Researchers Uncover SuperShell Payloads and Various Tools in Hacker’s Open Directories

Cybersecurity researchers at Hunt have uncovered a server hosting advanced malicious tools, including SuperShell command-and-control (C2) payloads and a Linux ELF Cobalt Strike beacon.

The discovery, originating from a routine search for open-source proxy software, highlights the pervasive risks of unsecured infrastructure and the sophistication of modern cyber threats.

Hunt’s continuous scanning of public IPv4 space identified an open directory containing IOX, an open-source proxy tool, alongside two malicious files: ps1 and ps2 (UPX-packed SuperShell payloads) and a file labeled test (a Cobalt Strike beacon).

The server’s exposure provided a rare glimpse into attacker infrastructure, with Hunt’s platform already flagging associated IPs as malicious.

SuperShell, a Python-based C2 framework, enables attackers to manage compromised devices via SSH, compile cross-platform payloads, and deploy a web-based admin panel.

Despite its low visibility compared to tools like Cobalt Strike, its capabilities make it a potent threat. Hunt’s detection of over 100 SuperShell servers underscores its growing adoption among adversaries.

Analysis of the ps1 and ps2 files revealed Golang executables packed with UPX, which unpacked to SuperShell backdoors detected by antivirus engines as GOREVERSE. Key findings from this analysis include:

  • The samples communicated with the IP 124.70.143[.]234 on port 3232, indicating active command-and-control infrastructure.
  • The server also hosted Asset Reconnaissance Lighthouse (ARL), a red-teaming tool for network vulnerability mapping.
  • Open ports included 5003 for ARL and 8888 for SuperShell’s admin panel, suggesting attackers combined reconnaissance and exploitation phases.
  • Hunt’s platform highlighted the server’s ARL login interface and SuperShell dashboard, both of which were publicly accessible.

This infrastructure overlap indicates a coordinated effort to identify targets, deploy payloads, and maintain persistent access, a hallmark of advanced persistent threats (APTs).

Cobalt Strike Beacon and Evasive Infrastructure

The test file, a UPX-packed Linux ELF binary, was identified as a Cobalt Strike beacon connecting to 8.219.177[.]40:443.

Unlike the SuperShell samples, this beacon used a self-signed certificate masquerading as jquery.com, a tactic to evade certificate scrutiny. By the time researchers investigated, the server had been deactivated, limiting further analysis.

Cobalt Strike’s association with ransomware and espionage groups raises concerns about the payload’s intent.

The coexistence of SuperShell and Cobalt Strike on one server suggests attackers may diversify tools to maximize intrusion success.

Hunt’s historical data shows such infrastructures often resurface under new IPs, emphasizing the need for continuous monitoring.

Implications for Cybersecurity Defense

This discovery underscores the critical role of open directory scanning in threat intelligence. By mapping exposed servers, Hunt provides defenders with real-time insights into emerging threats.

The integration of ARL with SuperShell and Cobalt Strike also reveals adversaries’ increasing reliance on layered attacks that combine reconnaissance, exploitation, and post-compromise tooling.

For organizations, the findings stress the importance of securing internet-facing services and monitoring certificate anomalies.
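The two checks the findings point to, traffic to the published C2 and panel endpoints and a self-signed certificate posing as a well-known domain, can be run over TLS connection logs. The following is an added example written for this article, not code from Hunt; it assumes Zeek-style ssl.log records exported as JSON (fields uid, id.resp_h, id.resp_p, subject, issuer) and uses constructed sample records.

```python
# Added example, not from the Hunt write-up: scan Zeek-style ssl.log JSON records
# for the two patterns the article describes -- connections to the published
# C2/panel endpoints, and a self-signed certificate impersonating a known domain.
import json
# Indicators as published in the article (defanged); refanged here for matching.
IOC_ENDPOINTS = {k.replace("[.]", "."): v for k, v in {
    "123.60.58[.]50:8888": "open directory",
    "124.70.143[.]234:8888": "SuperShell panel",
    "124.70.143[.]234:3232": "SuperShell C2",
    "8.219.177[.]40:443": "Cobalt Strike C2",
}.items()}


def cn_of(dn: str) -> str:
    """Extract the CN from a DN string such as 'CN=jquery.com,O=Foo'."""
    for part in dn.split(","):
        key, _, val = part.strip().partition("=")
        if key.upper() == "CN":
            return val.strip().lower()
    return ""


def check_tls_record(rec: dict) -> list:
    """Return findings for one connection record; an empty list means clean."""
    findings = []
    endpoint = f"{rec['id.resp_h']}:{rec['id.resp_p']}"
    if endpoint in IOC_ENDPOINTS:
        findings.append(f"known indicator: {IOC_ENDPOINTS[endpoint]} ({endpoint})")
    subject, issuer = rec.get("subject", ""), rec.get("issuer", "")
    cn = cn_of(subject)
    # subject == issuer marks a self-signed leaf. A self-signed cert naming a public
    # domain (the beacon posed as jquery.com) never passes real validation, so a
    # client that keeps talking to it deserves a look.
    if subject and subject == issuer and cn:
        findings.append(f"self-signed certificate claiming {cn} on {endpoint}")
    return findings


def scan(lines):
    """Yield (uid, findings) for each JSON record that triggers a check."""
    for line in lines:
        rec = json.loads(line)
        findings = check_tls_record(rec)
        if findings:
            yield rec["uid"], findings


SAMPLE_LOG = [  # constructed records for demonstration, not captured traffic
    '{"uid":"C1","id.resp_h":"8.219.177.40","id.resp_p":443,"subject":"CN=jquery.com","issuer":"CN=jquery.com"}',
    '{"uid":"C2","id.resp_h":"203.0.113.7","id.resp_p":443,"subject":"CN=example.com","issuer":"CN=Example Public CA,O=Example"}',
    '{"uid":"C3","id.resp_h":"124.70.143.234","id.resp_p":3232,"subject":"","issuer":""}',
]
```

Running `dict(scan(SAMPLE_LOG))` flags C1 on both checks and C3 on the indicator match, while the CA-issued certificate in C2 produces nothing.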

Hunt’s public platform, which catalogs malicious IPs and payloads, offers a proactive defense mechanism against such threats.

As cybercriminals evolve, collaborations between researchers and defensive teams become vital to dismantling attacker infrastructure.

Hunt’s investigation not only exposes current threats but also sets a precedent for future threat-hunting methodologies.

IP Address              Provider                                   Indicator
123.60.58[.]50:8888     Huawei Public Cloud Service                Open Directory
124.70.143[.]234:8888   Huawei Public Cloud Service                SuperShell Panel
8.219.177[.]40:443      Alibaba Cloud (Singapore) Private Limited  Cobalt Strike C2

Filename      MD5
ps1           91757c624776224b71976ec09034e804
ps2           8e732006bd476ce820c9c4de14412f0d
test          770a2166ff4b5ece03a42c756360bd28
iox.exe       0095c9d4bc45fed4080e72bd46876efd
winlog2.exe   8f2df5c6cec499f65168fae5318dc572
vagent.jar    6dcfd2dd537b95a6b9eac5cb1570be27
