APT / THREAT GROUP

Showboat

2 aliases
Last seen: Jun 27, 2026

Intelligence Profile

According to Picus Security, Showboat is a modular post-exploitation framework implemented as a 64-bit ELF binary targeting AMD x86-64 Linux systems, used for long-term, covert access rather than initial compromise or encryption. It retrieves an XOR-encrypted configuration from its command-and-control server, uses randomized sleep intervals, and wraps host telemetry (including system information, running processes, and screenshots) in an encrypted, base64-encoded JSON blob disguised inside PNG metadata for beaconing. The framework provides standard remote access capabilities such as file transfer, directory and filesystem manipulation, and configurable persistence. For stealth, it can download and compile an additional C-based component on the victim and leverage dynamic linker preload mechanisms to hook system-level functions and hide selected processes from userland monitoring tools.
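As an added defensive example (not code from Picus Security or from the framework itself), the Python sketch below inspects PNG files captured from outbound traffic and flags textual metadata chunks that carry a long base64 run decoding to mostly non-printable bytes, which is the shape of the beacon described above. The page does not say which metadata field is used, so the choice of `tEXt`/`iTXt`/`zTXt` chunks, the 64-character and 48-byte thresholds, the printable-ratio cutoff, and the sample PNG are all assumptions constructed for illustration.

```python
import base64, binascii, re, struct, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = {b"tEXt", b"iTXt", b"zTXt"}  # assumed carriers; the page names no field
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")  # assumed minimum blob size

def iter_chunks(png):
    """Yield (type, data) per chunk, validating length and CRC."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data, crc = png[pos + 8:pos + 8 + length], png[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(crc) != 4:
            raise ValueError("truncated chunk")
        if struct.unpack(">I", crc)[0] != zlib.crc32(ctype + data):
            raise ValueError("bad chunk CRC")
        yield ctype, data
        pos += 12 + length

def suspicious_text_chunks(png, min_decoded=48, max_printable=0.8):
    """Return (chunk, keyword, decoded_len) for text chunks holding opaque base64."""
    findings = []
    for ctype, data in iter_chunks(png):
        if ctype not in TEXT_CHUNKS:
            continue
        keyword, _, value = data.partition(b"\x00")
        if ctype == b"zTXt":  # method byte, then deflate; cap output at 1 MiB
            try:
                value = zlib.decompressobj().decompress(value[1:], 1 << 20)
            except zlib.error:
                continue
        for m in B64_RUN.finditer(value):
            try:
                raw = base64.b64decode(m.group(), validate=True)
            except binascii.Error:
                continue
            printable = sum(32 <= b < 127 for b in raw) / max(len(raw), 1)
            if len(raw) >= min_decoded and printable < max_printable:
                findings.append((ctype.decode(), keyword.decode("latin-1"), len(raw)))
    return findings

def chunk(ctype, data):
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def build_sample(text):
    """Constructed 1x1 grayscale PNG with one tEXt 'Comment' chunk (sample data)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return (PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"tEXt", b"Comment\x00" + text)
            + chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND", b""))
```

A hit is a triage lead rather than a verdict: legitimate tools also embed base64 in PNG metadata, so correlate findings with the destination host and the sending process.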

Threat Analysis

Showboat is a threat actor of undetermined national origin engaged in cyber operations; its primary motivation and activity patterns are unknown.

Quick Facts

Type: APT / Threat Group
Aliases: 2

Also Known As

elf.showboat, Showboat

External Intelligence

Malpedia: elf.showboat

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.