ShadowHS: A Fileless Linux Post‑Exploitation Framework Built on a Weaponized Hackshell

    Date: 02/03/2026

    Severity: Medium

    Summary

    ShadowHS is a stealth-focused, fileless Linux intrusion framework derived from the original hackshell utility and designed for long-term, interactive operator control. It executes entirely in memory using a highly obfuscated loader, leaving no disk artifacts while prioritizing host fingerprinting, defensive evasion, and operator safety before enabling higher-risk actions. Although its runtime behavior is deliberately restrained, ShadowHS contains extensive dormant capabilities—including credential access, lateral movement, privilege escalation, cryptomining, and covert data exfiltration via user-space tunneling—indicating mature tradecraft aligned with advanced intrusion tooling rather than commodity Linux malware.

    Indicators of Compromise (IOC) List

    IP Address

    91.92.242.200

    62.171.153.47

    Hash

    20c1819c2fb886375d9504b0e7e5debb87ec9d1a53073b1f3f36dd6a6ac3f427

    9f2cfc65b480695aa2fd847db901e6b1135b5ed982d9942c61b629243d6830dd

    148f199591b9a696197ec72f8edb0cf4f90c5dcad0805cfab4a660f65bf27ef3

    574a17028b28fdf860e23754d16ede622e4e27bac11d33dbf5c39db501dfccdc

    3f014aa3e339d33760934f180915045daf922ca8ae07531c8e716608e683d92d

    847846a0f0c76cf5699342a066378774f1101d2fb74850e3731dc9b74e12a69d

    5a6b08d42cc8296b32034b132bab18d201a48c1628df3200e869722506dd4ec6

    e11bcba19ac628ae1d0b56e43646ae1b5da2ccc1da5162e6719d4b7d68d37096

    0bb7d4d8a9c8f6b3622d07ae9892aa34dc2d0171209e2829d7d39d5024fd79ef

    9fdaf64180b7d02b399d2a92f1cdd062af2e6584852ea597c50194b62cca3c0b

    b3ee445675fce1fccf365a7b681b316124b1a5f0a7e87042136e91776b187f39

    3ba88f92a87c0bb01b13754190c36d8af7cd047f738ebb3d6f975960fe7614d6

    4069eaadc94efb5be43b768c47d526e4c080b7d35b4c9e7eeb63b8dcf0038d7d

    72023e9829b0de93cf9f057858cac1bcd4a0499b018fb81406e08cd3053ae55b

    662d4e58e95b7b27eb961f3d81d299af961892c74bc7a1f2bb7a8f2442030d0e

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    c679b408275f9624602702f5601954f3b51efbb1acc505950ee88175854e783f

    666122c39b2fd4499678105420e21b938f0f62defdbc85275e14156ae69539d6

    8007b94d367b7dbacaac4c1da0305b489f0f3f7a38770dcdb68d5824fe33d041

    072e08b38a18a00d75b139a5bbb18ac4aa891f4fd013b55bfd3d6747e1ba0a27

    6c50fcf14af7f984a152016498bf4096dd1f71e9d35000301b8319bd50f7f6d0

    04a072481ebda2aa8f9e0dac371847f210199a503bf31950d796901d5dbe9d58

    19df5436972b330910f7cb9856ef5fb17320f50b6ced68a76faecddcafa7dcd7

    7fbab71fcc454401f6c3db91ed0afb0027266d5681c23900894f1002ceca389a

    e5a6deec56095d0ae702655ea2899c752f4a0735f9077605d933a04d45cd7e24

    7361c6861fdb08cab819b13bf2327bc82eebdd70651c7de1aed18515c1700d97

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    dstipaddress IN ("62.171.153.47","91.92.242.200") or srcipaddress IN ("62.171.153.47","91.92.242.200")

    Detection Query 2:

    sha256hash IN ("20c1819c2fb886375d9504b0e7e5debb87ec9d1a53073b1f3f36dd6a6ac3f427","666122c39b2fd4499678105420e21b938f0f62defdbc85275e14156ae69539d6","9f2cfc65b480695aa2fd847db901e6b1135b5ed982d9942c61b629243d6830dd","148f199591b9a696197ec72f8edb0cf4f90c5dcad0805cfab4a660f65bf27ef3","574a17028b28fdf860e23754d16ede622e4e27bac11d33dbf5c39db501dfccdc","3f014aa3e339d33760934f180915045daf922ca8ae07531c8e716608e683d92d","847846a0f0c76cf5699342a066378774f1101d2fb74850e3731dc9b74e12a69d","5a6b08d42cc8296b32034b132bab18d201a48c1628df3200e869722506dd4ec6","e11bcba19ac628ae1d0b56e43646ae1b5da2ccc1da5162e6719d4b7d68d37096","0bb7d4d8a9c8f6b3622d07ae9892aa34dc2d0171209e2829d7d39d5024fd79ef","9fdaf64180b7d02b399d2a92f1cdd062af2e6584852ea597c50194b62cca3c0b","b3ee445675fce1fccf365a7b681b316124b1a5f0a7e87042136e91776b187f39","3ba88f92a87c0bb01b13754190c36d8af7cd047f738ebb3d6f975960fe7614d6","4069eaadc94efb5be43b768c47d526e4c080b7d35b4c9e7eeb63b8dcf0038d7d","72023e9829b0de93cf9f057858cac1bcd4a0499b018fb81406e08cd3053ae55b","662d4e58e95b7b27eb961f3d81d299af961892c74bc7a1f2bb7a8f2442030d0e","e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","c679b408275f9624602702f5601954f3b51efbb1acc505950ee88175854e783f","8007b94d367b7dbacaac4c1da0305b489f0f3f7a38770dcdb68d5824fe33d041","072e08b38a18a00d75b139a5bbb18ac4aa891f4fd013b55bfd3d6747e1ba0a27","6c50fcf14af7f984a152016498bf4096dd1f71e9d35000301b8319bd50f7f6d0","04a072481ebda2aa8f9e0dac371847f210199a503bf31950d796901d5dbe9d58","19df5436972b330910f7cb9856ef5fb17320f50b6ced68a76faecddcafa7dcd7","7fbab71fcc454401f6c3db91ed0afb0027266d5681c23900894f1002ceca389a","e5a6deec56095d0ae702655ea2899c752f4a0735f9077605d933a04d45cd7e24","7361c6861fdb08cab819b13bf2327bc82eebdd70651c7de1aed18515c1700d97")
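    The script below is an added example, not part of the Gurucul advisory or of Cyble's report, showing how the two queries above can be applied offline to exported log records before the IOCs are loaded into a SIEM. It takes the hash list exactly as published above (repeated entries included), lowercases and validates each entry, drops the duplicates, and flags e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, which is the SHA-256 of zero-length input and would match every empty file on a host. The field names srcipaddress, dstipaddress and sha256hash are the ones the queries use; the sample records are constructed.

```python
"""Offline triage of the ShadowHS IOCs from the advisory above (added example)."""
import hashlib
import re

# The two addresses from the advisory's IP list.
C2_IPS = {"91.92.242.200", "62.171.153.47"}

# Pasted verbatim from the advisory's hash list, duplicates included,
# to show how normalize_hashes() cleans a feed before it is loaded.
RAW_HASH_TEXT = """
20c1819c2fb886375d9504b0e7e5debb87ec9d1a53073b1f3f36dd6a6ac3f427
9f2cfc65b480695aa2fd847db901e6b1135b5ed982d9942c61b629243d6830dd
148f199591b9a696197ec72f8edb0cf4f90c5dcad0805cfab4a660f65bf27ef3
574a17028b28fdf860e23754d16ede622e4e27bac11d33dbf5c39db501dfccdc
3f014aa3e339d33760934f180915045daf922ca8ae07531c8e716608e683d92d
847846a0f0c76cf5699342a066378774f1101d2fb74850e3731dc9b74e12a69d
5a6b08d42cc8296b32034b132bab18d201a48c1628df3200e869722506dd4ec6
e11bcba19ac628ae1d0b56e43646ae1b5da2ccc1da5162e6719d4b7d68d37096
0bb7d4d8a9c8f6b3622d07ae9892aa34dc2d0171209e2829d7d39d5024fd79ef
9fdaf64180b7d02b399d2a92f1cdd062af2e6584852ea597c50194b62cca3c0b
b3ee445675fce1fccf365a7b681b316124b1a5f0a7e87042136e91776b187f39
5a6b08d42cc8296b32034b132bab18d201a48c1628df3200e869722506dd4ec6
5a6b08d42cc8296b32034b132bab18d201a48c1628df3200e869722506dd4ec6
3ba88f92a87c0bb01b13754190c36d8af7cd047f738ebb3d6f975960fe7614d6
5a6b08d42cc8296b32034b132bab18d201a48c1628df3200e869722506dd4ec6
e11bcba19ac628ae1d0b56e43646ae1b5da2ccc1da5162e6719d4b7d68d37096
4069eaadc94efb5be43b768c47d526e4c080b7d35b4c9e7eeb63b8dcf0038d7d
72023e9829b0de93cf9f057858cac1bcd4a0499b018fb81406e08cd3053ae55b
662d4e58e95b7b27eb961f3d81d299af961892c74bc7a1f2bb7a8f2442030d0e
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
c679b408275f9624602702f5601954f3b51efbb1acc505950ee88175854e783f
666122c39b2fd4499678105420e21b938f0f62defdbc85275e14156ae69539d6
8007b94d367b7dbacaac4c1da0305b489f0f3f7a38770dcdb68d5824fe33d041
072e08b38a18a00d75b139a5bbb18ac4aa891f4fd013b55bfd3d6747e1ba0a27
6c50fcf14af7f984a152016498bf4096dd1f71e9d35000301b8319bd50f7f6d0
04a072481ebda2aa8f9e0dac371847f210199a503bf31950d796901d5dbe9d58
19df5436972b330910f7cb9856ef5fb17320f50b6ced68a76faecddcafa7dcd7
7fbab71fcc454401f6c3db91ed0afb0027266d5681c23900894f1002ceca389a
e5a6deec56095d0ae702655ea2899c752f4a0735f9077605d933a04d45cd7e24
7361c6861fdb08cab819b13bf2327bc82eebdd70651c7de1aed18515c1700d97
"""

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # digest of zero bytes
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def normalize_hashes(text):
    """Return (usable hash set, warnings): lowercase, validate, dedupe, drop empty digest."""
    usable, seen, warnings = set(), set(), []
    for token in text.split():
        h = token.lower()
        if not SHA256_RE.match(h):
            warnings.append(f"malformed: {token}")
            continue
        if h in seen:
            warnings.append(f"duplicate: {h}")
            continue
        seen.add(h)
        if h == EMPTY_SHA256:
            warnings.append(f"empty-input digest excluded (matches any empty file): {h}")
            continue
        usable.add(h)
    return usable, warnings


def match_event(event, hashes, ips):
    """Apply both detection queries to one log record given as a dict of fields."""
    reasons = []
    for field in ("srcipaddress", "dstipaddress"):
        if event.get(field) in ips:
            reasons.append(f"{field} in C2 list ({event[field]})")
    digest = (event.get("sha256hash") or "").lower()
    if digest in hashes:
        reasons.append(f"sha256hash in IOC list ({digest[:12]}...)")
    return reasons


def scan_events(events, hashes, ips):
    """Return [(record index, reasons)] for every record that matched."""
    hits = []
    for i, ev in enumerate(events):
        reasons = match_event(ev, hashes, ips)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample records using the field names the queries above use.
SAMPLE_EVENTS = [
    {"srcipaddress": "10.0.0.5", "dstipaddress": "91.92.242.200"},
    {"srcipaddress": "10.0.0.7", "dstipaddress": "8.8.8.8"},
    {"sha256hash": "20C1819C2FB886375D9504B0E7E5DEBB87EC9D1A53073B1F3F36DD6A6AC3F427"},
    {"sha256hash": EMPTY_SHA256},  # an empty file; must not alert
]

if __name__ == "__main__":
    hashes, warnings = normalize_hashes(RAW_HASH_TEXT)
    for w in warnings:
        print("warning:", w)
    for idx, reasons in scan_events(SAMPLE_EVENTS, hashes, C2_IPS):
        print(f"event {idx}: " + "; ".join(reasons))
```

    Run as-is, the warnings list reports the four repeated hashes and the empty-input digest, leaving 25 usable hashes; only the record talking to 91.92.242.200 and the record carrying the first listed hash (matched case-insensitively) produce alerts. The same normalization is worth applying to the IN lists before loading them, since an SIEM query that includes the empty-input digest will fire on every zero-byte file observed by a file-hashing sensor.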

    Reference: 

    https://cyble.com/blog/shadowhs-fileless-linux-post-exploitation-framework/


    Tags

    Malware, Exploit, Cryptomining, Exfiltration
