Chinese APTs Share Linux Backdoor in Central Asia Telco Attacks

"Showboat" doesn't show off, but clearly it doesn't need to, as it's long helped China spy on small market communications providers.

Nate Nelson, Contributing Writer
Dark Reading, May 21, 2026 (4 Min Read)

For years now, Chinese state-aligned hackers have been spying on telecommunications companies in Central Asia and beyond, using a newly discovered Linux post-exploitation framework. The malware is called "Showboat," or "kworker."

Black Lotus Labs observed different clusters of Showboat activity against totally dissimilar targets — from an Internet service provider (ISP) in Afghanistan to an unknown IP in the disputed Donbas region of eastern Ukraine — suggesting that Chinese advanced persistent threats (APTs) are trading it around.

At least one of those APTs is Calypso, according to PricewaterhouseCoopers (PwC). First observed in 2019, Calypso is one of China's lesser-discussed espionage groups, perhaps because its activity occurs in countries where Western cybersecurity companies have less visibility on average: Afghanistan, Kazakhstan, Turkey, and India, for example. Calypso uses Showboat alongside a Windows backdoor of roughly similar sophistication, called "JFMBackdoor."
The Showboat Exploitation Framework

Showboat is a useful but unexceptional spy tool, which makes it all the more surprising that Chinese threat groups have used it in total secrecy, gathering what might amount to serious geopolitical intelligence for four years running. Its most significant trick, arguably, is its ability to scan for and then infect devices on a local area network (LAN) that aren't otherwise connected to the public Internet.

"So if you do happen to find this in your network, there's probably a whole lot of other bad stuff in the network, and you're about to have a very long weekend," says Danny Adamitis, principal information security engineer at Black Lotus Labs.

Though perfectly capable, Showboat hardly goes toe-to-toe with China's top-of-the-line telco malware. BPFdoor, for example, is an expert in living off the land, almost imperceptibly concealing its command-and-control (C2) traffic in HTTPS requests and Internet Control Message Protocol (ICMP) pings. In Adamitis' assessment, Showboat "is not the best backdoor I've ever seen. To me this feels like almost a newer version of a ShadowPad where it's just [notable for] kind of cool capabilities."

Yet Showboat's banality could be as much a design feature as a flaw. After all, why invest in a highly complex, bespoke tool when something simple and easy gets the job done? Evidence suggests that the malware has been around since at least mid-2022, but by the time the researchers got to it this year, it registered a grand total of zero detections on VirusTotal (VT): as little as any ultra-stealthy, bespoke, native spy multitool that even the best Typhoon has access to.

"You don't necessarily always have to write your backdoors exclusively in assembly and do a weird matching packet thing over ICMP," Adamitis says.
"It appears as though they're still having a moderate degree of success with something that, in my mind, is a little bit more run of the mill."

Where Showboat isn't the right tool, the threat actors that use it can dip into a pool of malware shared broadly among Chinese threat actors. "Red Lamassu (a.k.a. Calypso) has historically used PlugX, a malware family widely shared and reused across multiple China-based threat actors," notes PwC threat intelligence analyst Daniel van Apeldoorn. These days, he adds, "it can tailor its toolset, deploying a Linux backdoor in Linux-heavy environments (such as telecommunications infrastructure, which often runs on Unix-based systems) and a Windows backdoor when targeting corporate or enterprise environments where Windows is dominant."

China's Malware Experiments

Black Lotus Labs researcher Ryan English expands on Adamitis' point. "What China likes to do is they'll designate certain parts of the world as kind of a laboratory. They'll test [malware] against perfectly updated virtual systems, then they'll bring it out into the real world in a small market test. Does this work against that bank in Africa? Does this work against that telco in Vietnam? And if it does, they're feeling more confident to bring it out to more serious targets."

At least some of the data seems to support the interpretation that Showboat was conceived of as a small market solution. Black Lotus Labs tracked multiple, apparently separate Chinese threat clusters passing it around, without committing to it for long, high-value campaigns against any targets of supreme value. For example, one threat cluster seemed to use Showboat rather randomly, connecting at different times to IP addresses in the US and in the Donbas region.
Another deployed it against organizations in countries with less mature cybersecurity on average: an ISP from Afghanistan, and other unnamed victims in Azerbaijan and the Middle East. Meanwhile, the Calypso activity tracked by PwC targeted a telecommunications provider in Afghanistan.

English speculates that Showboat might have found success in these smaller markets. "Somebody said: Perfect is the enemy of good enough. And they let it run. I think that they were probably being economical with that."