Cyble Research and Intelligence Labs has revealed ShadowHS, a sophisticated fileless framework for post-exploitation on Linux systems. The tool enables stealthy, in-memory operations and long-term access for attackers. It features a weaponized version of hackshell and advanced evasion techniques.
Cyble Research and Intelligence Labs (CRIL) announced the discovery of ShadowHS on January 30, 2026. This post-exploitation framework targets Linux environments and operates entirely in memory to avoid leaving traces on disk. Unlike conventional malware, ShadowHS uses an encrypted shell loader that deploys a modified hackshell; the payload is recovered through AES-256-CBC decryption, Perl-based byte skipping, and gzip decompression. It is then executed through /proc//fd/ with a spoofed argv[0], so no filesystem artifacts are created.
Once deployed, ShadowHS focuses on initial reconnaissance, including fingerprinting host security tools like CrowdStrike, Tanium, Sophos, and Microsoft Defender, as well as cloud and OT/ICS agents. It assesses prior compromises and kernel integrity to help operators evaluate the system's security posture. CRIL describes the framework as operator-centric, with restrained runtime behavior that allows selective activation of capabilities such as credential access, lateral movement, privilege escalation, cryptomining, and data exfiltration.
“ShadowHS demonstrates a clear separation between restrained runtime activity and extensive dormant capabilities,” CRIL notes. “This is indicative of a deliberate operator-driven post-exploitation platform rather than automated malware.”
For data exfiltration, ShadowHS employs user-space tunneling over GSocket, bypassing standard network channels and firewalls. Variants include DBus-based and netcat-style tunnels, which preserve file timestamps and permissions and track partial transfer state. Dormant modules cover memory dumping for credentials, SSH-based lateral movement with brute-force scanning, kernel exploits for privilege escalation, and mining via XMRig, GMiner, and lolMiner. The framework also includes anti-competition measures that terminate rival malware such as Rondo, Kinsing, and the Ebury backdoor.
The framework exposes gaps in Linux defenses: traditional file-scanning antivirus has little purchase on a threat that never touches disk. CRIL emphasizes the need for process behavior monitoring, kernel telemetry, and proactive intelligence to counter such adaptive tools.
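As an added illustration of the kind of process-behavior check CRIL recommends, the Python script below walks /proc and flags processes whose executable is not backed by a file on disk, whose arguments name a /proc/<pid>/fd/<n> descriptor instead of a path, or whose argv[0] does not match the program actually mapped. This is example code written for this article, not CRIL's tooling and not anything taken from the ShadowHS sample. The link-target markers it tests for ('/memfd:' and ' (deleted)') and the severity thresholds are assumptions about how Linux renders in-memory executables in /proc, not indicators published in the report.

```python
import os
import re

# Substrings that appear in a /proc/<pid>/exe link target when the executable
# is not backed by a regular file on disk. Assumed from how Linux renders
# memfd-backed and unlinked executables, not taken from the CRIL report.
IN_MEMORY_MARKERS = ("/memfd:", " (deleted)")

# An argument that names a file descriptor through /proc rather than a path.
PROC_FD_ARG = re.compile(r"^/proc/(self|\d+)/fd/\d+$")


def normalize_argv0(argv0):
    """Reduce argv[0] to a bare program name for comparison with the exe link.

    Login shells prefix argv[0] with '-' ('-bash') and some daemons overwrite
    it with a status string ('sshd: root@pts/0'), so keep only the first
    whitespace-separated token, then strip a leading '-' and a trailing ':'.
    """
    parts = argv0.split()
    if not parts:
        return ""
    token = parts[0].lstrip("-").rstrip(":")
    return os.path.basename(token)


def analyze_process(exe_target, argv):
    """Classify one process from its /proc/<pid>/exe target and argv list.

    Returns (severity, reasons) where severity is 'none', 'low' or 'high'.
    An argv[0] mismatch on its own is only 'low': symlinked interpreters and
    multi-call binaries such as busybox produce it legitimately.
    """
    reasons = []
    if any(marker in exe_target for marker in IN_MEMORY_MARKERS):
        reasons.append("exe not backed by a file on disk: %r" % exe_target)
    for arg in argv[1:]:
        if PROC_FD_ARG.match(arg):
            reasons.append("argument names a /proc fd instead of a path: %r" % arg)
            break
    strong = len(reasons) > 0  # either in-memory indicator rates 'high'
    exe_name = os.path.basename(exe_target.replace(" (deleted)", ""))
    if argv and normalize_argv0(argv[0]) != exe_name:
        reasons.append("argv[0] %r does not match exe name %r" % (argv[0], exe_name))
    if not reasons:
        return "none", reasons
    return ("high" if strong else "low"), reasons


def scan_proc(proc_root="/proc"):
    """Walk a procfs tree and return {pid: (severity, reasons)} for flagged processes."""
    findings = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            exe_target = os.readlink(os.path.join(base, "exe"))
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                argv = [a.decode("utf-8", "replace") for a in fh.read().split(b"\0") if a]
        except OSError:
            # Kernel threads have no exe link, and other users' processes need root.
            continue
        severity, reasons = analyze_process(exe_target, argv)
        if severity != "none":
            findings[int(entry)] = (severity, reasons)
    return findings


if __name__ == "__main__":
    for pid, (severity, reasons) in sorted(scan_proc().items()):
        print(f"pid {pid} [{severity}]")
        for reason in reasons:
            print("    " + reason)
```

Run it as root so every /proc/<pid>/exe link is readable, and ship the 'high' findings to whatever collects your endpoint telemetry; the 'low' argv[0]-only hits are worth a periodic review rather than an alert, because interpreter symlinks and multi-call binaries trip them constantly. A one-shot scan like this only catches a payload while it is running, which is exactly why the report pairs it with continuous kernel telemetry.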
“ShadowHS represents a fully operator-controlled, adaptive Linux framework designed for stealth and long-term access,” CRIL stated.
This discovery underscores evolving threats to Linux systems, particularly in enterprise and critical infrastructure settings.