
A new malware tool dubbed SHOE RACK has come under the microscope of the UK’s National Cyber Security Centre (NCSC). This post-exploitation malware leverages stealthy reverse SSH tunneling, custom protocol abuse, and DNS-over-HTTPS (DoH) to maintain remote access and evade detection—raising red flags across enterprise defense teams.
Originally discovered on FortiGate 100D series firewalls, SHOE RACK is believed to be a modified version of the open-source NHAS reverse SSH tool, but with significant post-exploitation enhancements.
“SHOE RACK appears to have been produced by making modifications to existing open-source tooling… the actor appearing to make modifications as needed,” the analysis explains.
SHOE RACK is a Go-based malware packed with UPX, retrieved as a binary named ldnet. It serves two main purposes:
- Remote shell access via SSH tunneling
- TCP traffic proxying over an existing session
“On execution, the malware connects back to a custom SSH server at a hardcoded command and control (C2) URL… enabling the actor to use standard SSH functionality to interact with the victim,” the analysis discloses.
Rather than hardcoding IP addresses or performing standard DNS lookups, SHOE RACK stealthily retrieves its command and control server (phcia.duckdns[.]org) by querying MX records over DNS-over-HTTPS.
It randomly chooses from five trusted DoH resolvers, including:
- dns.google.com (8.8.8.8)
- cloudflare-dns.com (1.1.1.1)
- dns.nextdns.io
- quad9.net
- doh.opendns.com
This design makes SHOE RACK’s infrastructure resilient to blocking and takedown, using encryption to obscure its DNS traffic.
“SHOE RACK uses DNS-over-HTTPS (DoH) to locate the IP address of its C2 server.”
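The resolver list above gives defenders something concrete to watch for: a perimeter appliance has no business asking a public DoH resolver for MX records. The following Python script is an added example for this article (not NCSC or Fortinet tooling) that scans constructed proxy-log lines for that pattern. The CSV column layout, the sample URLs and the set of "perimeter device" addresses are assumptions made for the example; the resolver names and the MX-over-DoH behaviour are taken from the analysis summarised above.

```python
"""Detect DNS-over-HTTPS MX lookups from perimeter devices in proxy logs.

Added example, not code from the NCSC analysis. Log format is an assumed
CSV: timestamp, src_ip, dst_host, method, url.
"""
import csv
import io
from urllib.parse import urlparse, parse_qs

# Resolvers named in the NCSC analysis (IPs for the first two as listed).
DOH_RESOLVERS = {
    "dns.google.com", "8.8.8.8",
    "cloudflare-dns.com", "1.1.1.1",
    "dns.nextdns.io",
    "quad9.net",
    "doh.opendns.com",
}

# Addresses of network appliances that should never resolve names via DoH
# (constructed example value; populate from your asset inventory).
PERIMETER_DEVICES = {"10.0.0.1"}

# Constructed sample log: line 1 and 4 come from the "firewall", line 3 is a
# workstation performing an MX lookup over DoH, line 2 is ordinary browsing.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z,10.0.0.1,dns.google.com,GET,https://dns.google.com/resolve?name=example.org&type=MX
2024-01-01T10:00:02Z,10.0.0.42,www.example.com,GET,https://www.example.com/index.html
2024-01-01T10:00:03Z,10.0.0.42,cloudflare-dns.com,GET,https://cloudflare-dns.com/dns-query?name=example.org&type=MX
2024-01-01T10:00:04Z,10.0.0.1,quad9.net,POST,https://quad9.net/dns-query
"""


def classify(row):
    """Return a finding string for one log row, or None if nothing is notable."""
    ts, src, dst, method, url = row
    host = dst.lower()
    if host not in DOH_RESOLVERS:
        return None
    # JSON-style DoH endpoints carry the query type in the URL; wire-format
    # POST requests do not, so the type is unknown for those.
    qs = parse_qs(urlparse(url).query)
    qtype = qs.get("type", [""])[0].upper()
    if src in PERIMETER_DEVICES:
        # Any DoH use by a perimeter appliance is anomalous on its own.
        return f"{ts} {src} -> {host}: DoH from perimeter device (type={qtype or method})"
    if qtype == "MX":
        return f"{ts} {src} -> {host}: MX lookup over DoH"
    return None


def scan(log_text):
    """Run classify() over every CSV row and collect the findings."""
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if not row:
            continue
        finding = classify(row)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for line in scan(SAMPLE_LOG):
        print(line)
```

Wire-format DoH (`application/dns-message` over POST, or `?dns=` base64 on GET) hides the record type from a URL-only rule, which is why the script treats any DoH contact from a perimeter device as a finding regardless of type; for workstations, an MX lookup is the more specific signal worth alerting on.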
One of SHOE RACK’s most unique traits is its misuse of the SSH protocol:
- It spoofs an outdated SSH version, advertising SSH-1.1.3
- It initiates SSH sessions where the server opens the channel, not the client—an inversion of normal behavior
- It supports both standard and non-standard SSH channels, including:
  - session Channel – Used for shell access and commands. Includes commands like:
    - exec
    - shell
    - subsystem sftp
    - setuid, setgid
  - jump Channel – An attacker-controlled reverse SSH tunnel re-using the original malware connection to enable incoming SSH sessions from the C2 to the victim. “This effectively makes the malware the SSH server… enabling the actor to tunnel traffic out of the malware’s endpoint.”
  - direct-tcpip Channel – Used for creating full TCP tunnels from the C2 through the infected host to other machines—ideal for pivoting inside LANs or evading network segmentation.
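The spoofed `SSH-1.1.3` banner is the easiest of these traits to catch passively. RFC 4253 section 4.2 defines the identification line as `SSH-protoversion-softwareversion SP comments CR LF`, and a compliant SSH-2 peer advertises protoversion `2.0` (or `1.99` for backwards compatibility). The Python below is an added example for this article, not NCSC or Fortinet code: it parses identification lines leniently, flags anything whose protoversion is not `2.0` or `1.99`, and runs over a constructed set of sample banners.

```python
"""Flag anomalous SSH identification strings such as the SSH-1.1.3 banner
the NCSC analysis attributes to SHOE RACK.

Added example, not part of the NCSC analysis. Sample banners are constructed.
"""

VALID_PROTO = {"2.0", "1.99"}


def parse_ident(line):
    """Parse an SSH identification line into proto/soft/comments.

    Parsing is deliberately lenient: a banner with no second hyphen
    (e.g. "SSH-1.1.3") still yields a protoversion so it can be checked,
    rather than being dropped as unparseable. Returns None only when the
    line does not begin with "SSH-".
    """
    line = line.rstrip("\r\n")
    if not line.startswith("SSH-"):
        return None
    rest = line[len("SSH-"):]
    core, _, comments = rest.partition(" ")   # comments follow the first space
    proto, _, soft = core.partition("-")      # softwareversion may contain '-'
    return {"proto": proto, "soft": soft, "comments": comments}


def check_ident(line):
    """Return a reason string when the banner is suspicious, else None."""
    ident = parse_ident(line)
    if ident is None:
        return "malformed identification string"
    if ident["proto"] not in VALID_PROTO:
        return f"unexpected protoversion {ident['proto']!r}"
    if not ident["soft"]:
        return "missing softwareversion"
    return None


# Constructed samples: two normal banners, the SHOE RACK value, and junk.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_9.6",
    "SSH-1.99-Cisco-1.25",
    "SSH-1.1.3",              # value reported in the analysis above
    "not an ssh banner",
]


def scan_banners(banners):
    """Return (banner, reason) pairs for every banner that fails the check."""
    results = []
    for banner in banners:
        reason = check_ident(banner)
        if reason:
            results.append((banner, reason))
    return results


if __name__ == "__main__":
    for banner, reason in scan_banners(SAMPLE_BANNERS):
        print(f"{banner!r}: {reason}")
```

Fed the `server` and `client` version fields from a Zeek `ssh.log` or an equivalent NDR export, this rule surfaces any peer that is not speaking a recognisable SSH-2 version, which includes the `SSH-1.1.3` string this malware uses on an outbound connection from a firewall that should not be initiating SSH sessions at all.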
SHOE RACK has been specifically observed targeting FortiGate 100D firewalls, which are often deployed as perimeter defenses in enterprise networks. “It seems likely that the actor was attempting to pivot into the LAN network having compromised the perimeter device,” the report concludes. This strategic targeting indicates a post-compromise objective: move laterally, exfiltrate data, or stage further attacks inside otherwise secure networks.