Global IPv4 Scan Exposes SuperShell and Cobalt Strike: A New Look at Emerging Cyber Threat Infrastructure

In a digital world constantly evolving to counteract threats, a recent sweep of the entire public IPv4 space has produced some alarming findings. Conducted by researchers at Hunt.io, the scan located open directories hosting ready-to-use attack tooling. Among the most notable discoveries were payloads tied to SuperShell, a command-and-control (C2) framework, and a Linux ELF build of the Cobalt Strike beacon.

The investigation not only highlights how careless or emboldened some threat actors have become, but also reinforces the need for ongoing vigilance, robust reconnaissance, and timely threat intelligence sharing among the cybersecurity community.

A Deep Dive into the Findings: Key Highlights from the IPv4 Scan

Researchers using the Hunt.io platform scanned the global IPv4 address space for publicly accessible open directories. Such directories often turn out to be staging servers for attacker tooling, whether exposed by mistake or left open because the operator never expected anyone to look.

Discovery of Dangerous Payloads:

  • Over 41 million files were indexed during the scan.
  • A single server hosted malicious files, including payloads associated with SuperShell, a C2 framework whose implants are Go binaries, and a Linux ELF Cobalt Strike beacon.
  • Analysts were initially tracking IOX, an open-source proxy and port-forwarding tool, when they came across a directory full of hostile binaries.

SuperShell: What It Brings to the Table:

  • Designed with a web-based control panel, SSH-based C2 communication, and cross-platform payload generation.
  • Two files named ps1 and ps2 were UPX-packed 64-bit ELF executables written in Go, identified as SuperShell implants (also detected under the name GOREVERSE).
  • Both implants connect back to 124.70.143[.]234 on TCP port 3232, the SSH-based channel over which the operator obtains an interactive session.
  • The SuperShell web admin panel was exposed on port 8888, a sign that the C2 was live and being operated rather than an abandoned artifact.
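The two SuperShell implants above are UPX-packed ELF binaries, which hides the Go runtime strings and the hard-coded C2 address until the sample is unpacked. The following triage helper is an added example, not Hunt.io's tooling or code from SuperShell: it checks the ELF class byte, looks for the UPX stub marker and common Go markers, extracts IPv4:port literals, and defangs them the way the report does. The two sample blobs are constructed stand-ins for a packed and an unpacked implant, not the real ps1/ps2 files.

```python
"""Added triage helper (not Hunt.io's tooling) for ELF implants like ps1/ps2."""
import re

ELF_MAGIC = b"\x7fELF"
UPX_MARKER = b"UPX!"                      # stock UPX leaves this in the packed stub
GO_MARKERS = (b"Go build ID:", b".gopclntab", b"runtime.main")
# IPv4:port literals, e.g. the implant's hard-coded 124.70.143.234:3232
IP_PORT_RE = re.compile(rb"(?<![\d.])((?:\d{1,3}\.){3}\d{1,3}):(\d{1,5})(?!\d)")


def elf_class(data: bytes):
    """Return 64 or 32 for an ELF file, or None if the magic is absent."""
    if len(data) < 5 or not data.startswith(ELF_MAGIC):
        return None
    return {1: 32, 2: 64}.get(data[4])          # e_ident[EI_CLASS]


def defang(ip: str) -> str:
    """Write the address the way the report does (124.70.143[.]234)."""
    a, b, c, d = ip.split(".")
    return f"{a}.{b}.{c}[.]{d}"


def triage(data: bytes) -> dict:
    """Classify a sample: ELF bitness, UPX packing, Go markers, IP:port strings."""
    bits = elf_class(data)
    result = {
        "elf": bits is not None,
        "bits": bits,
        "upx_packed": UPX_MARKER in data,
        "go_binary": any(m in data for m in GO_MARKERS),
        "c2_candidates": [],
        "note": "",
    }
    for ip, port in IP_PORT_RE.findall(data):
        ip_s, port_n = ip.decode(), int(port)
        if all(int(o) <= 255 for o in ip_s.split(".")) and 0 < port_n < 65536:
            result["c2_candidates"].append((defang(ip_s), port_n))
    if result["upx_packed"] and not result["go_binary"]:
        # Packed sections are compressed, so the Go runtime strings and the
        # C2 address only appear after `upx -d sample` (or a manual unpack).
        result["note"] = "UPX-packed: unpack before reading the configuration"
    return result


# --- constructed stand-ins (NOT the real ps1/ps2 files) ----------------------
def _fake_elf64(body: bytes) -> bytes:
    # e_ident: magic, EI_CLASS=2 (64-bit), EI_DATA=1 (little-endian), EI_VERSION=1
    return ELF_MAGIC + bytes([2, 1, 1]) + b"\x00" * 9 + body


PACKED_SAMPLE = _fake_elf64(b"\x00" * 32 + UPX_MARKER + b"\x00" * 4 + b"\x8b\x1c\x9f" * 8)
UNPACKED_SAMPLE = _fake_elf64(
    b"\x00" * 32 + b'Go build ID: "example"\x00' + b"runtime.main\x00"
    + b"124.70.143.234:3232\x00" + b".gopclntab\x00"
)

if __name__ == "__main__":
    for name, blob in (("packed", PACKED_SAMPLE), ("unpacked", UNPACKED_SAMPLE)):
        print(name, triage(blob))
```

Run it against a real sample with `triage(open("ps1", "rb").read())`; a packed result with an empty `c2_candidates` list is expected and the note tells you to unpack first. The Go markers are a heuristic (stripped or heavily obfuscated builds can hide them), so treat `go_binary` as a hint, not proof.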

Beyond SuperShell: The Cobalt Strike Connection:

  • Another executable, simply named test, sat in the same directory.
  • It was identified as a Cobalt Strike beacon communicating with 8.219.177[.]40 over HTTPS.
  • The C2 server presented a TLS certificate impersonating jquery.com, a disguise commonly seen in Cobalt Strike malleable C2 profiles that mimic jQuery traffic.
  • The Cobalt Strike server was already offline by the time of analysis, but its presence alongside SuperShell points to a multi-stage toolset.
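A certificate that claims to be jquery.com but is self-signed, or does not chain to a public CA, is exactly the kind of thing a network sensor can flag. The hunt below is an added example (not Hunt.io's or Zeek's code) that runs over Zeek-style ssl.log records in JSON form and reports sessions to the reported C2 address or with a suspect jquery.com certificate. The three records are constructed for the example; only the 8.219.177[.]40 address comes from the report, and 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.

```python
"""Added hunting example (not Hunt.io's or Zeek's code) over Zeek-style ssl.log
JSON records. The records below are constructed for the example."""
import json

# Indicator from the report: the beacon's HTTPS C2 address
C2_HOSTS = {"8.219.177.40"}
# Names a C2 certificate may borrow; a genuine cert for these chains to a public CA
IMPERSONATED_NAMES = {"jquery.com", "www.jquery.com", "code.jquery.com"}


def cn(dn: str) -> str:
    """Extract the CN from a DN string such as 'CN=jquery.com,O=jQuery'."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key == "CN":
            return value.strip().lower()
    return ""


def classify(rec: dict) -> list:
    """Return the reasons (possibly none) a TLS session deserves attention."""
    reasons = []
    subject, issuer = rec.get("subject", ""), rec.get("issuer", "")
    if rec.get("id.resp_h") in C2_HOSTS:
        reasons.append("destination is a reported Cobalt Strike C2 address")
    if cn(subject) in IMPERSONATED_NAMES:
        if subject == issuer:
            reasons.append(f"self-signed certificate claiming {cn(subject)}")
        status = rec.get("validation_status", "ok")
        if status != "ok":
            reasons.append(f"chain validation failed for {cn(subject)}: {status}")
    return reasons


def hunt(ssl_log: str) -> list:
    """Run classify() over newline-delimited JSON records and keep the hits."""
    hits = []
    for line in ssl_log.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        reasons = classify(rec)
        if reasons:
            hits.append({"ts": rec["ts"], "dst": rec["id.resp_h"], "reasons": reasons})
    return hits


# Constructed records; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_SSL_LOG = """\
{"ts": 1.0, "id.orig_h": "10.0.0.5", "id.resp_h": "8.219.177.40", "id.resp_p": 443, "server_name": "jquery.com", "subject": "CN=jquery.com,O=jQuery", "issuer": "CN=jquery.com,O=jQuery", "validation_status": "self signed certificate"}
{"ts": 2.0, "id.orig_h": "10.0.0.7", "id.resp_h": "203.0.113.10", "id.resp_p": 443, "server_name": "code.jquery.com", "subject": "CN=code.jquery.com", "issuer": "CN=R3,O=Let's Encrypt,C=US", "validation_status": "ok"}
{"ts": 3.0, "id.orig_h": "10.0.0.9", "id.resp_h": "198.51.100.8", "id.resp_p": 443, "server_name": "jquery.com", "subject": "CN=jquery.com,O=jQuery", "issuer": "CN=Example Root CA", "validation_status": "unable to get local issuer certificate"}
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_SSL_LOG):
        print(hit)
```

The `validation_status` field is only present when Zeek's certificate validation policy script is loaded, and under TLS 1.3 the server certificate is encrypted, so this logic needs TLS 1.2 sessions or a decrypting proxy to see the subject at all. The second record shows the point of the check: a legitimate code.jquery.com certificate issued by a public CA produces no alert.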

Clues in Infrastructure:

  • Other ports were open on the infrastructure, including 5003, the default web port of Asset Reconnaissance Lighthouse (ARL), an open-source asset discovery and reconnaissance platform.
  • The duplicated payloads (ps1 and ps2) hint at redundancy, such as a failover implant, within the attacker's setup, although the report does not establish how the two were used.

Implications:

  • Demonstrates how attackers blend open-source tools with sophisticated C2 infrastructures.
  • Hosting these assets on Huawei Cloud and Alibaba Cloud complicates attribution and slows takedown efforts.
  • Emphasizes the power of internet-wide reconnaissance in exposing covert cyber operations.

What Undercode Says:

The revelations from

What stands out in this investigation is not just the presence of malware in the wild, but how deliberately it was deployed. Open directories, in effect exposed file repositories, are being used as staging servers for complete C2 frameworks. This is not sloppy cybercrime; it is organised, tooled-up operation.

SuperShell, at the core of the discovery, represents a notable step in attacker tooling. Unlike older single-purpose backdoors, it offers cross-platform implants, a web-based management panel, and C2 over SSH, which blends in with legitimate administrative traffic. Its open-source roots also make it harder to attribute and easy to modify, qualities that criminals prize.

The presence of Cobalt Strike, a commercial adversary-simulation tool that is widely abused by criminals, in the same directory shows the operator is not relying on a single implant. Staging two frameworks side by side is consistent with multi-stage intrusions, in which one tool establishes a foothold (for example SuperShell) and a second, more capable framework (Cobalt Strike) is deployed for post-exploitation. The report does not show which role each played here.

Adding to the concern is the use of cloud infrastructure providers. Hosting C2 servers on Huawei Cloud and Alibaba Cloud gives speed and a degree of plausible deniability, since the traffic blends with legitimate cloud workloads, and lets attackers spin up and abandon infrastructure before abuse reports are processed.

The ARL (Asset Reconnaissance Lighthouse) panel further indicates an interest in target discovery, not only in running implants. ARL is an open-source asset reconnaissance platform (subdomain enumeration, port scanning, service fingerprinting) that operators use to map an organisation's external attack surface before choosing where to strike. This is not a smash-and-grab operation; the infrastructure is built for reconnaissance-led campaigns.

Another takeaway is the

From a defender's perspective, the lessons are concrete: block or alert on the reported indicators (124.70.143[.]234 on TCP 3232, 8.219.177[.]40 over HTTPS, and TLS certificates claiming jquery.com that do not chain to a public CA), make sure none of your own web servers expose directory listings, scan your external surface the way an attacker would, and share what you find through information-sharing platforms. What was discovered by chance while looking for IOX could easily have gone unnoticed for months.
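Checking your own estate for exposed directory listings is the most direct of those steps. The code below is an added example, not Hunt.io's scanner: it recognises the listing pages generated by Apache and nginx autoindex and by Python's http.server, pulls out the linked names, and flags extensionless files and the names seen in this report. The `check_url` helper is for hosts you are authorised to test; the HTML page is constructed to resemble the reported directory and the `WATCHLIST` names are the ones the report mentions.

```python
"""Added example (not Hunt.io's scanner) that recognises web-server directory
listings and pulls out the exposed file names. The HTML below is constructed."""
from html.parser import HTMLParser
import re
import urllib.request

# Titles emitted by Apache/nginx autoindex and by Python's http.server
LISTING_TITLE = re.compile(r"<title>\s*(?:Index of|Directory listing for)\b", re.I)
# Names from the report's directory; extensionless files are typical of ELF drops
WATCHLIST = {"iox", "ps1", "ps2", "test"}


class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for key, value in attrs:
                if key == "href" and value:
                    self.hrefs.append(value)


def is_directory_listing(body: str) -> bool:
    return LISTING_TITLE.search(body) is not None


def listing_entries(body: str) -> list:
    """File and sub-directory names linked from a listing (no parent/sort links)."""
    parser = _LinkCollector()
    parser.feed(body)
    return [h for h in parser.hrefs if h not in ("../", "./", "/") and not h.startswith("?")]


def suspicious_entries(entries) -> list:
    """Extensionless files and watch-listed names; sub-directories are skipped."""
    out = []
    for name in entries:
        if name.endswith("/"):
            continue  # worth a recursive look, but not a finding by itself
        if name in WATCHLIST or "." not in name:
            out.append(name)
    return out


def check_body(body: str) -> dict:
    """Summarise one HTTP response body."""
    if not is_directory_listing(body):
        return {"listing": False, "entries": [], "suspicious": []}
    entries = listing_entries(body)
    return {"listing": True, "entries": entries, "suspicious": suspicious_entries(entries)}


def check_url(url: str, timeout: float = 5.0) -> dict:
    """Fetch a URL you are authorised to test and summarise it (needs network access)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return check_body(resp.read().decode("utf-8", "replace"))


# Constructed nginx-style autoindex page modelled on the reported directory
LISTING_HTML = """<html><head><title>Index of /</title></head><body>
<h1>Index of /</h1><hr><pre><a href="../">../</a>
<a href="iox">iox</a>                 01-Jan-2025 10:00   2M
<a href="ps1">ps1</a>                 01-Jan-2025 10:00   4M
<a href="ps2">ps2</a>                 01-Jan-2025 10:00   4M
<a href="test">test</a>               01-Jan-2025 10:00   9M
<a href="tools/">tools/</a>           01-Jan-2025 10:00   -
<a href="readme.txt">readme.txt</a>   01-Jan-2025 10:00   1K
</pre><hr></body></html>"""
PLAIN_HTML = "<html><head><title>Welcome</title></head><body><a href='/app'>app</a></body></html>"

if __name__ == "__main__":
    print(check_body(LISTING_HTML))
    print(check_body(PLAIN_HTML))
```

Point `check_url` at each of your externally reachable web roots (and at common upload or backup paths); any result with `listing` set to True is a misconfiguration to fix with `Options -Indexes` in Apache or `autoindex off;` in nginx, whether or not anything suspicious is listed.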

This story is a perfect case study in why cybersecurity can no longer be reactive. Vigilant scanning, proactive hunting, and collective intelligence are now fundamental to defense.

Fact Checker Results:

  • SuperShell payloads were verified through VirusTotal and dynamic analysis.
  • Cobalt Strike server had already been decommissioned, suggesting prior attacker activity.
  • Cloud-hosted infrastructure from Huawei and Alibaba was confirmed from IP address ownership records.


References:

Reported By: cyberpress.org