A sophisticated fileless Linux malware framework, ShadowHS, that represents a significant evolution in post-exploitation tooling.
Unlike traditional malware binaries, ShadowHS operates entirely in memory and demonstrates advanced operator-driven capabilities designed specifically for long-term persistence in defended enterprise environments.
ShadowHS is not a standalone malware binary but rather a heavily modified variant of the hackshell utility that has been weaponized into a full-featured intrusion framework.
The malware incorporates fileless execution as its core design principle, executing from anonymous file descriptors while spoofing process names to evade detection.
At no point during the infection chain does the payload write to disk, effectively bypassing traditional file-integrity monitoring and antivirus inspection mechanisms.
The infection begins with a multi-stage encrypted shell loader that employs AES-256-CBC encryption to protect its embedded payload.
Cyble Research & Intelligence Labs (CRIL) has identified a Linux intrusion chain leveraging a highly obfuscated, fileless loader that deploys a weaponized variant of hackshell entirely from memory.
Upon execution, the loader validates runtime dependencies, including OpenSSL, Perl, and gzip, then dynamically determines its invocation context to guarantee correct payload execution.
The payload is reconstructed through a complex decoding pipeline and executed directly from memory via /proc/
Operator-Driven Design
What distinguishes ShadowHS from commodity malware is its deliberately restrained runtime behavior.
Rather than immediately deploying cryptominers or initiating data exfiltration, the framework prioritizes environmental reconnaissance, security control discovery, and operational safety.
This clear separation between initial restraint and extensive dormant functionality strongly suggests deliberate operator tradecraft rather than automated malware logic.
The payload performs aggressive fingerprinting of enterprise security solutions, including CrowdStrike Falcon Sensor, Sophos Intercept X, Cortex XDR, Microsoft Defender, Elastic Agent, Wazuh, Tanium, and multiple cloud vendor agents.
Both filesystem path checks and service-state enumeration are employed to detect these platforms, with results surfaced directly to operators for informed decision-making.
ShadowHS implements robust anti-competition logic designed to identify and terminate rival malware families including Rondo, Kinsing, and the notorious Ebury OpenSSH credential-stealing backdoor.
The framework actively hunts for competing cryptominers, detects kernel rootkits via loaded kernel module checks, and enumerates deleted or memfd-backed executables that may indicate prior compromise.
Additionally, the malware performs deep security posture introspection by examining kernel protections such as AppArmor, inspecting loaded modules, and surveying /proc for indicators of instrumentation.
One of ShadowHS’s most sophisticated capabilities involves operator-initiated data exfiltration that completely bypasses traditional network transports.
Instead of relying on SSH, SCP, or SFTP, the framework implements dedicated staging helpers that leverage GSocket user-space tunnels to establish covert channels.
File transfers are routed through a hardcoded GSocket rendezvous endpoint at 62.171.153[.]47, authenticated using operator-supplied tokens.
This technique replaces rsync’s standard transport layer with DBus-based or netcat-style GSocket tunnels, allowing data movement that evades firewall controls and endpoint monitoring.
The apparent loopback destination is deliberately misleading, as connections are intercepted by GSocket before reaching the local networking stack, enabling remote exfiltration without opening visible network sessions.
Mitigations
When operators choose to activate dormant capabilities, ShadowHS deploys multiple cryptocurrency mining workflows including XMRig, XMR-Stak with CUDA backends, GMiner using the Kawpow algorithm, and lolMiner targeting ETCHASH.
Mining operations connect to infrastructure at 204.93.253[.]180 with pool failover logic and dynamically sourced worker identifiers.
For lateral movement, the framework downloads Rustscan for SSH service discovery and spirit for automated brute-force attacks against identified endpoints.
The malware also contains dormant modules for credential theft targeting AWS credentials, SSH keys, GitLab, WordPress and Bitrix databases, Docker, Proxmox VMs, OpenVZ containers, and cloud platform metadata services.
Traditional signature-based and file-scanning security controls offer minimal protection against ShadowHS due to its fileless nature and memory-only execution model.
Effective detection requires visibility into in-memory execution patterns, process behavior analysis, and kernel-level telemetry.
Organizations should implement runtime application self-protection, memory scanning capabilities, and behavioral analytics to identify suspicious process genealogy and argument spoofing.
The discovery of ShadowHS underscores the evolution of Linux-targeted threats from opportunistic botnets toward sophisticated, operator-controlled frameworks designed for strategic compromise of enterprise infrastructure.
Its combination of advanced evasion techniques, comprehensive security awareness, and selective capability activation represents a mature post-exploitation platform optimized for long-term persistence rather than immediate impact.
