File Path-based EDR Detection | Image: CRIL
Cyble Research & Intelligence Labs (CRIL) has uncovered a sophisticated Linux intrusion chain dubbed ShadowHS, a campaign that leverages a highly obfuscated, fileless loader to deploy a weaponized version of the open-source tool “hackshell.”
Unlike typical Linux malware that immediately starts burning CPU cycles for crypto-mining or flooding networks with DDoS traffic, ShadowHS is designed for the long game. It transforms compromised servers into interactive, operator-controlled assets while leaving almost no trace on the disk.
The core innovation of ShadowHS is its commitment to “fileless” execution. The malware utilizes a multi-stage shell loader that decrypts and executes its payload entirely within the system’s memory. By using anonymous file descriptors and spoofing process names (often disguising itself as python3), it effectively vanishes from standard forensic views.
“The loader decrypts and executes its payload exclusively in memory, leaving no persistent binary artifacts on disk. Once active, the payload exposes an interactive post-exploitation environment that aggressively fingerprints host security controls…” — Cyble Research & Intelligence Labs
This approach allows the threat actors to bypass file-integrity monitoring and traditional antivirus scans that rely on inspecting files written to the hard drive.
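As an added example (not from the CRIL report or this article), a defender-side check for the two traits described above: a process whose executable image is backed by an anonymous memfd rather than a file on disk, and a process whose advertised name (argv[0] or comm) disagrees with the binary actually mapped. It reads /proc directly on Linux; the ProcView helper and the heuristics are assumptions about how such a process looks, not indicators taken from the report.

```python
"""Added example: spot memfd-backed or name-spoofed processes via /proc."""
import os
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcView:
    pid: int
    exe_target: str  # readlink(/proc/PID/exe), "" if unreadable (not root)
    comm: str        # /proc/PID/comm, the name `ps` shows; spoofable via prctl
    argv0: str       # first element of /proc/PID/cmdline; spoofable at exec


def suspicious_reasons(p: ProcView) -> List[str]:
    """Return a list of reasons this process looks fileless/spoofed (empty = clean)."""
    reasons = []
    # memfd_create() images appear as "/memfd:<name> (deleted)" in the exe link.
    if p.exe_target.startswith("/memfd:"):
        reasons.append("exe backed by anonymous memfd")
    # A binary unlinked after exec is also marked "(deleted)".
    elif p.exe_target.endswith(" (deleted)"):
        reasons.append("exe image deleted from disk")
    # /proc/PID/exe cannot be faked without ptrace/root, so compare the claimed
    # name against it. Skip when exe is unreadable to avoid false positives.
    exe_base = os.path.basename(p.exe_target.replace(" (deleted)", ""))
    claimed = os.path.basename(p.argv0) or p.comm
    if p.exe_target and claimed.startswith("python") and not exe_base.startswith("python"):
        reasons.append(f"claims {claimed!r} but exe is {exe_base!r}")
    return reasons


def read_proc(pid: int) -> Optional[ProcView]:
    base = f"/proc/{pid}"
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:
        exe = ""
    try:
        with open(f"{base}/comm") as f:
            comm = f.read().strip()
        with open(f"{base}/cmdline", "rb") as f:
            argv0 = f.read().split(b"\0")[0].decode(errors="replace")
    except OSError:
        return None  # process exited or is not readable
    return ProcView(pid, exe, comm, argv0)


def scan_proc() -> Dict[int, List[str]]:
    """Walk /proc and return {pid: reasons} for every flagged process."""
    hits = {}
    for name in os.listdir("/proc"):
        if name.isdigit():
            view = read_proc(int(name))
            if view and (reasons := suspicious_reasons(view)):
                hits[view.pid] = reasons
    return hits


if __name__ == "__main__":
    for pid, reasons in scan_proc().items():
        print(pid, "; ".join(reasons))
```

Run as root to read every process's exe link; a hit is a lead to triage (inspect /proc/PID/maps and fds), not a verdict on its own.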
The payload itself is a heavily modified variant of hackshell, a lightweight post-exploitation tool. However, the operators behind ShadowHS have evolved it into a full-featured intrusion framework.
“The payload is not a standalone malware binary but a weaponized post-exploitation framework, derived from hackshell and adapted for long-term, interactive operator use.” — Cyble Research & Intelligence Labs
Once active, the malware doesn’t just run wild; it listens. It fingerprints the host, checking for EDR agents (like CrowdStrike or SentinelOne) and other security controls. It even includes “anti-competition” logic to detect and kill rival malware families, such as XMRig miners or the Kinsing botnet, ensuring it has exclusive access to the victim’s resources.
Perhaps the most technically distinct feature of ShadowHS is how it steals data. Instead of opening a standard connection that might trigger a firewall alert, the malware uses GSocket—a tool designed to enable encrypted connections through firewalls via user-space tunneling.
“Notably, the framework includes operator-driven data exfiltration mechanisms that avoid traditional network transports altogether, instead abusing user-space tunneling to stage or extract data in a manner designed to evade firewall controls and endpoint monitoring.” — Cyble Research & Intelligence Labs
This allows the operators to exfiltrate sensitive files or stage tools without establishing a direct, easily blockable TCP connection to a command-and-control server.
The analysis suggests that ShadowHS is not the work of “script kiddies” or automated bot herders. The clear distinction between its quiet runtime behavior and its massive dormant capabilities—including modules for credential theft, lateral movement via SSH brute-forcing, and privilege escalation—points to a skilled human operator.
“This clear separation between restrained runtime behaviour and extensive dormant functionality strongly suggests deliberate operator tradecraft rather than commodity malware logic.” — Cyble Research & Intelligence Labs