Video Tutorial Sophisticated Fileless Trojan ShadowHS Stealthily Takes Over Linux Systems

Sophisticated Fileless Trojan ShadowHS Stealthily Takes Over Linux Systems
February 2, 2026 — by Ekaterina Bystrova

Researchers have reported the emergence of a new fileless framework called ShadowHS that targets Linux systems. The malware operates entirely in memory, leaving virtually no forensic traces and disguising itself by using legitimate process names. ShadowHS is deliberately low-profile: it first surveys the environment and checks for the presence of security solutions such as CrowdStrike, Sophos, and Microsoft Defender, and only then acts on commands from its operator. Traditional antivirus techniques are largely ineffective against it; effective detection requires behavioral analysis and in-memory monitoring.

Cocoon AI Summary

Researchers have uncovered ShadowHS, an advanced fileless framework for attacking Linux systems that stands out markedly from conventional malware. This is not just another binary that can be detected by antivirus software, but a full-fledged post-exploitation tool designed to operate entirely in memory and remain stealthy over long periods within hardened corporate environments.

According to Cyble Research & Intelligence Labs, ShadowHS is a heavily modified and “weaponized” version of the hackshell utility. During infection, the malware never writes files to disk. Instead, it executes from anonymous file descriptors and disguises its process name as legitimate applications such as python3, allowing it to bypass file integrity monitoring and traditional security mechanisms.

The infection chain begins with a multi-stage shell loader, in which the payload is encrypted using AES-256-CBC. Upon execution, the loader checks for required dependencies such as OpenSSL, Perl, and gzip, determines the execution context, and only then reconstructs the payload through a complex decoding chain. Execution takes place directly from memory—via /proc/<pid>/fd/<fd>—leaving no artifacts on the filesystem.

The defining characteristic of ShadowHS is its deliberately “restrained” behavior. Unlike mass‑distributed malware, it does not immediately start cryptocurrency mining or data exfiltration. Instead, the framework begins with in‑depth environmental reconnaissance: it searches for security controls, analyzes system configuration, and reports its findings back to the operator, who then manually decides on the next steps. This approach closely resembles the actions of a human attacker rather than those of an automated bot.

ShadowHS actively checks for the presence of enterprise security solutions, including CrowdStrike Falcon, Sophos Intercept X, Microsoft Defender, Elastic Agent, Wazuh, Tanium, and various cloud provider agents. These checks involve inspecting file paths, service states, and overall system conditions. In parallel, the malware “cleans the territory” by identifying and terminating processes belonging to competing malware families, such as Kinsing, Rondo, and the notorious Ebury backdoor, as well as detecting traces of rootkits and previous compromises.

Particular attention should be paid to its data exfiltration mechanism. Instead of relying on standard tools like SSH, SCP, or SFTP, ShadowHS uses custom GSocket tunnels. File transfers are routed through a predefined rendezvous point and masqueraded as local connections, which are intercepted by GSocket before reaching the network stack. This technique allows the malware to bypass firewalls and network monitoring tools without creating obvious external network sessions.

If the operator chooses to activate the “heavy” modules, ShadowHS can deploy multiple cryptocurrency miners, including XMRig, XMR‑Stak, GMiner, and lolMiner. For lateral movement, it pulls in tools such as Rustscan. The codebase also contains dormant modules designed to steal AWS credentials, SSH keys, and data from platforms like GitLab, WordPress, Bitrix, Docker, Proxmox, OpenVZ, as well as cloud metadata services.

Due to its fully fileless architecture, traditional signature‑based security tools are largely ineffective against ShadowHS. Effective detection requires behavioral analysis, in‑memory execution monitoring, and kernel‑level telemetry. Experts recommend paying close attention to anomalous process lineage, manipulated launch arguments, and unusual use of mechanisms such as memfd.
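The two telemetry signals the article calls out, memfd-backed execution and a process name that does not match its backing binary, can be checked directly from /proc. The following is an added defender-side example written for this post, not code from the Cyble report or from ShadowHS itself; the ProcInfo fields mirror /proc/<pid>/exe, comm and cmdline, and the sample values in the test are constructed.

```python
"""Constructed hunting logic: flag processes whose exe is memory-backed or deleted, or whose claimed name disagrees with it."""
import os
from dataclasses import dataclass, field

@dataclass
class ProcInfo:
    pid: int
    exe: str                  # target of /proc/<pid>/exe
    comm: str                 # /proc/<pid>/comm (kernel truncates to 15 chars)
    cmdline: list = field(default_factory=list)  # argv from /proc/<pid>/cmdline

def _names_agree(claimed, actual):
    # "python3" vs "python3.11" is a normal versioned symlink; busybox-style multi-call binaries need an allowlist on top.
    return actual.startswith(claimed) or claimed.startswith(actual)

def suspicious_indicators(p):
    """Return findings for one process; an empty list means nothing stood out."""
    findings = []
    fileless = p.exe.startswith("/memfd:") or p.exe.endswith("(deleted)")
    if fileless:  # note: also fires on binaries replaced by a package upgrade
        findings.append("exe is memfd-backed or its file was unlinked")
        return findings
    exe_base = os.path.basename(p.exe)
    argv0 = os.path.basename(p.cmdline[0]) if p.cmdline else ""
    if argv0 and not _names_agree(argv0, exe_base):
        findings.append(f"argv[0] {argv0!r} does not match exe {exe_base!r}")
    if p.comm and not _names_agree(p.comm, exe_base[:15]):
        findings.append(f"comm {p.comm!r} does not match exe {exe_base!r}")
    return findings

def read_proc(pid):
    """Build a ProcInfo from a live Linux /proc (root needed for other users' pids)."""
    base = f"/proc/{pid}"
    with open(f"{base}/comm") as f:
        comm = f.read().strip()
    with open(f"{base}/cmdline", "rb") as f:
        argv = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
    return ProcInfo(pid, os.readlink(f"{base}/exe"), comm, argv)

def scan_proc():
    """Walk /proc and return {pid: findings} for every flagged process."""
    flagged = {}
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                p = read_proc(int(entry))
            except OSError:
                continue  # kernel thread, pid already exited, or no permission
            if (found := suspicious_indicators(p)):
                flagged[p.pid] = found
    return flagged
```

Run `scan_proc()` as root on a Linux host; any hit still needs triage against package upgrades and legitimate memfd users (runtimes, snap/flatpak) before it is treated as a fileless implant.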
