
A newly discovered malware family – dubbed “Showboat” – is targeting telecom providers worldwide in what researchers say is part of a stealth cyber espionage campaign likely linked to Chinese nation-state actors.
- Researchers uncovered a new malware family called “Showboat” targeting international telecom providers in a stealth cyber campaign.
- The malware appears designed for long-term hidden access inside telecom infrastructure, raising espionage and surveillance concerns.
- The findings land as US officials continue warning about China-linked telecom hacks, including the sprawling Salt Typhoon campaign.
New research released on Thursday by Black Lotus Labs, the threat intelligence arm of Lumen Technologies, found that the Linux-based malware has already compromised a Middle East telecom provider and impersonated another in South Asia.
Researchers say the covert Showboat campaign has been ongoing since at least mid-2022, tracing it back to the People's Republic of China.
“Telecoms are not another enterprise target. They’re incredibly attractive to espionage groups who can gain visibility into and control over the systems that connect one organization to another,” Pete Luban, Field CISO at AttackIQ, tells Cybernews.
Black Lotus further describes the malware, attributed to a China-linked advanced persistent threat (APT) group, as a “modular post-exploitation framework, capable of spawning a remote shell, transferring files, and functioning as a Socks5 proxy.”
Basically, Showboat was designed to quietly blend into legitimate network activity – avoiding detection and giving attackers long-term access to targeted telecom infrastructure.
Showboat pushes deeper into networks
According to the Black Lotus blog, the malware functions as a proxy, interacting with machines deeper within the network and staying hidden from system administrators.
Besides moving files and routing malicious traffic through the infected environment, it can also directly communicate with the group’s command-and-control (C2) infrastructure.
The researchers also noted the malware appears modular, meaning operators can deploy different capabilities depending on the target and operational goals.
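To make the proxy capability concrete from the detection side, here is an added example (not code from Black Lotus or from the Showboat sample) that decodes SOCKS5 requests per RFC 1928 and flags any internal host accepting them that is not an approved proxy. The flows, addresses and the approved-proxy list are constructed for the example.

```python
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_NAMES = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}

def parse_socks5_request(payload: bytes):
    """Parse a SOCKS5 request (RFC 1928 section 4):
    VER=0x05 | CMD | RSV=0x00 | ATYP | DST.ADDR | DST.PORT (2 bytes, big-endian).
    Returns (command, host, port) or None if the bytes are not a valid request."""
    if len(payload) < 4 or payload[0] != SOCKS_VERSION or payload[2] != 0x00:
        return None
    cmd, atyp, body = payload[1], payload[3], payload[4:]
    if cmd not in CMD_NAMES:
        return None
    if atyp == 0x01 and len(body) == 6:            # IPv4 address
        host, port_bytes = str(ipaddress.IPv4Address(body[:4])), body[4:]
    elif atyp == 0x03 and body and len(body) == 3 + body[0]:  # length-prefixed domain
        host, port_bytes = body[1:1 + body[0]].decode("ascii", "replace"), body[1 + body[0]:]
    elif atyp == 0x04 and len(body) == 18:         # IPv6 address
        host, port_bytes = str(ipaddress.IPv6Address(body[:16])), body[16:]
    else:
        return None
    return (CMD_NAMES[cmd], host, struct.unpack("!H", port_bytes)[0])

def find_unexpected_proxies(flows, approved_proxies):
    """Flag client->server payloads that are SOCKS5 requests to a server not on
    the approved proxy list. The decoded target shows where the operator was
    trying to reach through the compromised host."""
    findings = []
    for src, dst, payload in flows:
        req = parse_socks5_request(payload)
        if req and dst not in approved_proxies:
            findings.append((src, dst, "%s %s:%d" % req))
    return findings

# Constructed sample flows (src, dst, client payload); addresses are made up.
FLOWS = [
    ("10.0.5.21", "10.0.5.40", bytes([5, 1, 0])),                       # greeting only, no request
    ("10.0.5.21", "10.0.5.40", bytes([5, 1, 0, 1, 10, 0, 9, 12, 0, 22])),  # CONNECT 10.0.9.12:22
    ("10.0.5.21", "10.0.5.40", bytes([5, 1, 0, 3, 9]) + b"core-db01" + bytes([12, 234])),  # CONNECT core-db01:3306
    ("10.0.7.3", "10.0.7.200", bytes([5, 1, 0, 1, 10, 0, 1, 1, 1, 187])),   # approved proxy, port 443
]
APPROVED_PROXIES = {"10.0.7.200"}

if __name__ == "__main__":
    for finding in find_unexpected_proxies(FLOWS, APPROVED_PROXIES):
        print("unexpected SOCKS5 request:", finding)
```

The same parser can be pointed at reassembled TCP payloads from a sensor; a Linux host that answers SOCKS5 requests without being a sanctioned proxy is exactly the bridge Luban describes.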
Luban says Showboat is a good example of why defenders need to think beyond individual malware samples.
“The bigger issue is the path the malware opens once it lands. If attackers can hide processes, move files, proxy traffic, and reach deeper systems, then one compromised Linux host can become a bridge into much more sensitive areas of the network,” the CISO explains.
Luban adds that for telecoms, the risk carries extra weight because of the dependence that downstream customers and partners have on them.
“Security teams need to validate whether their defenses can actually break those paths. A long list of findings is not enough. The question is whether the controls hold when an adversary behaves this way,” he said.
Red Lamassu enters the picture
Meanwhile, PricewaterhouseCoopers’ (PwC) Threat Intelligence group released its own blog post Thursday in collaboration with Black Lotus, highlighting what appears to be a broader campaign focusing on the “Windows-oriented elements of the operation.”
The campaign, run by the China-based threat actor known as Red Lamassu, or Calypso APT, has also targeted telecommunications and government entities since 2019 across the Asia Pacific region, PwC said.
Likely operating out of Sichuan Province, the group is said to use a “fully featured Windows backdoor” – named JFMBackdoor – delivered via DLL side-loading and capable of “remote shell access, file operations, network proxying, screenshot capture, and self-removal.”
Building on the newly reported malware findings, Gilad Friedenreich Maizles, security researcher at SecurityScorecard, shows how the company’s in-house infrastructure-tracking system can reveal adversary infrastructure beyond what is initially reported.
“Our Driftnet analysis expanded on the public reporting by pivoting from a TLS certificate fingerprint tied to the reported Red Lamassu and Showboat infrastructure,” Maizles tells Cybernews.
While PwC associated the certificate with Red Lamassu infrastructure, and Lumen used the same fingerprint to cluster Showboat C2 nodes, Maizles says Driftnet observed 14 additional IP addresses presenting the “same exact certificate, with the exact same thumbprint.”
Those addresses should be treated as additional suspected Showboat C2 servers, he explains.
Maizles says, “A single certificate, IP, or hosting pattern can help defenders uncover additional adversary-controlled infrastructure and take action faster, helping telecom providers and the organizations that rely on them reduce downstream risk across governments, enterprises, and individuals.”
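The certificate pivot Maizles describes, as an added example that is not SecurityScorecard's Driftnet code or the researchers' own tooling: a certificate fingerprint is a hash of the DER-encoded certificate, so hosts in scan data can be grouped by that hash and any host serving the reported certificate but missing from the public report is a candidate for the same infrastructure. The DER blobs, addresses and "reported" values below are constructed.

```python
import hashlib
from collections import defaultdict

def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """A certificate fingerprint is simply a hash of the DER-encoded certificate.
    Windows tooling calls the SHA-1 form a 'thumbprint'; most scan data and
    threat reports publish SHA-256. Returned as lowercase hex, no separators."""
    return hashlib.new(algo, der).hexdigest()

def normalize(fp: str) -> str:
    """Reports print fingerprints as 'AB:CD:...' or 'abcd...'; compare one form."""
    return fp.replace(":", "").replace(" ", "").lower()

def cluster_by_fingerprint(records, algo="sha256"):
    """Group scanned hosts by the certificate they presented."""
    clusters = defaultdict(list)
    for ip, der in records:
        clusters[fingerprint(der, algo)].append(ip)
    return dict(clusters)

def pivot(records, reported_fingerprint, reported_ips, algo="sha256"):
    """Hosts serving the reported certificate that the public report did not list."""
    hits = cluster_by_fingerprint(records, algo).get(normalize(reported_fingerprint), [])
    return sorted(set(hits) - set(reported_ips))

# Constructed stand-in for scan data: (ip, DER certificate bytes). Real records
# carry the actual DER blob from the TLS handshake; these blobs and the RFC 5737
# documentation addresses are made up for the example.
CERT_A = b"\x30\x82\x01\x00constructed-certificate-A"
CERT_B = b"\x30\x82\x01\x00constructed-certificate-B"
SCAN_RECORDS = [
    ("192.0.2.10", CERT_A),
    ("192.0.2.11", CERT_A),
    ("198.51.100.7", CERT_B),
    ("203.0.113.5", CERT_A),
]
REPORTED_FINGERPRINT = fingerprint(CERT_A).upper()  # as a report might print it
REPORTED_IPS = ["192.0.2.10"]

if __name__ == "__main__":
    for ip in pivot(SCAN_RECORDS, REPORTED_FINGERPRINT, REPORTED_IPS):
        print("additional host presenting the reported certificate:", ip)
```

Hosts surfaced this way are leads to verify (shared hosting and reused default certificates also produce matches), which is why the article frames the 14 addresses as suspected rather than confirmed C2.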
New malware echoes familiar China-linked tactics
The discovery comes amid repeated warnings by US officials about Beijing’s sophisticated cyber operations targeting telecommunications infrastructure worldwide.
“Satellite and telecommunications providers continue to be a strategic target for nation-state threat actors, especially those in geographical proximity to major powers,” the researchers warn.
And with Black Lotus noting that the threat actors behind Showboat appear more interested in maintaining stealth access than causing immediate disruption, the activity echoes the same playbook used by other China-linked state actors.
Although researchers did not publicly attribute Showboat to a specific threat group, they did say the activity overlaps with typical tactics, techniques, and procedures (TTPs) observed in other known China-linked nation-state groups.
That includes Salt Typhoon, which security insiders say has been hiding out for years inside more than half a dozen major US telecom companies, quietly siphoning reams of data on everyone from private citizens to high-ranking government officials.