Cybersecurity researchers have disclosed details of a new Linux malware dubbed Showboat that has been put to use in a campaign targeting a telecommunications provider in the Middle East since at least mid-2022. "Showboat is a modular post-exploitation framework designed for Linux systems, capable of spawning a remote shell, transferring files, and functioning as a SOCKS5 proxy," Lumen Technologies Black Lotus Labs said in a report shared with The Hacker News. It's assessed that the malware has been employed by at least one, and possibly more, threat activity clusters affiliated with China, with correlations identified between command-and-control (C2) nodes and IP addresses geolocated to Chengdu, the capital city of the Chinese province of Sichuan. One such threat actor is Calypso (aka Bronze Medley and Red Lamassu), which is known to be active since at least September 2016, targeting state institutions in Brazil, India, Kazakhstan, Russia, Thailand, and Turkey. It was first publicly documented by Positive Technologies in October 2019. Some of the key tools in its arsenal include PlugX and backdoors like WhiteBird and BYEBY, the latter of which is part of a broader cluster tracked by ESET under the moniker Mikroceen. The use of Mikroceen has been attributed to a closer known as SixLittleMonkeys, which, in turn, shares tactical overlaps with another China-linked group referred to as Webworm. This puts Showboat along with other shared frameworks like PlugX, ShadowPad, and NosyDoor that have been used by multiple China-nexus groups. This "resource pooling" reinforces the presence of a digital quartermaster that state-sponsored threat actors from China have relied on to supply them with necessary tooling. The starting point of the investigation was an ELF binary that was uploaded to VirusTotal in May 2025, with the malware scanning platform classifying it as a sophisticated Linux backdoor with rootkit-like capabilities. Kaspersky is tracking the artifact as EvaRAT.