Cybersecurity researchers have uncovered a concerning cache of hacking tools, including SuperShell payloads and Cobalt Strike beacons, exposed in plain sight within open directories on the internet.
This discovery highlights how threat actors sometimes inadvertently expose their arsenal while setting up attack infrastructure, providing valuable intelligence for security teams worldwide.
SuperShell, a relatively low-profile command and control (C2) framework that emerged on GitHub just over a year ago, offers sophisticated capabilities despite its lesser-known status compared to other open-source C2 projects.
The framework pairs a Python-based server and web administrative panel with C2 communication carried over Secure Shell (SSH), and it compiles payloads for all major desktop operating systems as well as Android.
Hunt.io researchers identified the exposed server while conducting routine scans of the public IPv4 space for open directories.
Their continuous monitoring system, which has cataloged over 41 million publicly accessible files, detected the suspicious payloads while searching for instances of IOX, an open-source proxy and port forwarding tool.
Technical analysis revealed that the exposed files included UPX-packed ELF 64-bit Golang executables detected as SuperShell by multiple security vendors.
The sample calls back to a command and control server at IP address 124.70.143[.]234 on TCP port 3232, hosted on Huawei Public Cloud; given SuperShell's design, that channel is SSH rather than HTTP.
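The triage described above (enumerate an open directory, then classify each file as a UPX-packed ELF64 Go binary and pull out callback addresses) can be reproduced with a small script. The code below is an added example, not Hunt.io's scanner or the SuperShell project's code; the directory listing and the two file blobs are constructed inline, and the `124.70.143.234:3232` string in the unpacked sample simply reuses the indicator reported in the article as sample data.

```python
import re
import struct
from html.parser import HTMLParser

# Added example (not Hunt.io's tooling): triage files pulled from an open directory.


class IndexParser(HTMLParser):
    """Collect file links from an autoindex-style directory listing."""

    def __init__(self):
        super().__init__()
        self.files = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href") or ""
        # Skip sort links, absolute/parent links and sub-directories.
        if href.startswith(("?", "/", "../", "http")) or href.endswith("/"):
            return
        self.files.append(href)


def list_open_directory(html):
    parser = IndexParser()
    parser.feed(html)
    return parser.files


EM_X86_64 = 0x3E
IPV4_PORT = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}:\d{2,5}\b")


def classify(blob):
    """Return tags for a blob: ELF bitness, machine type, UPX packing, Go build markers."""
    tags = []
    if blob[:4] == b"\x7fELF" and len(blob) >= 20:
        tags.append("elf64" if blob[4] == 2 else "elf32")
        endian = "<" if blob[5] == 1 else ">"          # EI_DATA: 1 = little-endian
        (e_machine,) = struct.unpack_from(endian + "H", blob, 18)
        if e_machine == EM_X86_64:
            tags.append("x86_64")
    # The UPX stub leaves these markers even though the payload itself is compressed.
    if b"UPX!" in blob or b"packed with the UPX" in blob:
        tags.append("upx")
    # Go markers only surface once the sample is unpacked (upx -d), so classify
    # both the packed and the unpacked copy.
    if b"Go build ID:" in blob or b"runtime.main" in blob or b"go.buildid" in blob:
        tags.append("golang")
    return tags


def extract_c2_candidates(blob):
    """Pull ip:port strings out of a blob; only meaningful on an unpacked sample."""
    return sorted({m.decode() for m in IPV4_PORT.findall(blob)})


# Constructed sample listing standing in for the exposed directory.
SAMPLE_INDEX = """<html><body><h1>Index of /</h1><pre>
<a href="?C=N;O=D">Name</a>
<a href="../">Parent Directory</a>
<a href="ps1">ps1</a>
<a href="ps2">ps2</a>
<a href="test">test</a>
<a href="tools/">tools/</a>
</pre></body></html>"""


def _elf64_header():
    # e_ident: magic, ELFCLASS64, little-endian, version 1, then padding to 16 bytes;
    # followed by e_type (ET_EXEC) and e_machine (x86-64).
    return b"\x7fELF" + bytes([2, 1, 1]) + b"\x00" * 9 + struct.pack("<HH", 2, EM_X86_64)


# Constructed blobs: a packed copy (only the UPX stub is visible) and an unpacked copy.
SAMPLE_PACKED = (_elf64_header() + b"\x00" * 44 + b"UPX!"
                 + b"$Info: This file is packed with the UPX executable packer")
SAMPLE_UNPACKED = (_elf64_header() + b"\x00" * 44
                   + b'Go build ID: "abc"\x00runtime.main\x00ssh://124.70.143.234:3232\x00')

if __name__ == "__main__":
    print(list_open_directory(SAMPLE_INDEX))
    print(classify(SAMPLE_PACKED), classify(SAMPLE_UNPACKED))
    print(extract_c2_candidates(SAMPLE_UNPACKED))
```

Against a live directory you would fetch each listed name with a sandboxed HTTP client and feed the bytes to `classify()`; run `upx -d` on anything tagged `upx` before trusting `extract_c2_candidates()`, since strings inside the compressed payload are not visible in the packed file.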
The find is not limited to SuperShell: the same directory also held Cobalt Strike beacons that call back to separate infrastructure, indicating an operator running more than one attack framework.
Deeper inspection of the identified C2 server revealed a complex infrastructure with multiple services, including the SuperShell administrative panel hosted on port 8888 and Asset Reconnaissance Lighthouse (ARL) on port 5003.
The open directory contained multiple malicious files including ‘ps1’ and ‘ps2’, both identified as SuperShell components.
The Cobalt Strike beacon, found in a file named 'test', used different infrastructure from the SuperShell components: it connected to a server presenting a certificate whose common name claims "jquery.com" and whose organization is listed as "jQuery", a well-worn masquerading technique that lets beacon traffic blend in with legitimate CDN requests.
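A defender can turn the certificate observation above into a check: a certificate that names a well-known brand but is self-signed, carries no subject alternative names, or is served from a bare IP address is a masquerade indicator. The code below is an added example, not the article's or Hunt.io's, and the certificate dictionaries are constructed in the shape that `ssl.SSLSocket.getpeercert()` returns; the `WATCHED_BRANDS` set is a hypothetical watchlist seeded only from this report.

```python
import ipaddress

# Added example: score a TLS certificate for brand masquerading.
# Cert dicts follow the structure returned by ssl.SSLSocket.getpeercert().

WATCHED_BRANDS = {"jquery"}  # hypothetical watchlist; extend from your own telemetry


def _rdn_to_dict(rdns):
    """Flatten getpeercert()'s nested subject/issuer tuples into a flat dict."""
    out = {}
    for rdn in rdns:
        for key, value in rdn:
            out[key] = value
    return out


def _name_matches(pattern, host):
    """Minimal DNS name match supporting a single leading wildcard label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return pattern == host


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_certificate(cert, connected_host):
    """Return the masquerade indicators raised by a certificate seen on connected_host."""
    subject = _rdn_to_dict(cert.get("subject", ()))
    issuer = _rdn_to_dict(cert.get("issuer", ()))
    cn = subject.get("commonName", "")
    org = subject.get("organizationName", "")
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    names = sans or ([cn] if cn else [])

    findings = []
    if subject and subject == issuer:
        findings.append("self_signed")          # CA-issued certs have a distinct issuer
    if _is_ip(connected_host):
        findings.append("served_from_bare_ip")  # brand names are not served from raw IPs
    elif names and not any(_name_matches(n, connected_host) for n in names):
        findings.append("hostname_mismatch")
    if not sans:
        findings.append("no_san")               # modern CA-issued certs always carry SANs
    brand_hit = any(b in (cn + " " + org).lower() for b in WATCHED_BRANDS)
    if brand_hit and any(f in findings for f in ("self_signed", "served_from_bare_ip", "hostname_mismatch")):
        findings.append("brand_masquerade")
    return findings


# Constructed: a jQuery-themed beacon certificate fetched from a documentation-range IP.
BEACON_CERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "jQuery"),), (("commonName", "jquery.com"),)),
    "issuer": ((("countryName", "US"),), (("organizationName", "jQuery"),), (("commonName", "jquery.com"),)),
}

# Constructed: a CA-issued certificate that actually covers the host connected to.
BENIGN_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example CA R1"),)),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}

if __name__ == "__main__":
    print(assess_certificate(BEACON_CERT, "203.0.113.10"))
    print(assess_certificate(BENIGN_CERT, "www.example.com"))
```

One caveat when wiring this to live connections: with `verify_mode=ssl.CERT_NONE`, `getpeercert()` returns an empty dict for an unverified peer, so for self-signed C2 certificates you must request `getpeercert(binary_form=True)` and parse the DER (for example with the `cryptography` package) into the same dict shape before calling `assess_certificate()`.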
Hunt.io’s discovery process exemplifies how continuous scanning efforts can uncover operational security failures by threat actors, turning their mistakes into defensive advantages for the broader cybersecurity community.