A comprehensive scan of the public IPv4 space by the Hunt platform has led to a significant discovery of malicious cyber infrastructure and tools, including the elusive SuperShell command-and-control (C2) payload.
By scanning open directories and indexing over 41 million files, Hunt researchers identified a server hosting dangerous binaries and artifacts often used by advanced persistent threat (APT) actors.
While initially searching for IOX, an open-source proxy and port-forwarding utility, analysts encountered an open directory containing two SuperShell payloads (also tracked as GOREVERSE in Google/Mandiant nomenclature) and a Linux ELF Cobalt Strike beacon.
SuperShell, introduced on GitHub as a Python-based C2 framework, offers features such as a web-based control panel, SSH C2 communications, and cross-platform payload compilation, making it a powerful tool for attackers.
Discovery and Analysis of Open Directory Payloads
Upon examining the open directory, researchers found several files, including ‘ps1’, ‘ps2’, and a ‘test’ binary. Both ‘ps1’ and ‘ps2’ were UPX-packed, 64-bit ELF Go executables, detected by VirusTotal as variants of SuperShell/GOREVERSE.
Dynamic analysis revealed that these backdoors communicated with remote infrastructure at 124.70.143[.]234 over TCP port 3232, implying an operational C2 component.

The investigation further uncovered that the broader C2 infrastructure leveraged additional ports, such as 5003, associated with Asset Reconnaissance Lighthouse (ARL), an offensive tool for mapping and exploiting network weaknesses.
The SuperShell administrative interface was identified on port 8888, confirming the presence of an actively managed C2 panel.

Notably, both ‘ps1’ and ‘ps2’ samples were found to be functionally identical, which suggests redundancy or load balancing within the attacker’s deployment.
Cobalt Strike Beacon and Additional Threat Infrastructure
The ‘test’ binary, another UPX-packed ELF executable, contrasted sharply with the SuperShell payloads.
Identified as a Cobalt Strike beacon, the sample communicated with 8.219.177[.]40 over HTTPS (port 443), utilizing a fraudulent certificate masquerading as “jquery.com.”
By the time the research team investigated, the associated Cobalt Strike team server had been decommissioned, but its presence linked the exposed directory to potentially broader, multi-stage operations.
Analysis of these findings underlines the degree of carelessness or confidence exhibited by threat actors in leaving such potent tools exposed.
The overlap of public cloud infrastructure, sophisticated C2 frameworks, and well-known attacker tooling highlights the utility of vigilant internet-wide scanning and open directory monitoring for threat intelligence.
The investigation demonstrates how simple reconnaissance for open-source binaries can unravel a network of malicious infrastructure, including leading C2 frameworks like SuperShell and Cobalt Strike, as well as reconnaissance utilities such as ARL.
The discovery reinforces the need for defenders and researchers to remain alert to exposed assets and to leverage community-driven platforms for intelligence sharing.
Indicators of Compromise (IOC)
| Type | Indicator | Details |
|---|---|---|
| IP Address | 123.60.58[.]50:8888 | Huawei Public Cloud / Open Directory |
| IP Address | 124.70.143[.]234:8888 | Huawei Public Cloud / SuperShell Panel |
| IP Address | 8.219.177[.]40:443 | Alibaba Cloud (Singapore) / Cobalt Strike C2 |
| File | ps1 (MD5) | 91757c624776224b71976ec09034e804 |
| File | ps2 (MD5) | 8e732006bd476ce820c9c4de14412f0d |
| File | test (MD5) | 770a2166ff4b5ece03a42c756360bd28 |
| File | iox.exe (MD5) | 0095c9d4bc45fed4080e72bd46876efd |
| File | winlog2.exe (MD5) | 8f2df5c6cec499f65168fae5318dc572 |
| File | vagent.jar (MD5) | 6dcfd2dd537b95a6b9eac5cb1570be27 |
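The traits the researchers used to characterise the samples (ELF, 64-bit, UPX-packed, Go, known MD5) can be checked statically before any dynamic analysis. The following triage script is an added example, not Hunt's tooling; the MD5 values come from the IOC table above, and the sample bytes are a constructed stand-in, not one of the real files.

```python
"""Static triage of a suspected SuperShell/GOREVERSE or beacon binary."""
import hashlib

# MD5s from the IOC table above; only exact matches are reported.
KNOWN_MD5 = {
    "91757c624776224b71976ec09034e804": "ps1 (SuperShell/GOREVERSE)",
    "8e732006bd476ce820c9c4de14412f0d": "ps2 (SuperShell/GOREVERSE)",
    "770a2166ff4b5ece03a42c756360bd28": "test (Cobalt Strike beacon)",
}


def triage(data: bytes) -> dict:
    """Report ELF magic, 64-bit class, UPX marker, Go build-ID marker and IOC hash match."""
    is_elf = data[:4] == b"\x7fELF"
    # e_ident[EI_CLASS] at offset 4: 2 means ELFCLASS64.
    is_64bit = is_elf and len(data) > 4 and data[4] == 2
    # UPX writes "UPX!" into the packed image header and the trailing packheader.
    upx_packed = b"UPX!" in data
    # The Go linker embeds a build ID note; packers hide it until the file is unpacked.
    go_marker = b"Go build ID:" in data or b".note.go.buildid" in data
    md5 = hashlib.md5(data).hexdigest()
    return {
        "elf": is_elf,
        "elf64": is_64bit,
        "upx_packed": upx_packed,
        "go_build_id": go_marker,
        "md5": md5,
        "ioc_match": KNOWN_MD5.get(md5),
    }


# Constructed sample: a minimal ELF64 header followed by a UPX marker and a
# Go build-ID string. Not a real binary, just enough to exercise the checks.
SAMPLE = (
    b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # e_ident: ELFCLASS64, little-endian
    + b"\x02\x00\x3e\x00"                            # e_type ET_EXEC, e_machine EM_X86_64
    + b"\x00" * 40
    + b"UPX!\x0d\x09\x0d\x16"                        # constructed UPX marker
    + b'Go build ID: "constructed-sample"\x00'
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key:12} {value}")
```

On a genuinely UPX-packed Go ELF the `go_build_id` flag is usually false until the file has been unpacked with `upx -d`, so treat a positive `upx_packed` as the cue to unpack and re-run the triage.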