A sophisticated malware known as ‘Showboat’ has been targeting telecom companies across the Middle East since 2022, according to cybersecurity firm Picus Security.
Researchers said that this Linux-based malware remained undetected by antivirus software for years: none of the 65 antivirus engines on VirusTotal detected it when it was scanned in May 2025.
Unlike ransomware, Showboat does not encrypt files or demand payment. Instead, it gives attackers long-term access to infected systems, allowing them to gather information and control networks unnoticed.
Researchers believe the malware is linked to China-backed threat groups. The assessment is based on command-and-control infrastructure traced to Chengdu and similarities to other known Chinese cyber-espionage operations.
Showboat collects system information, running processes, and screenshots from infected devices. The stolen data is encrypted and hidden inside image files before being sent to attacker-controlled servers. The malware also includes advanced stealth features that can hide its processes from common Linux monitoring tools.