Chinese APTs Share Linux Backdoor in Telco Attacks

Breaking cybersecurity news, news analysis, commentary, and other content from around the world, with an initial focus on the Middle East & Africa and the Asia Pacific

"Showboat" doesn't show off, but clearly it doesn't need to, as it's long helped China spy on small market communications providers.

May 21, 2026

For years now, Chinese state-aligned hackers have been spying on telecommunications companies in Central Asia and beyond, using a newly discovered Linux post-exploitation framework.

The malware is called "Showboat," or "kworker." Black Lotus Labs observed different clusters of Showboat activity against totally dissimilar targets — from an Internet service provider (ISP) in Afghanistan to an unknown IP in the disputed Donbas region of eastern Ukraine — suggesting that Chinese advanced persistent threats (APTs) are trading it around.