Cyble Research & Intelligence Labs (CRIL) has uncovered a post-exploitation Linux framework called ShadowHS, designed for stealthy, in-memory operations. Unlike traditional malware, ShadowHS leverages a fileless architecture and a weaponized version of hackshell, enabling attackers to maintain long-term, operator-controlled access to compromised Linux systems.
The ShadowHS Linux framework operates entirely in memory, leaving no persistent binaries on disk. CRIL’s analysis revealed that the framework uses an encrypted shell loader to deploy a heavily modified version of hackshell, enabling an interactive post-exploitation environment.
The loader reconstructs the payload in memory using AES‑256‑CBC decryption, Perl-based byte skipping, and gzip decompression. The payload is then executed via /proc/<pid>/fd/<fd> with a spoofed argv[0], so no filesystem artifacts remain.
Once active, ShadowHS prioritizes reconnaissance, fingerprinting host security measures, evaluating prior compromises, and providing an operator-controlled interface. Its runtime behavior is deliberately restrained, allowing attackers to selectively invoke capabilities such as credential access, lateral movement, privilege escalation, cryptomining, and covert data exfiltration.
According to CRIL, ShadowHS reflects mature operator tradecraft rather than the patterns of opportunistic Linux malware. Its in-memory design allows operators to assess system security posture while avoiding traditional detection mechanisms.
The payload performs aggressive EDR and AV fingerprinting, checking for commercial endpoint tools such as CrowdStrike, Tanium, Sophos, and Microsoft Defender, as well as cloud and OT/ICS telemetry agents.
“ShadowHS demonstrates a clear separation between restrained runtime activity and extensive dormant capabilities,” CRIL notes. “This is indicative of a deliberate operator-driven post-exploitation platform rather than automated malware.”
One of ShadowHS’s most notable features is its ability to exfiltrate data without using standard network channels. The Linux framework implements user-space tunneling over GSocket, replacing rsync’s default transport.
This allows files to be transferred stealthily across firewalls and restrictive network environments. CRIL observed two variants: one using DBus-based tunneling and another employing netcat-style GSocket tunnels, both preserving timestamps, permissions, and partial transfer state.
ShadowHS also contains dormant modules that operators can activate on demand. These include:
The framework incorporates anti-competition logic to detect and terminate rival malware, including miners like Rondo and Kinsing, as well as credential-stealing backdoors such as Ebury. It also evaluates kernel integrity and loaded modules, helping the operator determine if the host is already compromised or actively monitored.
The discovery of ShadowHS underscores the challenges organizations face in defending Linux environments against fileless, in-memory threats. CRIL notes that traditional signature-based antivirus solutions and file-based detection mechanisms are insufficient to detect frameworks like ShadowHS. Effective defense requires monitoring process behavior, kernel-level telemetry, and memory-resident activity.
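As an added, defender-side illustration (not code from the Cyble report), the scanner below looks for the fileless pattern described above: a running process whose /proc/<pid>/exe resolves to an anonymous memfd or to a path that has since been deleted, with the argv[0] spoof surfaced as a secondary signal. The function names are my own; the /proc paths and the " (deleted)" suffix are standard Linux kernel behaviour, and the argv[0]-mismatch heuristic alone is assumed to be noisy.

```python
import os

def exe_target(pid: int):
    """Resolve /proc/<pid>/exe; None if the process is gone or unreadable."""
    try:
        return os.readlink(f"/proc/{pid}/exe")
    except OSError:
        return None

def read_cmdline(pid: int) -> bytes:
    """Raw NUL-separated argv from /proc/<pid>/cmdline (empty on error)."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            return f.read()
    except OSError:
        return b""

def classify(exe, cmdline: bytes):
    """Return (severity, reasons): 'high' if exe is memfd-backed or deleted, 'low' if
    only argv[0] disagrees with exe (noisy: interpreters, symlinked shells), else 'none'."""
    reasons = []
    if not exe:
        return "none", reasons
    if exe.startswith("/memfd:"):          # memfd_create()-backed executable
        reasons.append("exe is backed by an anonymous memfd")
    if exe.endswith(" (deleted)"):        # kernel marks unlinked exe paths this way
        reasons.append("exe path no longer exists on disk")
    severity = "high" if reasons else "none"
    argv0 = cmdline.split(b"\0")[0].decode(errors="replace")
    on_disk = exe.removesuffix(" (deleted)")
    # Login shells legitimately set argv[0] to "-bash" etc.; skip those.
    if argv0 and not argv0.startswith("-") and \
            os.path.basename(argv0) != os.path.basename(on_disk):
        reasons.append(f"argv[0] {argv0!r} does not match exe {on_disk!r}")
        severity = "low" if severity == "none" else severity
    return severity, reasons

def scan_proc():
    """Walk /proc and return (pid, severity, reasons) for each finding."""
    findings = []
    for name in os.listdir("/proc"):
        if name.isdigit():
            pid = int(name)
            sev, reasons = classify(exe_target(pid), read_cmdline(pid))
            if sev != "none":
                findings.append((pid, sev, reasons))
    return findings

if __name__ == "__main__":
    for pid, sev, reasons in scan_proc():
        print(f"pid {pid} [{sev}]: " + "; ".join(reasons))
```

Run it as root so every process's exe link is readable; "high" findings are worth a memory capture before the process exits, since nothing on disk will remain.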
“ShadowHS represents a fully operator-controlled, adaptive Linux framework designed for stealth and long-term access,” CRIL stated. “Its use of a weaponized hackshell, fileless execution, and exfiltration methods highlights the growing need for proactive threat intelligence and advanced monitoring strategies.”