The disclosure of "Showboat," a modular Linux malware framework targeting a Middle East telecommunications provider, signals a focused escalation in threats against critical infrastructure. Active since mid-2022, this malware is not merely a script; it is a full-featured post-exploitation framework capable of remote shell access, file transfer, and—most critically for defenders—SOCKS5 proxying.
For SOC analysts and IR responders, the presence of Showboat indicates a compromised node likely being used for lateral movement and data exfiltration. The urgency is high: if you manage Linux assets in the telecom or critical infrastructure sectors, you must assume similar reconnaissance is occurring. This post provides the technical TTPs, detection logic, and remediation steps necessary to hunt for and eradicate this threat.
Technical Analysis
Affected Products & Platforms:
- Platform: Linux (Specific distribution not disclosed, treat as applicable to all enterprise Linux distros).
- Sector: Telecommunications (initially observed in the Middle East).
Malware Capabilities & TTPs: Showboat is a modular framework, meaning its core functionality can be extended via plugins. Based on the intelligence from Lumen, the framework exhibits the following core behaviors:
- Remote Shell Execution: Provides attackers with interactive command-line access to the compromised host, allowing for privilege escalation and reconnaissance.
- File Transfer: Enables the upload and download of files, facilitating the exfiltration of sensitive data or the ingestion of additional malware modules.
- SOCKS5 Proxy: This is the defining characteristic of Showboat. By turning the compromised Linux server into a SOCKS5 proxy, attackers can tunnel traffic through the victim's infrastructure. This obfuscates the source of malicious traffic and allows the attacker to pivot laterally into internal networks that are not directly exposed to the internet.
Exploitation Status:
- Status: Confirmed Active Exploitation (In-the-wild).
- Timeline: Active campaigns since at least mid-2022.
Detection & Response
Given the active nature of this threat and its focus on establishing persistence and C2 channels, detection must focus on anomalous process execution and network socket behavior. Below are detection rules and hunt queries designed to identify the specific TTPs associated with Showboat.
---
title: Potential Linux Proxy or Suspicious Network Listener
id: 8a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects processes listening on non-standard high ports or typical proxy ports which may indicate a SOCKS5 proxy implant like Showboat. Focuses on processes not running from standard binary paths.
references:
- https://thehackernews.com/2026/05/showboat-linux-malware-hits-middle-east.html
author: Security Arsenal
date: 2026/05/20
tags:
- attack.command_and_control
- attack.t1090.001
logsource:
category: network_connection
product: linux
detection:
selection:
EventDirection: 'listen'
DestinationPort|in:
- 1080
- 1081
- 1050
- 8888
filter_standard_paths:
Image|startswith:
- '/usr/bin/'
- '/usr/sbin/'
- '/bin/'
- '/sbin/'
condition: selection and not filter_standard_paths
falsepositives:
- Legitimate proxy servers running from custom locations
- Admin-configured tunnels (SSH)
level: high
---
title: Linux Web Server Spawning Shell
id: 9b2c3d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects web server processes spawning shell processes, a common technique for initial access or establishing a reverse shell as seen with frameworks like Showboat.
references:
- https://attack.mitre.org/techniques/T1059/004/
author: Security Arsenal
date: 2026/05/20
tags:
- attack.execution
- attack.t1059.004
- attack.initial_access
- attack.t1190
logsource:
category: process_creation
product: linux
detection:
selection_parent:
ParentImage|endswith:
- '/httpd'
- '/nginx'
- '/apache2'
selection_child:
Image|endswith:
- '/bash'
- '/sh'
- '/zsh'
- '/perl'
- '/python'
condition: selection_parent and selection_child
falsepositives:
- Legitimate administrative CGI scripts
- Server management utilities
level: high
---
title: Suspicious File Execution from Temporary Directories
id: 0c3d4e5f-6a7b-8c9d-0e1f-2a3b4c5d6e7f
status: experimental
description: Detects execution of binaries from /tmp, /var/tmp, or /dev/shm, which is a common behavior for malware dropping payloads or modules.
references:
- https://thehackernews.com/2026/05/showboat-linux-malware-hits-middle-east.html
author: Security Arsenal
date: 2026/05/20
tags:
- attack.defense_evasion
- attack.t1564.001
logsource:
category: process_creation
product: linux
detection:
selection:
Image|startswith:
- '/tmp/'
- '/var/tmp/'
- '/dev/shm/'
condition: selection
falsepositives:
- Developers testing code in tmp
- Installer scripts
level: medium
KQL (Microsoft Sentinel / Defender)
This query hunts for Linux processes establishing outbound network connections, specifically looking for anomalies associated with proxy behavior or reverse shells. It leverages Syslog or DeviceNetworkEvents depending on your ingestion method.
