Cyble Research & Intelligence Labs (CRIL) has uncovered a sophisticated Linux intrusion framework dubbed ShadowHS — a stealthy, fileless post-exploitation tool that executes entirely from memory, leaving virtually no traces on disk. This discovery highlights the growing sophistication of Linux-targeted threats and the challenges they pose for traditional security tools.
What Makes ShadowHS Different
Unlike conventional Linux malware that prioritizes automated propagation or immediate monetization, ShadowHS focuses on stealth, operator safety, and long-term interactive control. The framework represents a significant evolution in Linux attack tooling:
- Fileless execution — The payload runs exclusively from anonymous file descriptors, never touching the disk
- argv[0] spoofing — Disguises its process name to evade detection
- AES-256-CBC encryption — The payload is stored encrypted under a password-derived AES-256-CBC key and only decrypted at run time
- Multi-stage loader — Leverages OpenSSL, Perl, and gzip for decryption and decompression
Advanced Defensive Evasion
ShadowHS includes aggressive fingerprinting capabilities for commercial EDR and AV products, suggesting operators expect to encounter defended enterprise environments. The framework detects:
- CrowdStrike Falcon Sensor
- Sophos Intercept X & SPL
- Microsoft Defender (mdatp)
- Cybereason, Elastic Agent, Cortex XDR
- WithSecure, Wazuh, Rapid7
- LimaCharlie, Tanium, and cloud vendor agents
Dormant But Dangerous Capabilities
While runtime behavior remains deliberately conservative, payload analysis reveals extensive dormant capabilities that can be invoked on-demand:
- Credential theft — Targeting AWS credentials, SSH keys, GitLab, WordPress databases, Docker, Proxmox VMs
- Memory dumping — Extracts credentials and secrets from live processes
- Lateral movement — SSH-based network scanning with support for legacy cryptographic algorithms
- Privilege escalation — Downloads kernel exploits from C2 infrastructure
- Cryptomining — Multiple CPU and GPU mining workflows including XMRig, GMiner, and lolMiner
Anti-Competition Logic
ShadowHS actively hunts for competing malware families like Rondo and Kinsing, detects kernel rootkits via LKM checks, and contains explicit logic to detect and terminate the Ebury backdoor — a well-known OpenSSH credential-stealing threat. This “malware vs malware” capability suggests operators want exclusive control over compromised systems.
Covert Data Exfiltration
Perhaps most concerning, the framework includes operator-driven exfiltration mechanisms that abuse user-space tunneling (GSocket) to stage or extract data — completely bypassing traditional firewall controls and endpoint monitoring.
Why This Matters
The tradecraft observed in ShadowHS aligns more closely with advanced red-team frameworks than commodity Linux malware. Key implications:
- Traditional file-based detection methods will miss fileless threats
- Linux servers require runtime threat detection and memory analysis
- EDR/AV fingerprinting means attackers are preparing for defended environments
- The separation of restrained runtime behavior and extensive dormant capabilities indicates mature operator tradecraft
For defenders: Deploy runtime threat detection capable of identifying fileless execution via memfd_create combined with execveat. Monitor for processes executed from /proc/<pid>/fd/<n> paths or whose executable resolves to an anonymous memfd, and implement kernel integrity monitoring.
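As an added illustration of the hunting guidance above (this is editor-written example code, not Cyble's tooling and not anything taken from ShadowHS), the script below walks /proc and flags processes whose executable is backed by an anonymous memfd or was unlinked after launch, that hold open memfd descriptors, or whose argv[0] disagrees with the real executable name. The pure helper functions take the readlink results and cmdline bytes as arguments so they can be exercised with constructed values; the sample values in the comments are constructed, not observed indicators.

```python
import os
from typing import List, Optional


def classify_exe(exe_link: str) -> Optional[str]:
    """Classify the target of readlink('/proc/<pid>/exe').

    A process started from an anonymous memfd (memfd_create + execveat)
    resolves to '/memfd:<name> (deleted)'; a binary unlinked after launch
    resolves to '<path> (deleted)'. In both cases the image cannot be
    recovered from its on-disk path, which is what file-based scanners need.
    """
    if exe_link.startswith("/memfd:"):
        return "memfd"
    if exe_link.endswith(" (deleted)"):
        return "deleted"
    return None


def argv0_mismatch(exe_link: str, cmdline: bytes) -> bool:
    """Heuristic argv[0] spoofing check.

    Compares the basename of the real executable with argv[0] from
    /proc/<pid>/cmdline (NUL-separated). A leading '-' (login shell) is
    ignored and a version-suffixed interpreter (python3 vs python3.11)
    is accepted. Daemons that legitimately rewrite their process title
    (sshd, postgres, nginx workers) also trip this, so treat it as a weak
    signal to combine with the exe/fd checks rather than an alert by itself.
    """
    argv = cmdline.split(b"\x00")
    if not argv or not argv[0]:
        return False  # kernel threads and zombies expose an empty cmdline
    argv0 = os.path.basename(argv[0].decode("utf-8", "replace")).lstrip("-")
    exe_name = os.path.basename(exe_link.replace(" (deleted)", ""))
    return not (argv0.startswith(exe_name) or exe_name.startswith(argv0))


def assess_process(exe_link: str, cmdline: bytes, fd_links: List[str]) -> List[str]:
    """Return the list of reasons a process looks fileless or disguised (empty if clean)."""
    reasons: List[str] = []
    kind = classify_exe(exe_link)
    if kind == "memfd":
        reasons.append("exe backed by anonymous memfd")
    elif kind == "deleted":
        reasons.append("exe unlinked from disk")
    memfd_fds = [link for link in fd_links if link.startswith("/memfd:")]
    if memfd_fds:
        reasons.append(f"{len(memfd_fds)} open memfd descriptor(s)")
    if argv0_mismatch(exe_link, cmdline):
        reasons.append("argv[0] does not match exe")
    return reasons


def scan_proc(proc_root: str = "/proc") -> List[dict]:
    """Point-in-time sweep of a procfs tree; run as root to see every process."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            exe_link = os.readlink(os.path.join(base, "exe"))
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                cmdline = fh.read()
            fd_dir = os.path.join(base, "fd")
            fd_links = []
            for fd in os.listdir(fd_dir):
                try:
                    fd_links.append(os.readlink(os.path.join(fd_dir, fd)))
                except OSError:
                    pass  # descriptor closed between listdir and readlink
        except OSError:
            continue  # kernel thread (no exe), exited process, or not permitted
        reasons = assess_process(exe_link, cmdline, fd_links)
        if reasons:
            findings.append({"pid": int(entry), "exe": exe_link, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Constructed demonstration values, then a live sweep of this host.
    print(assess_process("/memfd:stage2 (deleted)", b"[kworker/u8:2]\x00",
                         ["/memfd:stage2 (deleted)", "socket:[4242]"]))
    for finding in scan_proc():
        print(finding["pid"], finding["exe"], "; ".join(finding["reasons"]))
```

A /proc sweep only sees what is alive at that instant, so pair it with a syscall-level record of memfd_create and execveat (for example an auditd rule such as `-a always,exit -F arch=b64 -S memfd_create -S execveat -k fileless`, or an equivalent eBPF hook) to catch short-lived loaders and to capture the descriptor path that was executed.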
