ShadowHS
ShadowHS is a fileless Linux post-exploitation framework documented by Cyble Research & Intelligence Labs in January 2026. It uses a highly obfuscated, multi-stage encrypted shell loader to decrypt and execute a weaponized variant of the open-source hackshell payload entirely in memory, including execution via anonymous file descriptors under /proc, leaving no persistent payload binary on disk. The loader performs runtime dependency checks for tools such as OpenSSL, Perl, and gunzip, reconstructs the payload through AES-256-CBC decryption, Perl/gzip processing, and byte-offset skipping, and can spoof argv[0] to disguise execution, often as python3.
The framework is designed for stealthy, long-term, operator-controlled access to compromised Linux systems, especially server environments. Reported capabilities include host and security-tool fingerprinting, reconnaissance, credential theft, privilege escalation, lateral movement including SSH-based scanning and brute-forcing, memory dumping for credential extraction, covert data staging and exfiltration, and cryptomining support. ShadowHS also includes anti-competition logic to identify and terminate rival malware, including XMRig, Kinsing, and Ebury, and checks for kernel rootkits, AppArmor, loaded modules, deleted or memfd-backed executables, and numerous EDR/AV products including CrowdStrike, Elastic Agent, Sophos, Cortex XDR, WithSecure, Wazuh, Rapid7, Microsoft Defender for Endpoint, Tanium, Cybereason, and others.
For covert transfer operations, ShadowHS abuses GSocket user-space tunneling with rsync rather than direct SSH/SCP/SFTP, using a hardcoded rendezvous endpoint at 62.171.153[.]47. Reported infrastructure and operational IOCs include 91.92.242[.]200 for payload staging and mining-related infrastructure at 204.93.253[.]180 on ports 4080, 3080, and 1080, as well as zergpool kawpow endpoints on port 3638. The malware has been described as intentionally restrained at runtime, exposing an interactive post-exploitation environment while keeping higher-risk functionality dormant or operator-invoked, which researchers assessed as indicative of deliberate tradecraft rather than commodity botnet activity.
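Two of the host artefacts described above are visible from /proc without any agent: a payload executed from an anonymous file descriptor leaves /proc/<pid>/exe pointing at a memfd or a deleted file instead of a path on disk, and a spoofed argv[0] such as python3 disagrees with the real executable behind the process. The scan below is an added example written for this entry, not code from the Cyble report or from the framework itself. The record fields mirror /proc/<pid>/exe, cmdline and comm; the sample records and the multi-call allowlist are constructed, and the allowlist is an assumption to tune against your own baseline.

```python
"""Flag processes whose executable is memfd-backed or deleted, or whose argv[0]
does not match the binary actually being executed (argv[0] spoofing)."""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Multi-call binaries whose argv[0] legitimately differs from the exe name.
# Constructed allowlist: extend it from your own process baseline.
MULTICALL_EXES = {"busybox", "toybox"}

# readlink(/proc/<pid>/exe) for a memfd-backed image looks like "/memfd:name (deleted)"
MEMFD_RE = re.compile(r"^/?memfd:")
DELETED_SUFFIX = " (deleted)"


@dataclass
class ProcRecord:
    pid: int
    exe: str                 # target of the /proc/<pid>/exe symlink
    cmdline: List[str]       # /proc/<pid>/cmdline split on NUL
    comm: str = ""           # /proc/<pid>/comm, kept for analyst context


def names_compatible(a: str, b: str) -> bool:
    """'python3' vs 'python3.11' or 'sshd:' vs 'sshd' are normal; accept a shared prefix."""
    return bool(a) and bool(b) and (a.startswith(b) or b.startswith(a))


def classify(rec: ProcRecord) -> List[str]:
    """Return finding tags for one process record (empty list = nothing suspicious)."""
    findings: List[str] = []
    deleted = rec.exe.endswith(DELETED_SUFFIX)
    exe_path = rec.exe[: -len(DELETED_SUFFIX)] if deleted else rec.exe
    exe_base = os.path.basename(exe_path)

    if MEMFD_RE.match(exe_path):
        findings.append("memfd-backed executable")
    elif deleted:
        findings.append("deleted executable")

    # argv[0] is attacker-controlled; the exe link is not. A mismatch that is not
    # explained by a symlinked interpreter or a multi-call binary is worth a look.
    argv0 = os.path.basename(rec.cmdline[0]) if rec.cmdline else ""
    if argv0 and exe_base not in MULTICALL_EXES and not names_compatible(argv0, exe_base):
        findings.append("argv0-mismatch")
    return findings


def read_record(pid: int) -> Optional[ProcRecord]:
    """Build a ProcRecord from the live /proc; None for kernel threads or denied access."""
    base = f"/proc/{pid}"
    try:
        exe = os.readlink(f"{base}/exe")
        with open(f"{base}/cmdline", "rb") as fh:
            cmdline = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
        with open(f"{base}/comm") as fh:
            comm = fh.read().strip()
    except OSError:
        return None
    return ProcRecord(pid, exe, cmdline, comm)


def scan_proc() -> Dict[int, List[str]]:
    """Walk /proc and return {pid: findings} for every process with a finding."""
    hits: Dict[int, List[str]] = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        rec = read_record(int(name))
        if rec is not None and (found := classify(rec)):
            hits[rec.pid] = found
    return hits


# Constructed sample records standing in for a live /proc walk.
SAMPLE_PROCS = [
    ProcRecord(1201, "/usr/bin/python3.11", ["python3", "/opt/app/server.py"], "python3"),
    ProcRecord(1337, "/usr/bin/bash", ["python3"], "bash"),            # argv[0] spoofed
    ProcRecord(2042, "/memfd:stage (deleted)", ["python3"], "python3"),  # in-memory image
    ProcRecord(3100, "/usr/sbin/sshd (deleted)", ["sshd:", "-D"], "sshd"),  # binary upgraded
    ProcRecord(4400, "/bin/busybox", ["sh"], "sh"),                     # multi-call, benign
]


def scan_samples() -> Dict[int, List[str]]:
    return {r.pid: classify(r) for r in SAMPLE_PROCS if classify(r)}


if __name__ == "__main__":
    for pid, found in scan_samples().items():
        print(f"sample pid {pid}: {', '.join(found)}")
    if os.path.isdir("/proc"):
        for pid, found in scan_proc().items():
            print(f"live pid {pid}: {', '.join(found)}")
```

A "deleted executable" finding is a triage signal rather than a verdict: a long-running daemon shows the same link after its package was upgraded on disk, as the constructed sshd record illustrates. Reading /proc/<pid>/exe for other users' processes requires root, so run the live scan with enough privilege or the memfd case will be missed. Because argv[0] spoofing does not change comm, a process whose comm disagrees with its argv[0] (bash versus python3 in the second record) corroborates the mismatch when you review the hits.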
Techniques & procedures
7 distinct techniques documented for this family, organized by ATT&CK tactic: Execution (1 technique), Stealth (2 techniques), Discovery (1 technique), Collection (1 technique), Exfiltration (1 technique).
Recent activity
13 sources tracked across advisories, community write-ups, and news.
Referenced as a structurally similar malware to the initial loader used in the intrusion chain; the loader executes a script to decrypt a memory-resident dropper that launches ClipXDaemon.
Linux threat (documented Jan 2026) associated with a loader structure and used to deploy post-exploitation tooling against server environments; shares a bincrypter-based staging wrapper with ClipXDaemon but has different operational goals.
Linux malware family previously observed using encrypted shell-script loaders (bincrypter output) to execute in-memory post-exploitation tooling ("weaponized hackshell") targeting server environments; referenced here mainly for loader-structure overlap with ClipXDaemon rather than shared authorship.
A malware family previously observed using encrypted shell loaders to execute an in-memory weaponized hackshell payload against server environments for post-exploitation activity.