Indicators of Compromise (IOCs)
| Indicator | Indicator Type | Description |
|---|---|---|
| 91.92.242[.]200 | IPv4 | Primary payload staging infrastructure |
| 62.171.153[.]47 | IPv4 | Operator-controlled relay for exfiltration and post-compromise operations |
| 20c1819c2fb886375d9504b0e7e5debb87ec9d1a53073b1f3f36dd6a6ac3f427 | SHA-256 | Main obfuscated shell loader script |
| 9f2cfc65b480695aa2fd847db901e6b1135b5ed982d9942c61b629243d6830dd | SHA-256 | Custom weaponized hackshell payload |
| 148f199591b9a696197ec72f8edb0cf4f90c5dcad0805cfab4a660f65bf27ef3 | SHA-256 | RustScan port scanner |
| 574a17028b28fdf860e23754d16ede622e4e27bac11d33dbf5c39db501dfccdc | SHA-256 | spirit-x86_64.tgz archive |
| 3f014aa3e339d33760934f180915045daf922ca8ae07531c8e716608e683d92d | SHA-256 | spirit/-bash (UPX-packed binary) |
| 847846a0f0c76cf5699342a066378774f1101d2fb74850e3731dc9b74e12a69d | SHA-256 | spirit/-bash (unpacked Golang binary) |
| 5a6b08d42cc8296b32034b132bab18d201a48c1628df3200e869722506dd4ec6 | SHA-256 | gpu1/screen miner wrapper |
| e11bcba19ac628ae1d0b56e43646ae1b5da2ccc1da5162e6719d4b7d68d37096 | SHA-256 | gpu1/lol miner component |
| 0bb7d4d8a9c8f6b3622d07ae9892aa34dc2d0171209e2829d7d39d5024fd79ef | SHA-256 | xmr/xmrigremove.sh |
| 9fdaf64180b7d02b399d2a92f1cdd062af2e6584852ea597c50194b62cca3c0b | SHA-256 | gpustak/-bash binary |
| b3ee445675fce1fccf365a7b681b316124b1a5f0a7e87042136e91776b187f39 | SHA-256 | gpustak/libxmrstak_cuda_backend.so CUDA backend |
| 5a6b08d42cc8296b32034b132bab18d201a48c1628df3200e869722506dd4ec6 | SHA-256 | gpustak/screen miner wrapper |
| 5a6b08d42cc8296b32034b132bab18d201a48c1628df3200e869722506dd4ec6 | SHA-256 | gpuecho/screen miner wrapper |
| 3ba88f92a87c0bb01b13754190c36d8af7cd047f738ebb3d6f975960fe7614d6 | SHA-256 | gpuecho/lol miner component |
| 5a6b08d42cc8296b32034b132bab18d201a48c1628df3200e869722506dd4ec6 | SHA-256 | gpu/screen miner wrapper |
| e11bcba19ac628ae1d0b56e43646ae1b5da2ccc1da5162e6719d4b7d68d37096 | SHA-256 | gpu/lol miner component |
| 4069eaadc94efb5be43b768c47d526e4c080b7d35b4c9e7eeb63b8dcf0038d7d | SHA-256 | ex/dirtycredz.x86_64 credential exploitation tool |
| 72023e9829b0de93cf9f057858cac1bcd4a0499b018fb81406e08cd3053ae55b | SHA-256 | ex/payload.so shared object payload |
| 662d4e58e95b7b27eb961f3d81d299af961892c74bc7a1f2bb7a8f2442030d0e | SHA-256 | ex/overlay helper component |
| e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | SHA-256 | ex/GCONV_PATH=./lol empty placeholder file |
| c679b408275f9624602702f5601954f3b51efbb1acc505950ee88175854e783f | SHA-256 | ex/payload.c payload source code |
| 666122c39b2fd4499678105420e21b938f0f62defdbc85275e14156ae69539d6 | SHA-256 | ex/blast exploitation utility |
| 8007b94d367b7dbacaac4c1da0305b489f0f3f7a38770dcdb68d5824fe33d041 | SHA-256 | ex/dp Dirty Pipe exploit |
| 072e08b38a18a00d75b139a5bbb18ac4aa891f4fd013b55bfd3d6747e1ba0a27 | SHA-256 | ex/ubu privilege escalation helper |
| 6c50fcf14af7f984a152016498bf4096dd1f71e9d35000301b8319bd50f7f6d0 | SHA-256 | ex/cve-2025-21756 exploit binary |
| 04a072481ebda2aa8f9e0dac371847f210199a503bf31950d796901d5dbe9d58 | SHA-256 | ex/traitor-x86_64 privilege escalation tool |
| 19df5436972b330910f7cb9856ef5fb17320f50b6ced68a76faecddcafa7dcd7 | SHA-256 | ex/autoroot.sh automated root escalation script |
| 7fbab71fcc454401f6c3db91ed0afb0027266d5681c23900894f1002ceca389a | SHA-256 | ex/dirtypipe.x86_64 Dirty Pipe exploit variant |
| e5a6deec56095d0ae702655ea2899c752f4a0735f9077605d933a04d45cd7e24 | SHA-256 | ex/dirtypagetable.x86_64 kernel exploitation tool |
| 7361c6861fdb08cab819b13bf2327bc82eebdd70651c7de1aed18515c1700d97 | SHA-256 | ex/lol/gconv-modules GCONV-based exploitation component |
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.