Full Report
Cybersecurity researchers have disclosed details of a new Linux malware dubbed Showboat that has been put to use in a campaign targeting a telecommunications provider in the Middle East since at least mid-2022. "Showboat is a modular post-exploitation framework designed for Linux systems, capable of spawning a remote shell, transferring files, and functioning as a SOCKS5 proxy," Lumen
Analysis Summary
# Tool/Technique: Showboat
## Overview
Showboat is a modular post-exploitation framework and backdoor designed for Linux systems. It is primarily used to establish a persistent foothold within a network, allowing threat actors to conduct internal reconnaissance, pivot through local networks via proxying, and exfiltrate data. It has been active since at least mid-2022 and is associated with China-nexus threat activity.
## Technical Details
- **Type:** Malware family (Modular Framework / Backdoor)
- **Platform:** Linux (ELF binary)
- **Capabilities:** Remote shell access, file transfer (upload/download), internal network scanning, SOCKS5 proxying, and process hiding.
- **First Seen:** Targeted activity detected mid-2022; sample uploaded to VirusTotal in May 2025.
## MITRE ATT&CK Mapping
- **TA0002 - Execution**
- T1059.004 - Command and Scripting Interpreter: Unix Shell (remote shell)
- **TA0003 - Persistence**
- The report describes a persistent foothold but does not document the persistence mechanism, so no technique is assigned here.
- **TA0005 - Defense Evasion**
- T1014 - Rootkit (conceals its process from `ps`/`top`; self-hiding code retrieved from Pastebin)
- **TA0007 - Discovery**
- T1082 - System Information Discovery
- T1046 - Network Service Discovery (internal network scanning)
- **TA0011 - Command and Control**
- T1071.001 - Application Layer Protocol: Web Protocols (C2 over HTTP/S)
- T1090.001 - Proxy: Internal Proxy (SOCKS5 pivot from the compromised host into the LAN)
- T1132.001 - Data Encoding: Standard Encoding (Base64)
- T1001.002 - Data Obfuscation: Steganography (data hidden in PNG fields)
- T1102 - Web Service (code snippets fetched from Pastebin)
- T1105 - Ingress Tool Transfer (operational tools uploaded to the victim)
- **TA0010 - Exfiltration**
- T1041 - Exfiltration Over C2 Channel (files pulled back through the framework)
## Functionality
### Core Capabilities
- **Information Gathering:** Collects detailed host system information and transmits it to the C2 server.
- **File Management:** Supports both uploading operational tools to the victim and downloading (exfiltrating) sensitive files.
- **Remote Shell:** Spawns a remote shell for interactive command execution on the compromised Linux host.
- **Data Encoding:** Base64-encodes and encrypts exfiltrated data and embeds it within PNG file fields so that the transfer passes as an image and evades traffic analysis.
### Advanced Features
- **SOCKS5 Proxy:** Enables the attacker to use the compromised host as a pivot point to reach internal LAN segments not exposed to the internet.
- **Stealth and Rootkit Capabilities:** Employs techniques to conceal its presence from process lists. It has been observed retrieving code snippets from Pastebin to assist in self-hiding.
- **Modular Design:** Functionality is organized as a framework, suggesting it can be updated or expanded with different modules as needed.
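The process-hiding feature described above is the one a host-based check can test for directly. The script below is an added example, not Showboat's code and not taken from the report: `ps` and `top` enumerate `/proc` with `readdir()`, so a userland rootkit that filters `readdir()` results can still be caught by looking up `/proc/<pid>` by name for every possible PID (the same idea as the open-source `unhide` tool's brute mode). It assumes a standard Linux procfs mounted at `/proc`; the helper names are my own.

```python
"""Added example (not Showboat's code, not from the report): brute-force check
for processes hidden from ps/top by comparing readdir() on /proc with direct
lookups of /proc/<pid>.  Assumes a standard Linux procfs at /proc."""
import os

PROC = "/proc"  # assumption: procfs mounted at the usual place


def listed_pids(proc=PROC):
    """PIDs visible through readdir() on /proc, i.e. what ps and top see."""
    try:
        names = os.listdir(proc)
    except OSError:
        return set()
    return {int(n) for n in names if n.isdigit()}


def probed_pids(max_pid, proc=PROC):
    """PIDs that exist when /proc/<pid> is looked up by name, bypassing readdir()."""
    return {pid for pid in range(1, max_pid + 1)
            if os.path.exists(os.path.join(proc, str(pid)))}


def is_thread(pid, proc=PROC):
    """/proc/<tid> resolves for every thread although readdir() lists only
    thread-group leaders, so a TID whose Tgid differs is not a hidden process."""
    try:
        with open(os.path.join(proc, str(pid), "status")) as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except (OSError, ValueError):
        pass
    return False


def hidden_pids(listed, probed):
    """Pure comparison: reachable by name lookup but absent from the listing."""
    return set(probed) - set(listed)


def find_hidden(proc=PROC, max_pid=None):
    """Run the check live.  Processes that start between the two passes would
    look hidden, so a candidate is reported only if it is still absent from a
    fresh listing taken afterwards and is not merely a non-leader thread."""
    if max_pid is None:
        try:
            with open(os.path.join(proc, "sys/kernel/pid_max")) as fh:
                max_pid = int(fh.read())
        except (OSError, ValueError):
            max_pid = 32768  # kernel default when pid_max cannot be read
    candidates = hidden_pids(listed_pids(proc), probed_pids(max_pid, proc))
    fresh = listed_pids(proc)
    return {p for p in candidates
            if p not in fresh
            and not is_thread(p, proc)
            and os.path.exists(os.path.join(proc, str(p)))}


if __name__ == "__main__":
    for pid in sorted(find_hidden()):
        try:
            with open(f"{PROC}/{pid}/comm") as fh:
                name = fh.read().strip()
        except OSError:
            name = "?"
        print(f"hidden pid {pid} ({name})")
```

On hosts where `pid_max` has been raised to 4194304 the probe takes a few seconds. The check catches hiding that works by filtering `readdir()` (preload-library style); a kernel-level rootkit that also hooks path lookup can defeat it, which is why the behavioural indicators in this report (SOCKS5 traffic, internal scanning from a server) still matter.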
## Indicators of Compromise
- **File Hashes:**
- SHA256: `d6a4fad5448838dbc8cc6b33f1dbfbdc7a2fad36de58ff6a66dce96f729f7011`
- **Aliases:** The artifact is tracked as `EvaRAT` by some vendors.
- **Network Indicators:**
- C2 communication geolocated to Chengdu, China.
- Usage of Pastebin `hXXps://pastebin[.]com` for hosting/retrieving stealth code snippets.
- Specific X.509 certificates used for C2 infrastructure.
- **Behavioral Indicators:** Unexpected ELF binaries initiating SOCKS5 proxy traffic or network scanning from a server.
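To turn the SOCKS5 behavioural indicator into something a network analyst can match, it helps to know what the negotiation looks like on the wire. The decoder below is an added example, illustrative code rather than Showboat's implementation: it parses both sides of the RFC 1928 handshake (client greeting, method selection, CONNECT request, reply) so a session can be recognised whatever port it runs over. The flows at the bottom are constructed by hand, not captured traffic, and use documentation address ranges; note that when an implant connects outbound and the operator tunnels SOCKS over that connection, the SOCKS *client* bytes come from the remote side.

```python
"""Added example (illustrative, not Showboat's code): decode the SOCKS5
negotiation from RFC 1928 and pick SOCKS5 sessions out of a list of flows.
The sample flows are constructed, not captured."""
import ipaddress
import struct

ATYP = {0x01: "ipv4", 0x03: "domain", 0x04: "ipv6"}
CMD = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP ASSOCIATE"}
REPLY = {0x00: "succeeded", 0x01: "general failure", 0x02: "not allowed",
         0x03: "network unreachable", 0x04: "host unreachable",
         0x05: "connection refused", 0x06: "TTL expired",
         0x07: "command not supported", 0x08: "address type not supported"}


def _read_addr(data, pos):
    """Decode ATYP, address and port at `pos`; return (kind, host, port, next) or None."""
    if pos >= len(data):
        return None
    atyp = data[pos]
    if atyp == 0x01 and len(data) >= pos + 7:
        host, end = str(ipaddress.IPv4Address(data[pos + 1:pos + 5])), pos + 5
    elif atyp == 0x03 and len(data) >= pos + 2 and len(data) >= pos + 4 + data[pos + 1]:
        n = data[pos + 1]
        host, end = data[pos + 2:pos + 2 + n].decode("ascii", "replace"), pos + 2 + n
    elif atyp == 0x04 and len(data) >= pos + 19:
        host, end = str(ipaddress.IPv6Address(data[pos + 1:pos + 17])), pos + 17
    else:
        return None
    port = struct.unpack("!H", data[end:end + 2])[0]
    return ATYP[atyp], host, port, end + 2


def parse_greeting(data):
    """Client -> proxy: VER NMETHODS METHODS.  Returns (methods, bytes_consumed) or None."""
    if len(data) < 2 or data[0] != 0x05:
        return None
    n = data[1]
    if n == 0 or len(data) < 2 + n:
        return None
    return list(data[2:2 + n]), 2 + n


def parse_method_select(data):
    """Proxy -> client: VER METHOD (0xFF = no acceptable method)."""
    if len(data) < 2 or data[0] != 0x05:
        return None
    return data[1]


def parse_request(data):
    """Client -> proxy: VER CMD RSV ATYP DST.ADDR DST.PORT."""
    if len(data) < 4 or data[0] != 0x05 or data[2] != 0x00:
        return None
    addr = _read_addr(data, 3)
    if addr is None:
        return None
    kind, host, port, _ = addr
    return {"cmd": CMD.get(data[1], f"0x{data[1]:02x}"), "atyp": kind,
            "host": host, "port": port}


def parse_reply(data):
    """Proxy -> client: VER REP RSV ATYP BND.ADDR BND.PORT."""
    if len(data) < 4 or data[0] != 0x05 or data[2] != 0x00:
        return None
    addr = _read_addr(data, 3)
    if addr is None:
        return None
    kind, host, port, _ = addr
    return {"status": REPLY.get(data[1], f"0x{data[1]:02x}"), "bound": f"{host}:{port}"}


def socks5_sessions(flows):
    """flows: (socks_client, socks_server, server_port, client_bytes, server_bytes)
    for the start of each TCP stream.  Returns the ones that complete a
    no-auth SOCKS5 negotiation (RFC 1929 username/password is not modelled)."""
    hits = []
    for client_ip, server_ip, port, client, server in flows:
        greeting = parse_greeting(client)
        if greeting is None or parse_method_select(server) != 0x00:
            continue
        _, used = greeting
        req = parse_request(client[used:])
        rep = parse_reply(server[2:])
        if req is None or rep is None:
            continue
        hits.append({"client": client_ip, "server": server_ip, "server_port": port,
                     **req, "reply": rep["status"]})
    return hits


# Constructed flows (not captured traffic).
GREETING = b"\x05\x01\x00"                         # SOCKS5, one method: no auth
OK = b"\x05\x00"                                   # proxy selects "no auth"
REPLY_OK = b"\x05\x00\x00\x01" + bytes(4) + struct.pack("!H", 0)
SAMPLE_FLOWS = [
    # operator -> implant over 443: CONNECT to an internal SSH host by IP
    ("203.0.113.9", "10.20.0.15", 443,
     GREETING + b"\x05\x01\x00\x01" + bytes([10, 20, 0, 40]) + struct.pack("!H", 22),
     OK + REPLY_OK),
    # same, CONNECT to an internal LDAP server by hostname
    ("203.0.113.9", "10.20.0.15", 443,
     GREETING + b"\x05\x01\x00\x03" + bytes([13]) + b"ldap.corp.lan" + struct.pack("!H", 389),
     OK + REPLY_OK),
    # ordinary HTTP and TLS streams that must not match
    ("10.20.0.15", "198.51.100.7", 80,
     b"GET / HTTP/1.1\r\nHost: example.net\r\n\r\n", b"HTTP/1.1 200 OK\r\n\r\n"),
    ("10.20.0.15", "198.51.100.7", 443,
     b"\x16\x03\x01\x00\x2c\x01\x00\x00\x28\x03\x03" + bytes(32), b"\x16\x03\x03"),
]

if __name__ == "__main__":
    for hit in socks5_sessions(SAMPLE_FLOWS):
        print(hit)
```

The two leading bytes `05 01 00` followed by `05 01 00 01` or `05 01 00 03` are what a signature would key on; the request's destination is what tells you which internal host the pivot was used against.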
## Associated Threat Actors
- **China-Nexus Activity Clusters:** Highly likely used by multiple groups (resource pooling via a "digital quartermaster").
- **UAT-8302:** Linked through infrastructure and shared-tooling overlaps, the same sharing pattern seen with PlugX and ShadowPad.
## Detection Methods
- **Signature-based detection:** Detection of the specific ELF binary (EvaRAT/Showboat).
- **Behavioral detection:** Monitoring for processes that exist in `/proc` but are missing from `ps` or `top` output; watching for internal port scanning or SOCKS5 proxy traffic originating from Linux servers that have no reason to do either.
- **Network Defense:** Inspecting PNG transfers for payloads that do not belong in an image: Base64-looking or oversized text chunks, non-standard chunk types, and bytes appended after the `IEND` chunk.
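Both the "Data Encoding" capability above (data wrapped in Base64 and hidden in PNG fields) and this network-defence bullet come down to the same question: does the PNG carry anything besides pixels? The chunk walker below is an added example of that detection logic, not Showboat's code and not from the report. It parses the file chunk by chunk, checks CRCs, and flags Base64-looking or oversized text chunks, chunk types the PNG specification does not define, and bytes after `IEND`. The two images it runs on are constructed inline (a benign one and one carrying staged host data), so nothing is fetched and no real sample is involved.

```python
"""Added example (illustrative detection logic, not Showboat's code): walk a
PNG chunk by chunk and report places where exfiltrated data can hide.  The
sample images are constructed inline."""
import base64
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification (critical and ancillary).
STANDARD = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt",
            b"tRNS", b"gAMA", b"cHRM", b"sRGB", b"iCCP", b"bKGD", b"pHYs",
            b"sBIT", b"hIST", b"tIME", b"sPLT"}
B64_RE = re.compile(rb"^[A-Za-z0-9+/]{40,}={0,2}$")


def chunk(ctype, payload):
    """Assemble one chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack("!I", len(payload)) + ctype + payload + struct.pack("!I", crc)


def walk(png):
    """Return ([(type, data, crc_ok), ...], bytes_after_IEND)."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, chunks = len(PNG_SIG), []
    while pos + 8 <= len(png):
        length = struct.unpack("!I", png[pos:pos + 4])[0]
        ctype = png[pos + 4:pos + 8]
        if pos + 12 + length > len(png):            # chunk claims more than is there
            chunks.append((ctype, png[pos + 8:], False))
            return chunks, b""
        data = png[pos + 8:pos + 8 + length]
        crc = struct.unpack("!I", png[pos + 8 + length:pos + 12 + length])[0]
        chunks.append((ctype, data, (zlib.crc32(ctype + data) & 0xFFFFFFFF) == crc))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, png[pos:]


def text_value(ctype, data):
    """Split a tEXt/zTXt/iTXt chunk into (keyword, value), inflating zTXt."""
    key, _, rest = data.partition(b"\x00")
    if ctype == b"zTXt" and rest:
        try:
            rest = zlib.decompress(rest[1:])        # one method byte precedes the stream
        except zlib.error:
            pass
    return key, rest


def suspicious(png, max_text=512):
    """Return human-readable findings; an empty list means nothing odd."""
    findings = []
    chunks, trailing = walk(png)
    for ctype, data, crc_ok in chunks:
        name = ctype.decode("latin-1")
        if not crc_ok:
            findings.append(f"{name}: bad CRC or truncated chunk")
        if ctype not in STANDARD:
            findings.append(f"{name}: non-standard chunk type, {len(data)} bytes")
        if ctype in (b"tEXt", b"zTXt", b"iTXt"):
            key, val = text_value(ctype, data)
            label = f"{name} {key.decode('latin-1')}"
            if len(val) > max_text:
                findings.append(f"{label}: {len(val)} bytes of text")
            if B64_RE.match(val):
                decoded = base64.b64decode(val)
                findings.append(f"{label}: Base64 payload, {len(decoded)} bytes decoded")
    ended = bool(chunks) and chunks[-1][0] == b"IEND"
    if not ended:
        findings.append("no IEND chunk: truncated or malformed file")
    elif trailing:
        findings.append(f"{len(trailing)} bytes after IEND")
    return findings


def build_png(extra_chunks=(), trailing=b""):
    """Constructed 1x1 RGB PNG with optional extra chunks before IEND."""
    ihdr = struct.pack("!IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")              # filter 0 + one red pixel
    body = chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat)
    for ctype, payload in extra_chunks:
        body += chunk(ctype, payload)
    return PNG_SIG + body + chunk(b"IEND", b"") + trailing


# Constructed samples: a benign image and one carrying staged host data.
STAGED = base64.b64encode(b"hostname=core-rtr-07;uid=0;kernel=5.10;" * 2)
CLEAN_PNG = build_png([(b"tEXt", b"Software\x00GIMP 2.10")])
STEGO_PNG = build_png([(b"tEXt", b"Comment\x00" + STAGED), (b"prVt", b"\x00" * 64)],
                      trailing=b"\x00SECRET")

if __name__ == "__main__":
    for label, png in (("clean", CLEAN_PNG), ("stego", STEGO_PNG)):
        print(label, suspicious(png) or ["no findings"])
```

Because the report says the payload is encrypted as well as Base64-encoded, the decoded bytes will usually be opaque; the finding is the carrier, not the content. Legitimate images do carry short `tEXt` metadata, so the thresholds (40 Base64 characters, 512 bytes of text) are tuning knobs rather than fixed rules.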
## Mitigation Strategies
- **Prevention measures:** Ensure Linux systems are patched against known vulnerabilities to prevent the initial infection that leads to post-exploitation framework deployment.
- **Hardening recommendations:** Implement EDR/XDR for Linux to monitor system calls and process integrity. Restrict outbound connections from servers to known-good IP addresses only.
- **Access Control:** Enforce least privilege; hiding a process from `ps` and `top` normally requires root (for example to install a preload library or a kernel module), so denying that privilege blunts the rootkit-like features.
## Related Tools/Techniques
- **PlugX / ShadowPad:** Often distributed by the same "digital quartermaster" infrastructure.
- **NosyDoor:** Another Linux backdoor used by similar threat actors.
- **EvaRAT:** Alternate industry name for the Showboat artifact.