// Hunt for Showboat Linux Malware Network Activity
// Focus on suspicious outbound connections and listening sockets
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where DeviceOS == "Linux"
| where ActionType in ("ConnectionAccepted", "ConnectionInitiated", "ListeningSocket")
// Filter for common proxy ports or high random ports often used by C2
| where RemotePort in (1080, 1081, 443, 8080, 8443) or RemotePort > 1024
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteIP, RemotePort, ActionType, InitiatingProcessFolderPath
// Look for processes not in standard paths
| where InitiatingProcessFolderPath !startswith "/usr/bin"
and InitiatingProcessFolderPath !startswith "/usr/sbin"
and InitiatingProcessFolderPath !startswith "/bin"
| order by Timestamp desc
Velociraptor VQL
This artifact hunts for processes exhibiting Showboat-like behavior: specifically, listening sockets on non-standard ports and processes running from temporary directories.
-- Hunt for Showboat Indicators on Linux Endpoints
-- 1. Check for suspicious listening sockets (SOCKS5 Proxy behavior)
SELECT
Fqdn,
Pid,
ProcessName,
Family,
State,
LocalAddress,
LocalPort,
RemoteAddress,
RemotePort
FROM listen_sockets()
WHERE LocalPort > 1024
AND ProcessName NOT IN ('sshd', 'nginx', 'apache2', 'httpd', 'dockerd', 'containerd')
-- 2. Check for processes executing from /tmp or /dev/shm
SELECT
Pid,
Ppid,
Name,
Exe,
Ctime,
Username,
CommandLine
FROM pslist()
WHERE Exe =~ '^/tmp/'
OR Exe =~ '^/var/tmp/'
OR Exe =~ '^/dev/shm/'
Remediation Script (Bash)
Use this script to perform an initial triage on a suspected Linux host. It checks for suspicious listening sockets and processes in temporary directories.
#!/bin/bash
# Showboat Linux Malware Triage Script
# Usage: sudo ./triage_showboat.sh
echo "[*] Starting Showboat Triage - $(date)"
echo "[+] Checking for processes listening on high ports (Potential SOCKS5 Proxy)..."
# Sockets listening on ports > 1024, excluding common safe paths, requires ss or netstat
if command -v ss &> /dev/null; then
ss -tulnp | awk 'NR>1 && $4 ~ /:.*:[1-9][0-9]{3,}/ && $0 !~ /"(nginx|httpd|apache2|docker|sshd)"/'
else
netstat -tulnp | awk 'NR>2 && $4 ~ /:.*:[1-9][0-9]{3,}/ && $0 !~ /(nginx|httpd|apache2|docker|sshd)/'
fi
echo "[+] Checking for executing binaries in /tmp, /var/tmp, /dev/shm..."
# Find running processes mapped to executables in temp directories
for pid in $(ls -1 /proc 2>/dev/null | grep -E '^[0-9]+$'); do
if [ -L "/proc/$pid/exe" ]; then
exe_path=$(readlink -f /proc/$pid/exe)
if [[ "$exe_path" == /tmp/* ]] || [[ "$exe_path" == /var/tmp/* ]] || [[ "$exe_path" == /dev/shm/* ]]; then
echo "[!] Suspicious Process Found: PID: $pid, Path: $exe_path"
ps -p $pid -o pid,uid,cmd
fi
fi
done
echo "[+] Checking for established connections to non-standard remote ports..."
if command -v ss &> /dev/null; then
ss -tunap | awk 'NR>1 && $5 ~ /:.*:[1-9][0-9]{3,}/ {print}'
fi
echo "[*] Triage Complete."
Remediation
If Showboat or its indicators are detected, immediate action is required to contain the breach and prevent lateral movement via the identified proxy capabilities.
-
Isolation: Immediately disconnect the infected host from the network. Do not rely solely on software firewalls on the host, as the malware may attempt to bypass them. Physically disconnect or isolate via VLAN ACLs.
-
Process Termination & Removal:
- Kill the malicious process IDs identified during triage.
- Remove the malicious binary and any dropped modules (often found in
/tmp,/var/tmp, or hidden directories within/var. - Search for and remove cron jobs or systemd services created for persistence. Check
/etc/cron*,/etc/systemd/system/, and~/.config/systemd/user/.
-
Credential Reset: Assume credentials have been compromised. Reset all credentials (root, user accounts, and database credentials) accessible from the infected host. Rotate SSH keys.
-
Egress Filtering: Implement strict egress firewall rules to block outbound traffic on non-standard ports, specifically targeting common proxy ports (1080, 1081, etc.) and restricting outbound traffic to known necessary destinations.
-
Re-imaging: Due to the modular nature of Showboat and potential for rootkits or hidden kernel modules, the only way to guarantee complete removal is to wipe the drive and re-image the server from a known clean, gold-standard backup. Restoring from a backup taken after the infection (mid-2022 onwards in this context) risks reintroducing the malware.
Related Resources
Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.