ShadowHS - A Fileless Linux Post‑Exploitation Framework Built on a Weaponized hackshell

Cyble Research & Intelligence Labs (CRIL) has identified a Linux intrusion chain leveraging a highly obfuscated, fileless loader that deploys a weaponized variant of hackshell entirely from memory. Cyble tracks this activity under the name ShadowHS, reflecting its fileless execution model and lineage from the original hackshell utility. Unlike conventional Linux malware that emphasizes automated propagation or immediate monetization, this activity prioritizes stealth, operator safety, and long‑term interactive control over compromised systems. The loader decrypts and executes its payload exclusively in memory, leaving no persistent binary artifacts on disk.

Once active, the payload exposes an interactive post‑exploitation environment that aggressively fingerprints host security controls, enumerates defensive tooling, and evaluates prior compromise before enabling higher‑risk actions. Payload analysis reveals a broad set of latent capabilities, including fingerprinting, credential access, lateral movement, privilege escalation, cryptomining, memory inspection, and covert data exfiltration. The framework also includes operator‑driven data exfiltration mechanisms that avoid traditional network transports altogether, instead abusing user‑space tunneling to stage or extract data in a manner designed to evade firewall controls and endpoint monitoring. Overall, the activity reflects a mature, multi-purpose Linux post-compromise platform optimized for fileless execution, interactive control, and situationally adaptive expansion.

The analyzed intrusion chain consists of two primary components: a multi-stage, encrypted shell loader responsible for payload decryption, reconstruction, and fileless execution, and an in-memory payload that resolves to a heavily modified version of hackshell, weaponized into a full-featured operator framework. The infection flow begins with execution of the obfuscated shell loader, which decrypts an embedded payload using AES‑256‑CBC, reconstructs it in memory, and executes it directly via /proc//fd/. At no stage is the payload written to disk. The malware demonstrates tradecraft consistent with mature red-team tooling or advanced post-compromise frameworks, rather than commodity botnet loaders. Key characteristics include a password-protected AES-256-CBC encrypted payload, dynamic execution path detection, fileless execution with argv spoofing, environment hardening to evade logging, live system security introspection, and an operator-facing interactive CLI.
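The three loader traits above (execution from a memory-backed /proc fd path, argv spoofing, and history-suppressing environment) each leave a footprint in /proc that a defender can check. The following is an added detection example, not code from Cyble or from hackshell: it assumes a collector has already read comm, exe, cmdline and environ for each process into a `ProcRecord` (hypothetical schema), and it assumes the "environment hardening" takes the common form of disabling shell history; the sample records are constructed.

```python
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class ProcRecord:
    """One process as a collector would read it from /proc/<pid>/ (hypothetical schema)."""
    pid: int
    comm: str                      # /proc/<pid>/comm: basename of the path given to execve
    exe: str                       # readlink("/proc/<pid>/exe")
    cmdline: List[str]             # /proc/<pid>/cmdline split on NUL; argv[0] is caller-controlled
    environ: Dict[str, str] = field(default_factory=dict)  # /proc/<pid>/environ

# exe targets that mean the running code is not backed by a file still present on disk
MEMORY_EXE = re.compile(r"memfd:|\(deleted\)$|^/dev/shm/")

# Shell history settings that silence command logging (assumed form of "environment hardening")
HISTORY_OFF = {"HISTFILE": {"", "/dev/null"}, "HISTSIZE": {"0"}, "HISTFILESIZE": {"0"}}

def fileless_indicators(rec: ProcRecord) -> List[str]:
    """Return the reasons one process looks like an in-memory, argv-spoofed payload."""
    reasons = []
    if MEMORY_EXE.search(rec.exe):
        reasons.append(f"exe is memory-backed or unlinked: {rec.exe}")
    if rec.cmdline:
        # comm is set by the kernel from the exec path, argv[0] is chosen by the caller;
        # a mismatch (after dropping the login-shell '-' prefix) suggests argv spoofing.
        argv0 = os.path.basename(rec.cmdline[0]).lstrip("-")
        if argv0[:15] != rec.comm[:15]:   # comm is truncated to 15 bytes
            reasons.append(f"argv[0] {rec.cmdline[0]!r} does not match comm {rec.comm!r}")
    for var, silent in HISTORY_OFF.items():
        if var in rec.environ and rec.environ[var] in silent:
            reasons.append(f"shell history disabled via {var}={rec.environ[var]!r}")
    return reasons

def scan(records: List[ProcRecord]) -> Dict[int, List[str]]:
    """Map pid -> indicators for every process that raised at least one."""
    flagged = {}
    for rec in records:
        hits = fileless_indicators(rec)
        if hits:
            flagged[rec.pid] = hits
    return flagged

# Constructed sample records (not real telemetry): two benign processes and one loader-like process
SAMPLE = [
    ProcRecord(100, "sshd", "/usr/sbin/sshd", ["/usr/sbin/sshd", "-D"]),
    ProcRecord(101, "bash", "/usr/bin/bash", ["-bash"], {"HISTFILE": "/home/ops/.bash_history"}),
    ProcRecord(102, "3", "/memfd:x (deleted)", ["[kworker/0:1]"], {"HISTFILE": "/dev/null", "HISTSIZE": "0"}),
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE).items():
        print(pid, *hits, sep="\n  ")
```

On a live host the same checks apply to the real /proc tree; the login-shell and comm-truncation handling is what keeps ordinary shells and long binary names from firing.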

Once decrypted and executed directly from memory, the payload resolves to a heavily modified variant of hackshell, repurposed from a lightweight post-exploitation helper into a fully operator-driven intrusion framework. At runtime, it presents an interactive shell and explicitly signals that it avoids filesystem writes, immediately establishing intent for long-lived, low-noise operator interaction rather than smash-and-grab activity. The payload performs aggressive EDR and AV discovery using both filesystem path checks and service-state enumeration. Compared to upstream hackshell, this variant significantly expands coverage to include commercial EDR platforms, cloud agents, OT/ICS tooling, and telemetry collectors. Notable file-path-based detections include CrowdStrike, LimaCharlie, Tanium, OTEL collectors, and cloud vendor agents (Qcloud, Argus agent). Service-based detections include Falcon Sensor, Cybereason, Elastic Agent, Sophos Intercept X & SPL, Cortex XDR, WithSecure, Wazuh, Rapid7, and Microsoft Defender (mdatp). These checks are surfaced directly to the operator, reinforcing that this is an interactive intrusion tool.

To read the complete article see: Cyble

This post is licensed under CC BY 4.0 by the author.