China-Linked Showboat Malware Uses Linux Persistence to Target Telecom Companies
A stealthy China-linked malware framework called Showboat has targeted Middle Eastern telecom companies since mid-2022; a May 2025 VirusTotal scan returned zero detections from 65 engines, and the malware went unreported until April 2026.

A sophisticated China-linked malware framework has been quietly targeting telecom companies across the Middle East for nearly four years. Showboat is a Linux-based tool that went undetected by antivirus systems until April 2026, raising serious concerns about the security of critical communications infrastructure worldwide.
Showboat is not a typical piece of malicious software: it does not encrypt files or demand a ransom. Instead, it gives attackers silent, long-term control over infected systems and the networks connected to them. The malware is built for x86-64 (AMD64) Linux, the architecture of the servers that telecom companies depend on. Security researchers at Picus uncovered and documented the threat in a report shared with Cyber Security News. They found that Showboat had been active since mid-2022 and that a VirusTotal scan in May 2025 produced zero detections across all 65 antivirus engines. That level of invisibility let the operators work inside telecom networks for close to four years without a single antivirus detection.
Analysts attribute the malware with moderate-to-high confidence to threat groups backed by China. This attribution rests on command-and-control infrastructure traced back to Chengdu, China. The tactics and tools used also closely mirror those seen in other known Chinese advanced persistent threat operations currently active across the region. The malware has been deployed exclusively against telecommunications companies in the Middle East, a pattern that points to a deliberate, long-running espionage campaign. Telecom providers handle enormous amounts of sensitive communications data, making them high-value targets for nation-state actors seeking sustained intelligence access.
Once Showboat runs on a victim machine, it pulls an encrypted configuration file from its hardcoded command-and-control server. The configuration is encrypted with a simple repeating-key XOR cipher using the hardcoded key "look me, AV!", a phrase that reads as a taunt aimed at security tools. Because the key is static and embedded in the binary, the configuration can be decoded by anyone holding a sample, and the key string itself is an artifact an analyst can search for. Once decoded, the config reveals the server address, port settings, and the bounds of the randomized sleep interval used between check-ins. Rather than contacting its server at fixed intervals, which is easy to flag, Showboat randomizes the wait time between connections. It collects host details including the system name, operating system information, and running processes, and captures a screenshot. All of that data is XOR-encrypted, base64-encoded, and hidden inside a field of a PNG image before being sent out, so the exfiltration traffic resembles an ordinary image transfer.
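The mechanics above, as an added example written for this article rather than code taken from Showboat or from the Picus report: a repeating-key XOR with the reported key "look me, AV!", a configuration parser, a randomized beacon delay, and host data smuggled into a PNG and recovered by a detector. The configuration layout, the field names, the sample host data, and the choice of a PNG tEXt chunk as the carrier are assumptions made so the example runs offline; the article only says the data is placed in a "PNG image field".

```python
"""Added example (not Showboat's code): XOR config decoding, jittered beacon
delay, and PNG-chunk exfil smuggling with the matching detector-side extractor.
Config layout, field names, sample data and the tEXt carrier are assumptions."""
import base64
import json
import random
import struct
import zlib

XOR_KEY = b"look me, AV!"  # hardcoded key reported for Showboat


def xor_crypt(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed config (layout assumed): what a C2 might return, XOR-encrypted.
SAMPLE_CONFIG = {"c2": "203.0.113.10", "port": 8443, "sleep_min": 60, "sleep_max": 600}
ENCRYPTED_CONFIG = xor_crypt(json.dumps(SAMPLE_CONFIG).encode())


def parse_config(blob: bytes) -> dict:
    """Decrypt and validate a config blob fetched from the C2."""
    cfg = json.loads(xor_crypt(blob).decode())
    if not 0 < cfg["sleep_min"] <= cfg["sleep_max"]:
        raise ValueError("bad sleep range")
    return cfg


def beacon_delay(cfg: dict) -> int:
    """Randomized check-in interval: uniform in [sleep_min, sleep_max]."""
    return random.randint(cfg["sleep_min"], cfg["sleep_max"])


PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Length + type + body + CRC32 over type and body, per the PNG spec."""
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))


# Constructed host survey, standing in for hostname/OS/process collection.
SAMPLE_HOST_DATA = {"hostname": "telecom-edge-01", "os": "Linux 5.15.0",
                    "procs": ["sshd", "nginx", "dbus", "kworkers", "autoupdate"]}


def smuggle_in_png(payload: dict, keyword: bytes = b"Comment") -> bytes:
    """XOR + base64 the payload and carry it in a tEXt chunk (assumed carrier)
    of a valid 1x1 RGB PNG, so a naive content check sees only an image."""
    encoded = base64.b64encode(xor_crypt(json.dumps(payload).encode()))
    ihdr = _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    idat = _chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00"))  # filter byte + 1 pixel
    text = _chunk(b"tEXt", keyword + b"\x00" + encoded)
    return PNG_SIG + ihdr + text + idat + _chunk(b"IEND", b"")


SMUGGLED_PNG = smuggle_in_png(SAMPLE_HOST_DATA)


def png_chunks(data: bytes):
    """Yield (type, body) for each chunk, verifying the signature and CRCs."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos < len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC in %r chunk" % ctype)
        yield ctype, body
        pos += 12 + length


def extract_smuggled(png: bytes, max_text: int = 64) -> list:
    """Detector side: flag text chunks larger than a plausible comment
    (threshold is a tuning assumption) and try base64 + known-key XOR on them.
    Returns [(keyword, chunk_size, decoded_or_None)]."""
    findings = []
    for ctype, body in png_chunks(png):
        if ctype in (b"tEXt", b"zTXt", b"iTXt") and len(body) > max_text:
            keyword, _, value = body.partition(b"\x00")
            try:
                decoded = json.loads(xor_crypt(base64.b64decode(value, validate=True)).decode())
            except (ValueError, UnicodeDecodeError):
                decoded = None
            findings.append((keyword.decode("latin-1"), len(body), decoded))
    return findings


if __name__ == "__main__":
    print(parse_config(ENCRYPTED_CONFIG), beacon_delay(SAMPLE_CONFIG))
    print(extract_smuggled(SMUGGLED_PNG))
```

The extractor is the useful half for defenders: a proxy or mail gateway that parses PNG chunks and applies a size threshold to text chunks will surface this kind of smuggling regardless of the key, and the known key lets an analyst recover what was taken. Note that a static XOR key is obfuscation rather than strong encryption; it defeats string matching on the wire, not an analyst holding the sample.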
What makes Showboat especially hard to spot is its "hide" command. When triggered, it fetches a small C source file from a Pastebin page set up by the attackers, compiles it on the victim's machine (which therefore needs a C compiler installed), and registers the resulting shared library in /etc/ld.so.preload, a file the dynamic linker consults so that the listed libraries are loaded into every dynamically linked program. Writing that file requires root. The preloaded library hooks library functions rather than kernel system calls; the usual target is readdir(), which tools such as ps and top use to enumerate /proc, so the malware's processes vanish from the monitoring tools administrators rely on. Statically linked binaries and direct reads of /proc are not affected, and the mere existence of /etc/ld.so.preload on a server is itself a strong indicator, since the file normally does not exist. The hardcoded process filter list, which hides entries named "kworkers," "dbus," and "autoupdate," adds another layer by imitating the names of normal system processes: "kworkers" is a lookalike of the kernel's kworker threads and "dbus" of the D-Bus daemon.
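A hunting routine for the hiding technique described above, as an added example written for this article and not taken from Showboat or the Picus report. It checks /etc/ld.so.preload for entries, compares the PIDs a hooked ps reports against the PIDs visible in /proc, and flags the lookalike names from the report. All inputs are constructed text and dictionaries standing in for the real files and command output; the assumption that the hide list is matched on exact process names is mine, since the article does not say how the filter matches.

```python
"""Added example (not Showboat's code): hunting ld.so.preload process hiding.
Inputs are constructed stand-ins for /etc/ld.so.preload, `ps -eo pid,ppid,comm`
output, and per-PID records read from /proc by a statically linked collector."""
import re

# Names the report says the hide filter matches (exact-match assumed here).
SHOWBOAT_HIDE_NAMES = {"kworkers", "dbus", "autoupdate"}
# Genuine kernel worker threads: kworker/<cpu>:<n>, kworker/u<n>:<m>, optional H suffix.
KWORKER_RE = re.compile(r"^kworker/u?\d+:\d+H?$")

# Constructed /etc/ld.so.preload content; on a clean server the file is absent.
SAMPLE_PRELOAD = "# nothing expected here\n/usr/local/lib/libhide.so\n"

# Constructed `ps -eo pid,ppid,comm` output from a host whose libc is hooked:
# the two malware processes are missing.
SAMPLE_PS = """  PID  PPID COMMAND
    1     0 systemd
    2     0 kthreadd
   17     2 kworker/0:1
  812     1 dbus-daemon
  940     1 sshd
"""

# Constructed records {pid: (ppid, comm)} as read from /proc/<pid>/stat by a
# statically linked tool, which the preloaded library cannot hook.
SAMPLE_PROC = {
    1: (0, "systemd"), 2: (0, "kthreadd"), 17: (2, "kworker/0:1"),
    812: (1, "dbus-daemon"), 940: (1, "sshd"),
    1337: (1, "kworkers"), 2201: (1, "autoupdate"),
}


def preload_entries(preload_text: str) -> list:
    """Non-comment library paths listed in /etc/ld.so.preload. Any entry on a
    server deserves inspection; the file normally does not exist at all."""
    lines = (l.strip() for l in preload_text.splitlines())
    return [l for l in lines if l and not l.startswith("#")]


def parse_ps(ps_text: str) -> dict:
    """Parse `ps -eo pid,ppid,comm` output into {pid: (ppid, comm)}."""
    procs = {}
    for line in ps_text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].isdigit():
            procs[int(parts[0])] = (int(parts[1]), parts[2])
    return procs


def hidden_pids(proc_records: dict, ps_procs: dict) -> set:
    """PIDs present in /proc but absent from ps. A hooked readdir() drops them
    from ps output but cannot change what open("/proc/<pid>/stat") returns."""
    return set(proc_records) - set(ps_procs)


def suspicious_processes(proc_records: dict) -> list:
    """Flag hide-list names and kernel-thread impostors. Real kworker threads
    are children of kthreadd (PID 2) and follow the kworker/<cpu>:<n> pattern;
    a user process named 'kworkers' with PPID 1 fails both tests."""
    out = []
    for pid, (ppid, comm) in proc_records.items():
        reasons = []
        if comm in SHOWBOAT_HIDE_NAMES:
            reasons.append("name in Showboat hide list")
        if comm.startswith("kworker") and (ppid != 2 or not KWORKER_RE.match(comm)):
            reasons.append("kernel-thread lookalike not parented by kthreadd")
        if reasons:
            out.append((pid, comm, reasons))
    return sorted(out)


def hunt(preload_text: str, ps_text: str, proc_records: dict) -> dict:
    """Combine the three checks into one report."""
    return {
        "preload": preload_entries(preload_text),
        "hidden_pids": sorted(hidden_pids(proc_records, parse_ps(ps_text))),
        "suspicious": suspicious_processes(proc_records),
    }


if __name__ == "__main__":
    print(hunt(SAMPLE_PRELOAD, SAMPLE_PS, SAMPLE_PROC))
```

One caveat when running this for real: a Python interpreter is itself dynamically linked, so on a compromised host the preloaded library is loaded into it too and may hook open() on /etc/ld.so.preload or readdir() on /proc. Collect the raw inputs with a statically linked binary (a static busybox, for instance) or from a live-response image, then run the comparison on the collected text.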
Showboat's design reflects a high level of craft, with every major feature built around staying hidden. Its XOR obfuscation, randomized beaconing, and PNG-based data smuggling work together to defeat both signature-based security tools and analysts reviewing network logs. The framework supports standard remote access features including file transfers, directory changes, and long-term persistence setup. The way these stealth techniques are stacked on top of one another is what sets Showboat apart from most malware in the wild.
Security teams are strongly encouraged to simulate Showboat attack scenarios to check whether their existing controls can detect this kind of threat. Testing against real malware behavior, across both network infiltration and email delivery paths, gives defenders a sharper view of where the actual gaps are and what needs fixing before attackers find those openings first. The discovery of Showboat underscores the persistent and evolving threat from Chinese APT groups targeting critical infrastructure, particularly in the telecommunications sector.