Security researchers have found a new Linux tool called ShadowHS. It runs only in memory, which hides it from normal detection.
Attackers use it to stay in compromised systems for a long time. Cyble Research shared the details in January 2026.
ShadowHS Linux Framework: How ShadowHS Operates

ShadowHS uses several techniques to stay hidden. It loads in stages, decrypts its code with AES-256, and uses Perl and gzip to unpack it.
- Encrypted shell loader decrypts payload
- Executes the payload from a /proc/<pid>/fd/<fd> path instead of a file on disk
- Spoofs argv to hide its real process name
- Checks for security tools like CrowdStrike
- Scans for other malware like Kinsing
ShadowHS then waits for operator commands. It performs reconnaissance first, checking whether the system is safe to attack.
Risks and How to Defend
ShadowHS lets attackers steal data and run code. It uses GSocket to transfer files covertly.
- Exfiltrates data over user-space tunnels
- Dumps memory for credentials
- Scans for SSH brute-force
- Mines crypto with XMRig
- Escalates privileges via kernel exploits
Cyble says signature scans miss it, so defenders should use behavior monitoring: watch for unusual file descriptors, check for argv changes, and update systems now.
The tool shows that Linux threats are growing. Experts warn companies to use advanced detection.
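As an added example (not Cyble's tooling or ShadowHS code), the script below turns the two indicators above into a /proc check: an executable with no backing file (a memfd, a deleted file, or a raw /proc/<pid>/fd/<n> link in /proc/<pid>/exe) and an argv[0] that does not match the real executable name. It also covers the fd-execution and argv-spoofing behaviours listed in the first section. The function names and the sample process records are constructed assumptions.

```python
"""Added example: scan /proc for in-memory executables and spoofed argv.
Not Cyble's code; function names and sample records are constructed."""
import os
import re
from dataclasses import dataclass, field

# An executable with no backing file shows in /proc/<pid>/exe as
# "/memfd:<name> (deleted)", "<path> (deleted)", or a raw /proc/<pid>/fd/<n> link.
MEMFD_RE = re.compile(r"^/memfd:")
PROC_FD_RE = re.compile(r"^/proc/\d+/fd/\d+")
DELETED_RE = re.compile(r" \(deleted\)$")


@dataclass
class ProcInfo:
    pid: int
    exe: str                                  # readlink(/proc/<pid>/exe)
    argv: list = field(default_factory=list)  # /proc/<pid>/cmdline, NUL-split


def indicators(p: ProcInfo) -> list:
    """Return the suspicious indicators for one process (empty list = clean)."""
    flags = []
    if MEMFD_RE.match(p.exe) or PROC_FD_RE.match(p.exe):
        flags.append("exec-from-fd")
    elif DELETED_RE.search(p.exe):
        flags.append("exe-deleted")
    if p.argv:
        # Login shells prefix argv[0] with "-" (e.g. "-bash"); strip it before comparing.
        claimed = os.path.basename(p.argv[0]).lstrip("-")
        real = os.path.basename(DELETED_RE.sub("", p.exe))
        if claimed and claimed != real:
            flags.append("argv-mismatch")
    return flags


def scan(procs) -> dict:
    """Map pid -> indicators for every process that has at least one."""
    return {p.pid: indicators(p) for p in procs if indicators(p)}


def read_proc(proc_root="/proc") -> list:
    """Collect ProcInfo for every readable process (root sees all exe links)."""
    out = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        base = os.path.join(proc_root, name)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
            with open(os.path.join(base, "cmdline"), "rb") as f:
                argv = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
        except OSError:
            continue  # kernel thread, process already exited, or no permission
        out.append(ProcInfo(int(name), exe, argv))
    return out


# Constructed sample, not real telemetry: two benign processes, two suspicious ones.
SAMPLE_PROCS = [
    ProcInfo(812, "/usr/sbin/sshd", ["/usr/sbin/sshd", "-D"]),
    ProcInfo(1401, "/usr/bin/bash", ["-bash"]),
    ProcInfo(2210, "/memfd:payload (deleted)", ["[kthreadd]"]),
    ProcInfo(2377, "/usr/bin/perl (deleted)", ["/usr/sbin/cron"]),
]

if __name__ == "__main__":
    for pid, flags in scan(read_proc()).items():
        print(pid, flags)
```

Run on the constructed sample, `scan(SAMPLE_PROCS)` reports pid 2210 (memfd executable pretending to be a kernel thread) and pid 2377 (deleted Perl binary claiming to be cron) and nothing for sshd or the login shell. Expect some benign mismatches on a real host, for example init symlinked to systemd or busybox-style multi-call binaries, so treat the output as a triage list rather than an alert.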