hackshell
hackshell is an open-source post-exploitation tool that, in the ShadowHS Linux intrusion chain reported by Cyble Research & Intelligence Labs (CRIL), is deployed as a heavily modified/weaponized in-memory payload to provide an interactive, operator-driven post-exploitation environment on compromised Linux servers. In ShadowHS, hackshell is delivered by a highly obfuscated, multi-stage POSIX shell loader that validates dependencies (openssl, perl, gunzip), reconstructs an embedded high-entropy payload via staged transformations (including Perl and gzip), decrypts it with AES-256-CBC (using an embedded Base64 password and encrypted control blob, and a decrypted byte-offset value R=4817 to skip a header), and executes it filelessly from anonymous file descriptors via /proc/<pid>/fd/<fd>. The loader also spoofs argv[0] (often masquerading as python3) to hinder attribution and disk-based forensics, and is described as leaving no persistent payload binary on disk.
The weaponized hackshell payload emphasizes reconnaissance, OPSEC, and defensive awareness with intentionally restrained default behavior, but code analysis indicates extensive on-demand/dormant modules. Reported capabilities include: host and security posture fingerprinting (OS/user/PTY/privilege context; EDR/AV discovery via filesystem checks and systemd service enumeration; kernel integrity/taint and LKM/rootkit checks; enumeration of deleted or memfd-backed executables; AppArmor/module and /proc inspection); anti-competition logic to identify/terminate rival miners and in-memory implants and to detect/kill the Ebury OpenSSH credential-stealing backdoor; credential access including memory dumping for secrets and theft of artifacts such as AWS credentials, SSH keys, GitLab, Bitrix/WordPress databases, OpenStack and Yandex Cloud user data, Docker/Proxmox/OpenVZ artifacts, and user HOME data; SSH-based scanning and lateral movement (including use of Rustscan and downloading “spirit” to brute-force SSH logins with default credentials, with support for legacy crypto algorithms); privilege escalation by downloading exploits from hardcoded infrastructure (CRIL noted multiple kernel exploits and an auto-exploitation script on C2, including a referenced cve-2025-21756 exploit binary); cryptomining workflows (XMRig, XMR-Stak, GMiner, lolMiner) with pool failover; and covert operator-initiated staging/exfiltration using rsync over GSocket user-space tunnels (gs-dbus/gs-netcat) to evade firewall/egress controls and endpoint monitoring.
Observed/mentioned infrastructure and IOCs in the report include payload staging 91.92.242[.]200; GSocket rendezvous/operations relay 62.171.153[.]47 (used with an operator-supplied token $rsynccode for rsync tunneling); and mining infrastructure 204.93.253[.]180 (ports 4080/3080/1080) and zergpool kawpow endpoints (na/as/eu) on port 3638. CRIL also listed multiple SHA-256 hashes for the loader/payload and auxiliary tools (Rustscan, spirit, miner components, exploit tools).
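One defender-side check for the fileless execution and argv[0] masquerade described above, written here as an added example rather than code from the report or from hackshell itself: it reads each process's /proc/<pid>/exe link and its argv[0] and flags memfd-backed or unlinked images and name mismatches. The ProcRecord/classify/scan_proc names and the sample records are constructed for this example.

```python
import os
from typing import Dict, List, NamedTuple

class ProcRecord(NamedTuple):
    pid: int
    exe: str        # readlink() target of /proc/<pid>/exe
    cmdline: bytes  # raw /proc/<pid>/cmdline, NUL-separated argv

def classify(rec: ProcRecord) -> List[str]:
    """Return findings for one process; an empty list means nothing unusual."""
    findings = []
    exe = rec.exe
    # A binary exec'd from a memfd, or via /proc/<pid>/fd/<fd> pointing at one,
    # shows up as "/memfd:<name> (deleted)" in the exe link.
    if exe.startswith("/memfd:"):
        findings.append("memfd-backed executable (fileless)")
    elif exe.endswith(" (deleted)"):
        findings.append("executable unlinked from disk")
    # argv[0] masquerade: the name a process reports for itself differs from the
    # image it runs. Login shells prefix "-" and interpreters resolve through
    # symlinks (python3 -> python3.11), so compare by prefix to limit benign
    # noise; on its own this is a weak signal, strong when paired with memfd.
    argv0 = rec.cmdline.split(b"\0", 1)[0].decode(errors="replace").lstrip("-")
    exe_base = os.path.basename(exe.replace(" (deleted)", ""))
    if argv0 and not exe_base.startswith(os.path.basename(argv0)):
        findings.append(f"argv[0] {argv0!r} does not match exe {exe!r}")
    return findings

def scan_proc(proc_root: str = "/proc") -> Dict[int, List[str]]:
    """Walk a procfs tree and return {pid: findings} for flagged processes."""
    flagged = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            exe = os.readlink(os.path.join(proc_root, name, "exe"))
            with open(os.path.join(proc_root, name, "cmdline"), "rb") as fh:
                cmdline = fh.read()
        except OSError:  # process exited, or no permission (run as root)
            continue
        findings = classify(ProcRecord(int(name), exe, cmdline))
        if findings:
            flagged[int(name)] = findings
    return flagged

# Constructed sample records, not taken from the report.
SAMPLES = [
    ProcRecord(4242, "/memfd:python3 (deleted)", b"python3\0"),      # loader-style
    ProcRecord(1337, "/usr/bin/python3.11", b"python3\0-c\0pass\0"),  # benign
    ProcRecord(77, "/usr/bin/bash", b"-bash\0"),                      # login shell
    ProcRecord(9001, "/usr/sbin/sshd", b"python3\0"),                 # name spoof only
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec.pid, classify(rec) or "ok")
```

Run scan_proc() as root on a live host to apply the same checks to every process; unprivileged runs skip processes whose exe link cannot be read.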
Recent activity
3 sources tracked across advisories, community write-ups, and news.
An open-source post-exploitation tool that, in this campaign, is heavily modified/weaponized and used as the in-memory payload to provide an interactive operator-controlled post-exploitation environment with modules for credential theft, lateral movement, and privilege escalation.
Referenced as the base utility that was weaponized/extended to form ShadowHS’s post-compromise platform capabilities.
An open-source/lightweight post-exploitation helper that, in this activity, is heavily modified and weaponized into an in-memory operator framework providing interactive access plus modular capabilities (reconnaissance, defense discovery, credential access, lateral movement, exfiltration, and optional cryptomining).