securityonline.info 2/4/2026, 2:10:29 AM

Invisible Intruder: “ShadowHS” Malware Weaponizes Hackshell on Linux


Cyble Research & Intelligence Labs (CRIL) has uncovered ShadowHS, a sophisticated Linux intrusion chain that deploys a modified, weaponised build of hackshell through a highly obfuscated, fileless loader. Unlike typical Linux malware, ShadowHS runs in memory: a multi-stage shell loader decrypts and executes its payload without ever writing it to disk, using anonymous file descriptors and spoofed process names to hide from forensic inspection.

The framework includes operator-driven data exfiltration mechanisms that avoid traditional network transports, instead abusing user-space tunneling via GSocket to stage or extract data and evade firewall controls. The payload is a modified variant of hackshell, evolved into a full-featured intrusion framework capable of post-exploitation, credential theft, lateral movement via SSH brute-forcing, and privilege escalation.

ShadowHS additionally fingerprints the host for security controls, including EDR agents, and implements anti-competition logic to kill rival malware such as XMRig miners or the Kinsing botnet. According to CRIL, the distinct separation between restrained runtime behaviour and extensive dormant functionality points to a skilled operator rather than script kiddies.
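A defender-side check for the two evasion traits the report names (anonymous file descriptors and spoofed process names), written as an added example that is not from Cyble's report or the ShadowHS loader: it walks /proc and flags processes whose exe link points at a memfd or deleted file, or whose comm does not match argv[0]. The tree built by build_sample_proc is a constructed /proc look-alike for illustration; on a live host call scan() with the default root.

```python
import os

# memfd_create() files appear as "/memfd:<name> (deleted)" in /proc/<pid>/exe;
# an executable unlinked after launch appears as "<path> (deleted)".

def inspect_process(proc_root, pid):
    """Return findings for one pid; proc_root is normally '/proc'."""
    base = os.path.join(proc_root, str(pid))
    findings = []
    try:
        exe = os.readlink(os.path.join(base, "exe"))
    except OSError:  # kernel thread or insufficient privilege
        exe = ""
    if exe.startswith("/memfd:"):
        findings.append("exe is an anonymous memfd")
    elif exe.endswith(" (deleted)"):
        findings.append("exe backing file was deleted")
    try:
        with open(os.path.join(base, "comm")) as fh:
            comm = fh.read().strip()
        with open(os.path.join(base, "cmdline"), "rb") as fh:
            argv0 = fh.read().split(b"\0")[0].decode(errors="replace")
    except OSError:
        return findings
    # comm is capped at 15 characters, so compare only that prefix of argv[0].
    if comm and argv0 and os.path.basename(argv0)[:15] != comm:
        findings.append("comm %r does not match argv[0] %r" % (comm, argv0))
    return findings

def scan(proc_root="/proc"):
    results = {}
    for name in os.listdir(proc_root):
        if name.isdigit():
            hits = inspect_process(proc_root, int(name))
            if hits:
                results[int(name)] = hits
    return results

def build_sample_proc(root):
    """Constructed sample: a benign shell and a memfd-backed process posing as a kworker."""
    for pid, exe, comm, argv0 in ((1, "/usr/bin/bash", "bash", "/usr/bin/bash"),
                                  (4242, "/memfd:ld (deleted)", "kworker/u8:2", "bash")):
        d = os.path.join(root, str(pid))
        os.makedirs(d)
        os.symlink(exe, os.path.join(d, "exe"))
        for fname, data in (("comm", comm + "\n"), ("cmdline", argv0 + "\0")):
            with open(os.path.join(d, fname), "w") as fh:
                fh.write(data)
    return root
```

Treat hits as leads rather than verdicts: interpreted scripts, daemons such as sshd that rewrite their argv, and binaries upgraded while still running all trigger these heuristics legitimately, so correlate with the GSocket tunnelling and other behaviours the report describes.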


Article by CyberSIXT