Showboat: Linux Backdoor with SOCKS5 Targets Middle Eastern Telecom

Colleagues — a heads-up for the infosec community: we identified Showboat, a modular Linux backdoor with SOCKS5, used against a telecom provider since 2022.
- Lumen/Black Lotus Labs: remote shell, file transfer, SOCKS5; Kaspersky tags it as EvaRAT.
- C2 links point to clusters tied to China (IPs in Chengdu); exfiltrated data embedded in PNGs (Base64); payload fetched from Pastebin (Jan 2022).
- Victims: Afghanistan, Azerbaijan; similar infrastructure tied to compromises in the US and Ukraine.
Recommendations: monitor outbound connections, audit ELF binaries, and segment networks.
Why it matters: Showboat provides persistent access and intra‑LAN proxying.
What measures are you taking against such implants?
#cybersecurity #Linux #threatintel #incidentresponse

