Cybersecurity researchers have revealed details of a new Linux malware dubbed floating theater It has been used in a campaign targeting a telecommunications provider in the Middle East since at least mid-2022.
“Showbot is a modular post-exploitation framework designed for Linux systems, capable of spawning a remote shell, transferring files, and acting as a SOCKS5 proxy,” Lumen Technologies’ Black Lotus Labs said in a report shared with The Hacker News.
It has been assessed that the malware is employed by at least one, and possibly more, threat activity groups affiliated with China, identifying a correlation between command-and-control (C2) nodes and IP addresses located in Chengdu, the capital of the Chinese province of Sichuan.
One such threat actor is Calypso (aka Bronze Medley and Red Lamassu), known to be active since at least September 2016, targeting state institutions in Brazil, India, Kazakhstan, Russia, Thailand, and Turkey. It was first publicly documented by Positive Technologies in October 2019.
Some of the key tools in its arsenal include PlugX and backdoors like Whitebird and BYEBY, the latter of which is part of a broader cluster tracked by ESET under the MikroScene moniker. The use of Microsyn is known as SixlittleMonkeys, which, in turn, shares strategic overlap with another group linked to China called Webworm.
This puts Showbot in line with other shared frameworks like PlugX, Shadowpad, and NosyDoor that have been used by several China-nexus groups. This “resource pooling” reinforces the presence of a digital quartermaster that China’s state-sponsored threat actors rely on to supply them with the tooling they need.
The starting point of the investigation was an ELF binary that was uploaded to VirusTotal in May 2025. The malware scanning platform classified it as a sophisticated Linux backdoor with rootkit-like capabilities. Kaspersky is tracking this artifact as EvaRAT.
Danny Adamitis, a security researcher at Black Lotus Labs, told The Hacker News that the exact initial access vector used to distribute the malware is currently unknown. However, in the past, Calypso has been seen taking advantage of the ASPX web shell after exploiting a flaw or breaking into the default account used for remote access.
The rival was one of the first China-aligned groups to weaponize CVE-2021-26855, a security vulnerability in Microsoft Exchange Server that serves as the first step in an exploit chain called ProxyLogon.
The malware is designed to contact the C2 server, gather system information, and send it back to the server in a PNG field as an encrypted and Base64-encoded string. It is also equipped to upload and download files from the host machine, hide its presence from the process list, and manage C2 servers.
To disguise itself on the host machine, Showbot retrieves a code snippet hosted on Pastebin. Paste was created on January 11, 2022. Additionally, the malware can scan other devices and connect to them through the SOCKS5 proxy. This suggests that Showbot’s primary objective is to gain a foothold on compromised systems.
Black Lotus Labs said, “This will allow attackers to interact with machines that are not publicly exposed to the Internet and are only accessible through the LAN.”
Further infrastructure analysis revealed two victims: an Afghanistan-based Internet Service Provider (ISP) and another unknown entity based in Azerbaijan. A secondary C2 cluster using the same X.509 certificates as the original C2 servers has revealed a possible compromise of two in the US and one in Ukraine.
“While some threat actors are increasingly using covert, native system tools to avoid detection, others are still persistently deploying malware implants,” Adamitis said. “The presence of such threats should be taken as an early warning signal, indicating the potential for broader and more serious security issues within the affected network.”
A fully featured Windows implant codenamed JFMBackdoor, used by Calypso in a campaign targeting a telecommunications provider in Afghanistan, is distributed via DLL side-loading.
The attack chain involves a batch script that is used to launch a legitimate executable that then loads the rogue DLL. JFMBackdoor supports a wide range of capabilities, including remote shell access, file operations, network proxying, screenshot capture, and self-removal.
“Targeting Afghanistan and its telecommunications sector is certainly consistent with Red Lamassu’s broader operational goals and objectives,” PricewaterhouseCoopers (PwC) said in a coordinated report.
