transmitting user voice and data, they represent a critical component of any organization’s supply chain.

While some threat actors are increasingly using stealthy, native system tools to evade detection, others still deploy persistent malware implants. The presence of such threats should be taken as an early warning sign, indicating the potential for broader and more serious security issues within affected networks.

As in many of our prior reports, we have seen a shift towards persisting on Linux-based systems and routers, which typically do not run any sort of EDR-based system. Therefore, we encourage organizations to be mindful of their perimeter and continue to monitor events such as east-west traffic from servers that do not clearly map to business processes.

Black Lotus Labs will continue proactively hunting for unique telemetry signals. We will continue to work with the information security community and post updates as we uncover more connections to named activity clusters or interesting data points. We encourage other organizations to report this and share related findings from their observations.

Analysis of showboat was performed by Danny Adamitis, and Steve Rudd with technical editing by Ryan English

Explore more threat intelligence resources

• View current IOCs, which are continuously updated on our GitHub page and continuously updated there. We encourage the community to monitor and alert on these and any similar IOCs.
• Learn how we protect our customers with Lumen Defender^SM.
• Understand modern cyberthreats and what their trajectories signal for the future in our first annual Lumen Defender Threatscape Report.
• Want to collaborate on future research? Connect with us on LinkedIn and X (@BlackLotusLabs).

Discover how Black Lotus Labs’ advanced threat technology identifies and eliminates threats fast, helping to protect your business and keep the internet clean.

_{This content is provided for informational purposes only and may require additional research and substantiation by the end user. In addition, the information is provided “as is” without any warranty or condition of any kind, either express or implied. Use of this information is at the end user’s own risk. Lumen does not warrant that the information will meet the end user’s requirements or that the implementation or usage of this information will result in the desired outcome of the end user. All third-party company and product or service names referenced in this article are for identification purposes only and do not imply endorsement or affiliation with Lumen. This document represents Lumen products and offerings as of the date of issue. Services not available everywhere. Lumen may change or cancel products and services or substitute similar products and services at its sole discretion without notice. © 2026 Lumen Technologies. All Rights Reserved.}

Related resources