Supershell C2
Supershell C2 is a command-and-control payload referenced in the context of active exploitation of Gogs vulnerability CVE-2025-8110. The reported tradecraft involves attackers creating random-named repositories, leveraging low-privilege access on exposed Gogs instances, and deploying Supershell C2 after exploitation to establish persistence, including persistent reverse SSH access. The content ties its observed use to automated attacks against internet-facing self-hosted Gogs servers following public disclosure of CVE-2025-8110 in late 2025. The affected environment is Gogs versions up to 0.13.3, where improper symbolic link handling in the PutContents API can allow authenticated attackers to overwrite files outside repository boundaries and achieve remote code execution. High-confidence behavioral details in the content are limited to post-exploitation deployment for persistence and reverse SSH access; no additional malware family lineage, platform support, or standalone indicators of compromise specific to Supershell C2 are provided.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A command-and-control (C2) payload reportedly deployed post-exploitation to maintain persistence on compromised Gogs servers.
C2 payload/framework providing persistent reverse-SSH style access; deployed after exploitation of Gogs CVE-2025-8110.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.