Forescout Vedere Labs linked some of the ongoing attacks to a suspected Chinese threat actor they track as Chaya_004. The threat actor uses malicious infrastructure that includes "a network of servers hosting Supershell backdoors..."
SuperShell
SuperShell is an open-source command-and-control framework and backdoor, commonly described as a Go-based reverse shell that has been used to remotely control compromised systems and execute arbitrary commands.
Profile source: Mallory opens in a new tabSuperShell
Family profile
SuperShell is an open-source command-and-control framework and backdoor, commonly described as a Go-based reverse shell that has been used to remotely control compromised systems and execute arbitrary commands. The content states it targets Linux SSH servers in particular, while supporting cross-platform operation on Linux, Windows, and Android. It is described as establishing a reverse SSH shell over web services, and exposed infrastructure has been identified via fingerprints such as HTML title "Supershell" and favicon hash -1010228102.
Observed infection vectors include brute-force and dictionary attacks against weak SSH credentials on Linux SSH servers, followed by download-and-execute chains using wget, curl, tftp, FTP, or shell scripts. Installation has been observed in directories such as /tmp, /var/run, /mnt, and /root, sometimes with cleanup commands to remove traces. SuperShell has also been deployed after exploitation of public-facing vulnerabilities, including CVE-2023-46747 on F5 BIG-IP devices, CVE-2024-1709 in ConnectWise ScreenConnect, CVE-2025-31324 in SAP NetWeaver, and CVE-2025-8110 in Gogs. In the Gogs exploitation campaign, attackers created repositories with random 8-character names and deployed a payload using the SuperShell framework; infected systems communicated with attacker-controlled infrastructure including 119.45.176[.]196, and payload servers included 106.53.108[.]81 and 119.91.42[.]53.
The malware has been repeatedly associated in the content with China-linked activity. AhnLab reported it was created by a Chinese-speaking developer. Mandiant assessed with moderate confidence that the combination of custom tooling and SUPERSHELL was unique to the PRC-linked actor UNC5174, which exploited F5 BIG-IP and ScreenConnect vulnerabilities and targeted U.S. and UK government, defense, research and education, NGOs, Hong Kong businesses, and institutions in Asia. Forescout-linked reporting associated infrastructure hosting Supershell backdoors with suspected Chinese actor Chaya_004. Cisco Talos reporting noted infrastructure overlap where hosts using a Bulbature certificate were also associated with SuperShell, GobRAT, and Cobalt Strike, all described as commonly associated with China-nexus actors. Additional reporting cited SuperShell use in campaigns targeting Windows and Linux servers in South Korea, and its appearance in broader exploitation waves such as React2Shell-related intrusions.
SuperShell has also been observed alongside additional payloads, especially XMRig Monero miners, indicating both persistence and cryptocurrency-mining objectives in some Linux SSH server compromises. Reported indicators include sample hashes such as ssh1.sh (157bea84012ca8b8dc6c0eabf80db1f0256eafccf4047d3e4e90c50ed42e69ff), setup c3pool miner.sh (23dbfb99fc6c4fcfc279100c4b6481a7fd3f0b061b8d915604efa2ba37c8ddfa), ssh1 (cf5a7b7c71564a5eef77cc5297b9ffd6cd021eb44c0901ea3957cb2397b43e15), and MD5s 4ee4f1e7456bb2b3d13e93797b9efbd3, 5ab6e938028e6e9766aa7574928eb062, and e06a1ba2f45ba46b892bef017113af09. Additional infrastructure and related indicators mentioned in the content include 47.97.42[.]177, 45.15.143.197, and attack-source IPs 209.141.60.249, 179.61.253.67, 107.189.8.15, and 2.58.84.90.
Reported operators
Threat actors
2 named in public reporting"This mix of custom tooling and the SUPERSHELL framework leveraged in these incidents is assessed with moderate confidence to be unique to a People's Republic of China (PRC) threat actor, UNC5174."
Exploited software
Vulnerabilities linked to SuperShell
7 CVEsMITRE ATT&CK
SuperShell in ATT&CK
20 distinct techniquesTechniques
20 techniquesReporting
Research mentioning SuperShell
Block One ASN, Kill Sixteen Malware Families: Mapping OMEGATECH, a Three-Month-Old Bulletproof Hosting Network Running 67 C2 Servers on a Single Subnet - Breakglass Intelligence - Breakglass Intelligence
ThreatFox data reveals the concentration of malicious infrastructure on this single block: Family ThreatFox Sightings Type ... SuperShell — C2 framework
AI Development & Software Engineering | CloudATG
"Chinese Hackers Exploit SAP RCE Flaw CVE-2025-31324, Deploy Golang-Based SuperShell"
UAT-7290 targets high value telecommunications infrastructure in South Asia
On Virus Total, many of the IPs identified hosting this certificate are associated with other malware typically associated with China-nexus of threat actors such as SuperShell, GobRAT, Cobalt Strike, etc.
New China-linked hackers breach telcos using edge device exploits
The Bulbature TLS certificate, which is the same as the one Sekoia documented previously, is found on 141 China- and Hong Kong-based hosts, whose IPs have been associated with other malware families such as SuperShell, GobRAT, and Cobalt Strike beacons.
🎓️ Vulnerable U | #146
The attackers are using Supershell malware and leaving behind repos with random 8-character names as their calling card.
Gogs 0-Day Vulnerability Exploited in the Wild to Hack 700+ Instances
The payload delivered is Supershell, an open-source Command and Control (C2) framework written in Go. The malware was heavily obfuscated with UPX packing and the garble tool, which encrypts string literals and randomizes class names, complicating reverse engineering. Supershell establishes a reverse SSH shell via web services, granting the attacker persistent remote access.
Critical Gogs zero-day under attack, 700 servers hacked
Wiz discovered that attackers deployed malware built with Supershell, an open-source C2 framework that creates reverse SSH shells via web services. The infected systems communicated with a C2 server at 119.45.176[.]196.
Unpatched Gogs Zero-Day Exploited Across 700+ Instances Amid Active Attacks
As for the malware deployed in the activity, it's assessed to be a payload based on Supershell, an open-source command-and-control (C2) framework often used by Chinese hacking groups that can establish a reverse SSH shell to an attacker-controlled server ("119.45.176[.]196").