Cyble uncovered ShadowHS, a fileless Linux post‑exploitation framework that uses an encrypted, obfuscated POSIX shell loader to reconstruct and execute a weaponized variant of hackshell entirely in memory. The framework emphasizes stealth and operator-driven control—fingerprinting EDR/AV, enabling covert GSocket-backed rsync exfiltration, credential theft, lateral movement, and on‑demand cryptomining—while leaving no persistent disk artifacts. #ShadowHS #hackshell
Key points
- ShadowHS is a multi-stage, password‑protected AES-256-CBC encrypted shell loader that reconstructs and executes a weaponized hackshell payload entirely from memory via /proc//fd/ without writing to disk.
- The payload is interactive and operator-driven, prioritizing reconnaissance, EDR/AV fingerprinting, and OPSEC checks before enabling higher‑risk modules such as credential theft, privilege escalation, lateral movement, or cryptomining.
- Extensive runtime defenses include argv[0] spoofing, shell history disabling, PATH/TMPDIR/HOME relocation, and active termination of competing miners or implants to minimize detection and forensic traces.
- Covert data staging and exfiltration are implemented via GSocket‑backed rsync transports (gs-dbus and gs-netcat) routed through a hardcoded rendezvous, avoiding standard SSH/SCP/SFTP channels and firewall detection.
- Dormant, on‑demand modules provide memory dumping for credential extraction, SSH scanning and brute force (rustscan + spirit), kernel exploit deployment, and multiple GPU/CPU mining workflows (XMRig, XMR‑Stak, GMiner, lolMiner).
- The loader enforces dependency validation (openssl, perl, gunzip) and uses execution context awareness (source/eval/exec, Bash/Zsh compatibility) and byte-offset reconstruction (R=4817) to prevent static recovery of the payload.
- Detection and response require visibility into in‑memory execution, argv spoofing anomalies, kernel telemetry, and monitoring of non‑standard user‑space tunneling or rsync transports used for data movement.
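A small host-side hunt for the artifacts the key points above call for (memfd-backed or deleted executables, argv[0] that does not match the running interpreter, scripts sourced from a /proc/<pid>/fd descriptor, and the gs-netcat/gs-dbus transports). This is an added example, not Cyble's tooling or code from the framework; the interpreter list, the "loader.sh" argv[0] and the pids used below are constructed assumptions for illustration.

```python
import os
import re

INTERPRETERS = {"bash", "sh", "dash", "zsh", "perl"}  # assumed set worth scoring
SUSPICIOUS_TRANSPORTS = {"gs-netcat", "gs-dbus"}  # GSocket rsync transports
FD_PATH = re.compile(r"/(?:proc/(?:\d+|self)|dev)/fd/\d+")


def classify(exe_target: str, cmdline: bytes) -> list:
    """Return reasons to flag one process, given its /proc/<pid>/exe link
    target and the raw NUL-separated /proc/<pid>/cmdline. No /proc access
    here, so it can be exercised with constructed inputs."""
    reasons = []
    argv = [a.decode(errors="replace") for a in cmdline.split(b"\0") if a]
    real = os.path.basename(exe_target.replace(" (deleted)", ""))
    # Signal 1: the mapped binary is a memfd object or was unlinked after exec.
    if exe_target.startswith("/memfd:") or exe_target.endswith(" (deleted)"):
        reasons.append(f"in-memory executable: {exe_target}")
    if argv:
        argv0 = os.path.basename(argv[0])
        # Signal 2: argv[0] claims a name other than the interpreter running.
        # Login shells prefix argv[0] with "-" and many daemons rewrite it,
        # so only shell/perl interpreters are scored to keep noise down.
        if real in INTERPRETERS and argv0 != real and not argv0.startswith("-"):
            reasons.append(f"argv[0] {argv0!r} does not match exe {real!r}")
        # Signal 3: the script exists only as an open descriptor, not a file.
        reasons += [f"script read from descriptor: {a}"
                    for a in argv[1:] if FD_PATH.fullmatch(a)]
    if real in SUSPICIOUS_TRANSPORTS:
        reasons.append(f"GSocket transport running: {real}")
    return reasons


def scan_proc(proc_root: str = "/proc") -> dict:
    """Walk a live /proc; map pid -> reasons for processes with any signal."""
    hits = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            exe = os.readlink(os.path.join(proc_root, entry, "exe"))
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as fh:
                reasons = classify(exe, fh.read())
        except OSError:  # exited, kernel thread, or not ours to inspect
            continue
        if reasons:
            hits[int(entry)] = reasons
    return hits
```

Run scan_proc() as root to see the whole process table; unprivileged runs only see the caller's own processes, and a process that has already exited between the two reads is skipped rather than misreported.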
MITRE Techniques
- [T1059.004] Command and Scripting Interpreter – The loader and payload are implemented in POSIX shell and Perl and run via standard shells (‘The loader and payload are implemented entirely in POSIX shell and Perl, enabling execution through standard shell interpreters without introducing foreign binaries.’)
- [T1620] Reflective Code Loading – The payload is decrypted, reconstructed and executed directly from memory via anonymous file descriptors under /proc//fd/ (‘The payload is decrypted, decompressed, and executed directly from memory via anonymous file descriptors under /proc//fd/, never touching disk.’)
- [T1036.005] Masquerading: Match Legitimate Name or Location – The payload spoofs argv[0] to appear as the loader script and hide true process attribution (‘The payload spoofs argv[0] to match the loader script name, causing process listings and /proc//cmdline to resolve to a benign-looking script.’)
- [T1070] Indicator Removal on Host – The payload removes artifacts and hardens the environment by disabling history, cleaning command artifacts and relocating HOME/TMPDIR (‘The payload aggressively disables shell history, cleans command artifacts, relocates HOME/TMPDIR, and avoids filesystem writes to minimize forensic traces.’)
- [T1562.001] Impair Defenses: Disable or Modify Tools – The framework detects EDR/AV and exposes operator functions to terminate competing malware or defensive agents (‘The framework detects EDR/AV tooling and exposes operator functions that can terminate competing malware, miners, or defensive agents.’)
- [T1082] System Information Discovery – The payload fingerprints OS, kernel, active users, PTYs and privilege boundaries to inform operator decisions (‘The payload collects OS, kernel, user sessions, PTYs, and privilege context to inform operator decision-making during interactive access.’)
- [T1083] File and Directory Discovery – Extensive /proc and filesystem inspection enumerates executables, deleted binaries and memfd-backed artifacts (‘Extensive inspection of /proc and system paths is performed to enumerate executables, deleted binaries, and memory-backed artifacts.’)
- [T1518.001] Software Discovery: Security Software – Path- and service-based checks enumerate commercial EDRs, cloud agents and telemetry collectors (‘The payload performs both path-based and service-based discovery for dozens of EDR, AV, cloud agents, OT tools, and log shippers.’)
- [T1016.001] Network Service Discovery – Dormant scanning modules (e.g., rustscan) enumerate reachable SSH endpoints for lateral movement (‘Dormant scanning modules support SSH discovery and enumeration of reachable services for potential lateral movement.’)
- [T1555] Credentials from Password Stores – In-memory dumping routines enable extraction of credentials/secrets from live processes when invoked (‘Memory-dump routines present in the payload enable the extraction of credentials and secrets from live processes when invoked by the operator.’)
- [T1021.004] Remote Services: SSH – SSH brute-force and pivoting tooling supports legacy crypto to access older hosts (‘SSH-based access and pivoting are supported, including forced use of legacy cryptographic algorithms to access older infrastructure.’)
- [T1005] Data from Local System – Interactive commands collect targeted host data, process info and sensitive artifacts for operator-led collection (‘Interactive operator commands allow targeted collection of host data, process information, and sensitive artifacts without bulk exfiltration.’)
- [T1048.003] Exfiltration Over Alternative Protocol – Data staging/exfiltration uses rsync over GSocket user‑space tunnels to avoid traditional C2 channels (‘Data can be staged or exfiltrated using legitimate synchronization utilities over user‑space tunnels, avoiding traditional C2 channels.’)
- [T1496] Resource Hijacking – Dormant CPU/GPU mining modules (XMRig, GMiner, XMR‑Stak, lolMiner) can be activated on demand for cryptomining (‘Dormant CPU/GPU mining modules can be activated on demand, supporting multiple miners and pool configurations.’)
Indicators of Compromise
- [IPv4] Primary infrastructure and relay endpoints – 91.92.242[.]200 (primary payload staging), 62.171.153[.]47 (operator-controlled exfiltration rendezvous)
- [SHA-256] Loader, payload, tools and exploit artifacts – 20c1819c2fb886375d9504b0e7e5debb87ec9d1a53073b1f3f36dd6a6ac3f427 (main obfuscated shell loader), 9f2cfc65b480695aa2fd847db901e6b1135b5ed982d9942c61b629243d6830dd (weaponized hackshell payload), and 28 more hashes
- [Domain] Mining pools and infrastructure used by miners – kawpow.na.mine.zergpool[.]com, kawpow.asia.mine.zergpool[.]com
- [File Name] Notable referenced binaries and exploit files – ex/dirtypipe.x86_64 (Dirty Pipe exploit variant), ex/payload.c (exploit source code)
- [Crypto Wallet] Hardcoded miner wallet identifiers used for payouts – GMiner wallet 88H9UmU6QyYiGeZdR6hXZJXtJF9Z8zLHDQbC1NV1PDdjCynBq3QKzB1fo1NRhgMX4cBx68Rva5msyKW3PGXfPhCA4itHmiv, XMR‑Stak payout RYoNsBiFU6iYi8rqkmyE9c4SftzYzWPCGA3XvcXbGuBYcqDQJWe8wp8NEwNicFyzZgKTSjCjnpuXTitwn6VdBcFZEFXLcY4DwEsWGnj1SC1Sgq
Read more: https://cyble.com/blog/shadowhs-fileless-linux-post-exploitation-framework/