What Happened
Cybersecurity researchers have disclosed details of a new Linux malware dubbed Showboat that has been put to use in a campaign targeting a telecommunications provider in the Middle East since at least mid-2022. "Showboat is a modular post-exploitation framework designed for Linux systems, capable of spawning a remote shell, transferring files, and functioning as a SOCKS5 proxy," Lumen
Why It Matters
Researchers report a new modular Linux post-exploitation framework, Showboat, used by China-aligned threat actors against Middle East and APAC telecom providers. It provides a remote shell, file transfer, stealthy persistence, and SOCKS5 proxying, the last of which lets the operator route traffic through the compromised host to reach other systems on the internal network.[1][2] A companion Windows implant, JFMBackdoor, is loaded through a DLL sideloading chain and adds a reverse shell, file and process control, TCP proxying, and screenshot capture.[1][2] From a CyberSE.AI perspective, these implants are an AI supply chain risk because the same telecom and data-center infrastructure often hosts or routes traffic for AI models and agents: a SOCKS5 pivot with long-term persistence can give an adversary indirect reach into AI training data, model APIs, or orchestration layers without ever touching the AI stack directly. Organizations running AI workloads on shared Linux/Windows infrastructure should treat the proxy capability as the main detection opportunity. A pivot proxy is not bound to port 1080 and will not appear in an SBOM, so the useful controls are egress restrictions from hosts that have no business making arbitrary outbound connections, hunting for unexpected listening sockets and SOCKS5-style handshakes in east-west traffic, monitoring for DLL sideloading on Windows hosts, hardening remote access paths, and running continuous compromise assessment around AI hosting environments to limit the blast radius of such post-exploitation frameworks.
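To make the "SOCKS5 pivot" point concrete, the following is an added example, not code from the article or from the Showboat or JFMBackdoor implants. It classifies a captured client/server TCP stream as a SOCKS5 session by walking the handshake rather than trusting the port, and extracts the destination the operator asked to reach, which is the pivot target a responder wants to enumerate. It assumes the implant's proxy speaks standard RFC 1928 SOCKS5 (with RFC 1929 username/password sub-negotiation); the byte strings in `SAMPLES` are constructed by hand to resemble captured traffic and are not real captures.

```python
"""Classify a captured TCP stream as SOCKS5 and pull out the pivot target.

Added example for this page. Assumes standard RFC 1928 / RFC 1929 framing; the
SAMPLES below are constructed by hand, not captured from any real implant.
"""
import ipaddress
import struct

VER = 5
CMDS = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}
METHODS = {0: "no-auth", 2: "username/password", 0xFF: "no-acceptable"}


def _parse_addr(buf: bytes, off: int):
    """Parse ATYP DST.ADDR DST.PORT at buf[off]; return (host, port, new_off) or None."""
    if len(buf) < off + 1:
        return None
    atyp = buf[off]
    off += 1
    if atyp == 1:  # IPv4: 4 bytes
        if len(buf) < off + 6:
            return None
        host = str(ipaddress.IPv4Address(buf[off:off + 4]))
        off += 4
    elif atyp == 4:  # IPv6: 16 bytes
        if len(buf) < off + 18:
            return None
        host = str(ipaddress.IPv6Address(buf[off:off + 16]))
        off += 16
    elif atyp == 3:  # domain name, one length byte then the name
        if len(buf) < off + 1:
            return None
        n = buf[off]
        off += 1
        if len(buf) < off + n + 2:
            return None
        host = buf[off:off + n].decode("ascii", "replace")
        off += n
    else:
        return None
    port = struct.unpack("!H", buf[off:off + 2])[0]
    return host, port, off + 2


def classify_stream(client: bytes, server: bytes) -> dict:
    """Walk the handshake as both sides sent it. Works on any port, since a pivot
    proxy will not sit on 1080. Returns is_socks5 plus, as far as the negotiation
    got, auth, username, command, dst_host, dst_port and the server's REP code."""
    result = {"is_socks5": False}
    # Client greeting: VER NMETHODS METHODS
    if len(client) < 2 or client[0] != VER or client[1] == 0 or len(client) < 2 + client[1]:
        return result
    offered = list(client[2:2 + client[1]])
    c_off = 2 + client[1]
    # Server method selection: VER METHOD (must be one the client offered, or 0xFF)
    if len(server) < 2 or server[0] != VER or (server[1] not in offered and server[1] != 0xFF):
        return result
    method = server[1]
    result.update(is_socks5=True, auth=METHODS.get(method, f"method-{method}"))
    s_off = 2
    if method == 0xFF:
        return result  # refused, but still a SOCKS5 listener worth reporting
    if method == 2:
        # RFC 1929: client sends VER=1 ULEN UNAME PLEN PASSWD, server answers VER STATUS
        if len(client) < c_off + 2 or client[c_off] != 1:
            return result
        ulen = client[c_off + 1]
        result["username"] = client[c_off + 2:c_off + 2 + ulen].decode("ascii", "replace")
        p_off = c_off + 2 + ulen
        if len(client) < p_off + 1:
            return result
        c_off = p_off + 1 + client[p_off]
        if len(server) < s_off + 2 or server[s_off] != 1 or server[s_off + 1] != 0:
            result["auth_ok"] = False
            return result
        result["auth_ok"] = True
        s_off += 2
    # Client request: VER CMD RSV ATYP DST.ADDR DST.PORT
    req = client[c_off:]
    if len(req) < 4 or req[0] != VER or req[2] != 0 or req[1] not in CMDS:
        return result
    parsed = _parse_addr(req, 3)
    if parsed is None:
        return result
    host, port, _ = parsed
    result.update(command=CMDS[req[1]], dst_host=host, dst_port=port)
    # Server reply: VER REP RSV ATYP BND.ADDR BND.PORT; REP 0 means the pivot succeeded
    rep = server[s_off:]
    if len(rep) >= 2 and rep[0] == VER:
        result["rep"] = rep[1]
    return result


# Constructed sample streams (client bytes, server bytes), not real captures.
SAMPLES = {
    "connect-ipv4-noauth": (
        b"\x05\x01\x00" + b"\x05\x01\x00\x01\x0a\x00\x00\x05\x00\x16",      # CONNECT 10.0.0.5:22
        b"\x05\x00" + b"\x05\x00\x00\x01\x00\x00\x00\x00\x00\x00",
    ),
    "connect-domain-userpass": (
        b"\x05\x02\x00\x02" + b"\x01\x05admin\x07hunter2"
        + b"\x05\x01\x00\x03\x0fmodels.internal\x20\xfb",                   # CONNECT models.internal:8443
        b"\x05\x02" + b"\x01\x00" + b"\x05\x00\x00\x01\x00\x00\x00\x00\x00\x00",
    ),
    "plain-http": (b"GET / HTTP/1.1\r\nHost: x\r\n\r\n", b"HTTP/1.1 200 OK\r\n"),
}


def report(samples=SAMPLES) -> dict:
    """Classify every sample stream; returns {name: classification}."""
    return {name: classify_stream(c, s) for name, (c, s) in samples.items()}


if __name__ == "__main__":
    for name, res in report().items():
        print(name, res)
```

In practice the two byte strings come from a flow reassembler (for example the payload of each direction of a Zeek or tcpdump-derived flow); any stream that classifies as SOCKS5 on a host that is not a sanctioned proxy is an immediate lead, and the `dst_host`/`dst_port` fields tell you which internal systems the operator was pivoting toward.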
CyberSE Analysis
This signal maps to the AI supply chain risk class. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether a persistent implant with proxying capability on shared infrastructure could lead to unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.
Recommended Actions
- Hunt for unexpected listening sockets and SOCKS5-style handshakes on Linux hosts in telecom, data-center, and AI hosting environments; a pivot proxy will not use a predictable port.
- Restrict egress from hosts that have no business making arbitrary outbound connections, so a remote shell or proxy implant has nowhere to call home.
- Monitor Windows hosts for DLL sideloading (signed executables loading DLLs from writable or unusual paths), the delivery path reported for JFMBackdoor.
- Restrict AI agent tool permissions and production write paths.
- Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
- Add human approval workflows for high-impact or state-changing actions.
- Run prompt injection and indirect prompt injection tests against affected workflows.
- Document the owner, control gap, and remediation deadline for this risk class.
Source
https://thehackernews.com/2026/05/showboat-linux-malware-hits-middle-east.html