In Plain Sight: Uncovering SuperShell & Cobalt Strike from an Open Directory

Published on Apr 16, 2024

Hunt scans every corner of the public IPv4 space and constantly scours the Internet for open directories. Through this effort, we have amassed over 41 million files, readily available for viewing and download by users. Our continuous scanning provides unparalleled insight into the web's often-overlooked areas.

While searching for open directories hosting copies of IOX, an open-source proxy and port forwarding tool, we stumbled upon an exposed server containing two SuperShell payloads, also referred to as GOREVERSE by Google/Mandiant, and a Linux ELF Cobalt Strike beacon.

In this post, we'll navigate through the server's files and folders and unearth additional infrastructure that has already been tagged as malicious in the Hunt platform.

A Brief Intro to SuperShell & Locating Panels

SuperShell was introduced on GitHub just over a year ago. Despite its low profile compared to other open-source C2 projects, its capabilities are no less formidable. The project's features include a Python-based server, an easy-to-use administrative panel, C2 communication over Secure Shell (SSH), and the ability to compile payloads for all major operating systems, including Android. Given its robust features, SuperShell is a framework that warrants the attention of defenders and researchers.

Figure 1: Snippet of SuperShell README on GitHub

As SuperShell operates as a web-based command and control framework, tracking its servers is relatively straightforward. At its most basic level, identifying login panels involves looking for servers whose responses feature the URI pattern /supershell/login, coupled with the presence of 'supershell' within the HTTP response.
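The two-part panel fingerprint described above (the /supershell/login URI plus the string 'supershell' somewhere in the response), written out as an added example for a defender's scanner pipeline; this is not Hunt's code, and the HTTP responses are constructed samples rather than real captures:

```python
import re

# Constructed sample HTTP responses (not real captures): a SuperShell login
# page, a bare redirect to it, a page that merely mentions the name, and an
# unrelated server.
SAMPLES = {
    "login_page": (
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        "<html><head><title>SuperShell</title></head>"
        "<body><form action=\"/supershell/login\" method=\"post\">"
        "<input name=\"password\"></form></body></html>"
    ),
    "redirect_only": "HTTP/1.1 302 Found\r\nLocation: /supershell/login\r\n\r\n",
    "mention_only": (
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        "<p>Read our write-up on the SuperShell C2 framework.</p>"
    ),
    "unrelated": (
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        "<html><body><h1>Welcome to nginx!</h1></body></html>"
    ),
}

LOGIN_URI = re.compile(r"/supershell/login\b")
KEYWORD = re.compile(r"supershell", re.IGNORECASE)


def split_response(raw: str):
    """Split a raw HTTP response into (status line, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def is_supershell_panel(raw: str) -> bool:
    """Both conditions must hold: the login URI appears in the Location
    header or body, and 'supershell' occurs anywhere in the response."""
    _, headers, body = split_response(raw)
    uri_hit = bool(LOGIN_URI.search(headers.get("location", ""))
                   or LOGIN_URI.search(body))
    return uri_hit and bool(KEYWORD.search(raw))


def classify_samples() -> dict:
    """Run the fingerprint over every constructed sample."""
    return {name: is_supershell_panel(raw) for name, raw in SAMPLES.items()}
```

The "mention_only" sample shows why the URI check matters: a page that only names the framework is not a panel.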

Current Hunt members can enjoy access to various red team tools, C2 frameworks, and over 100 unique SuperShell C2 servers, all available with a few mouse clicks.

Figure 2: Screenshot of just a few SuperShell C2 servers tracked by Hunt

Inside The Open Directory

ps1 & ps2

Figure 3: Screenshot of open directory in Hunt

The above screenshot reveals the contents of the open directory, notably the IOX binary, the initial catalyst for our investigation. While the directory hosts an array of files and folders, each with potential significance, this post focuses on three files: 'ps1', 'ps2', and 'test'.

'ps1' consists of a UPX-packed ELF 64-bit Golang executable. The unpacked file is detected as SuperShell in VirusTotal and as GOREVERSE by the THOR APT Scanner (check the comments section).

Figure 4: VirusTotal results and comments for unpacked ELF file

The behavior tab in VirusTotal reveals that the backdoor establishes communication with the IP address 124.70.143[.]234 over port 3232. Discovering additional malicious infrastructure provides an opportunity to begin profiling the actor for patterns in hosting services and preferred offensive security tooling frameworks.

Figure 5: Screenshot of the SuperShell C2 in Hunt

Figure 5 shows several open ports on the C2 infrastructure, including 5003, which Hunt had already detected (the red bug icon next to the magnifying glass) as ARL, or Asset Reconnaissance Lighthouse, a tool designed to assist red teamers in discovering weak points in a network for exploitation.

Figure 6: Screenshot of ARL login

The SuperShell administrative login is hosted at port 8888.

Figure 7: Screenshot of SuperShell login

Interestingly, the findings for the 'ps2' file mirror those of 'ps1' exactly, including identical detections and the same C2 IP and port details, so we'll skip a separate analysis of 'ps2'.

For detailed information on the properties of all files discussed in this post, please refer to the tables at the end.

test

The 'test' file, another UPX-packed ELF 64-bit executable, differs from the previous files. Detected as a Cobalt Strike beacon, it notably communicates with an IP address distinct from the SuperShell infrastructure. The VirusTotal community score and the IP address the sample reaches out to can be found below in Figure 8.

Figure 8: VirusTotal screenshot of Cobalt Strike infrastructure

The beacon connects to 8.219.177[.]40 over port 443 and uses a self-signed certificate. Unfortunately, by the time we checked this IP out, the teamserver had already been taken down.

Details of the certificate are below:

Issuer: OU=Certificate Authority, CN=jquery.com, O=jQuery, C=US
Subject: OU=Certificate Authority, CN=jquery.com, O=jQuery, C=US
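A small check, added here as an example and not part of the original post or Hunt's tooling, that turns the certificate above into a detection: flag a certificate whose issuer equals its subject (self-signed) while the CN claims a well-known domain. The watch-list contains jquery.com from this post; the "legit" and "localhost" certificates are constructed comparison cases.

```python
from typing import Dict

# Certificate DNs seen on the Cobalt Strike server in this post.
CS_ISSUER = "OU=Certificate Authority, CN=jquery.com, O=jQuery, C=US"
CS_SUBJECT = "OU=Certificate Authority, CN=jquery.com, O=jQuery, C=US"

# Assumption: domains a self-signed certificate has no business claiming.
# jquery.com comes from the certificate above; extend as your telemetry shows.
WATCHED_CNS = {"jquery.com"}


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse 'OU=..., CN=..., O=..., C=...' into an attribute dict.
    Simplification: attribute values containing commas are not handled."""
    parts: Dict[str, str] = {}
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        if key:
            parts[key.strip().upper()] = value.strip()
    return parts


def assess_certificate(issuer: str, subject: str) -> dict:
    """Self-signed alone is common and benign; self-signed plus a CN that
    impersonates a watched domain is the combination worth alerting on."""
    iss, sub = parse_dn(issuer), parse_dn(subject)
    cn = sub.get("CN", "").lower()
    self_signed = iss == sub
    impersonates = cn in WATCHED_CNS or any(
        cn.endswith("." + d) for d in WATCHED_CNS)
    return {"cn": cn, "self_signed": self_signed,
            "suspicious": self_signed and impersonates}


# Constructed comparison cases (not real certificates).
LEGIT_ISSUER = "CN=Example Public CA, O=Example Trust, C=US"
LEGIT_SUBJECT = "CN=jquery.com, O=jQuery, C=US"
LOCAL_DN = "CN=localhost, O=Dev Box"
```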

Figure 9: Screenshot of Cobalt Strike infrastructure in Hunt

Conclusion

What started with a focused search for IOX proxy binaries in open directories soon unfolded into discovering a hidden trove of malicious files, notably SuperShell and Cobalt Strike. After analyzing the files, we identified additional threat actor infrastructure, including ARL, which implies possible reconnaissance actions on a victim system after initial access.

If you haven't already applied for a Hunt account, we invite you to do so today. Join us as we continue to pursue and unravel connections related to malicious infrastructure.

Network Indicators

IP Address                Provider                                     Indicator
123.60.58[.]50:8888       Huawei Public Cloud Service                  Open Directory
124.70.143[.]234:8888     Huawei Public Cloud Service                  SuperShell Panel
8.219.177[.]40:443        Alibaba Cloud (Singapore) Private Limited    Cobalt Strike C2

File Indicators

Filename       MD5
ps1            91757c624776224b71976ec09034e804
ps2            8e732006bd476ce820c9c4de14412f0d
test           770a2166ff4b5ece03a42c756360bd28
iox.exe        0095c9d4bc45fed4080e72bd46876efd
winlog2.exe    8f2df5c6cec499f65168fae5318dc572
vagent.jar     6dcfd2dd537b95a6b9eac5cb1570be27
