
SuperShell C2 Panel at 8[.]216[.]26[.]169:8888

Investigated: April 3, 2026 | Published: April 3, 2026

TLP: WHITE
Date: 2026-04-03
Analyst: GHOST (Breakglass Intelligence)
Classification: Cybercrime / Open-Source C2 Framework Abuse
Status: LIVE at time of investigation

Executive Summary

A live SuperShell v2.0.0 command-and-control panel was identified at 8[.]216[.]26[.]169:8888, hosted on Alibaba Cloud Singapore (AS45102). SuperShell is a Chinese-language, open-source C2 framework written in Go that leverages RSSH (reverse SSH) for agent management, supporting Windows, Linux, macOS, and Android targets. The panel was confirmed operational with a WebSocket-based RSSH listener on port 3232. Default credentials were not accepted, indicating an operator who has done at least the minimal configuration of changing the default login. ThreatFox intelligence reveals this IP is part of a broader ecosystem of 66+ active SuperShell C2 instances globally, with heavy concentration on Chinese cloud infrastructure (Alibaba, Tencent, ChinaTelecom). The framework provides full post-exploitation capabilities including reverse shells, file management, memfd execution (fileless), and multi-platform payload generation.

Key Findings

  • LIVE SuperShell v2.0.0 C2 panel confirmed at hxxp://8[.]216[.]26[.]169:8888/supershell/login
  • RSSH WebSocket listener confirmed on port 3232 (a plain HTTP GET to /ws returns 400 Bad Request, the expected response from an endpoint that requires a WebSocket upgrade)
  • Chinese-language UI throughout (login, all JS function files, error messages)
  • Alibaba Cloud Singapore hosting (AS45102, ASEPL-SG, abuse@alibaba-inc.com)
  • 66 unique SuperShell C2 IPs identified via ThreatFox, heavily weighted toward Chinese cloud providers
  • Multi-platform targeting: Windows, Linux, macOS (darwin), Android support confirmed via client.js
  • Operator capabilities: reverse shell, file upload/download, memfd fileless execution, session management, payload generation, group-based victim organization
  • First seen on ThreatFox: 2026-03-26 (our target IP), ecosystem active since at least 2026-01-15
  • No default credentials accepted (24 combinations tested against /supershell/login/auth)
  • Only 2 ports exposed: SSH (22, OpenSSH 9.6p1 Ubuntu) and SuperShell (8888, nginx 1.18.0 reverse proxy)
  • OpenSSH version reveals Ubuntu 24.04 LTS (Noble Numbat) -- 9.6p1-3ubuntu13.15

Infrastructure Analysis

Target Host Profile

Attribute | Value
--- | ---
IP Address | 8[.]216[.]26[.]169
ASN | AS45102 (Alibaba / CNNIC)
Provider | Alibaba Cloud (Singapore) Private Limited
Abuse Contact | abuse@alibaba-inc.com
OS | Ubuntu 24.04 LTS (Noble Numbat)
SSH | OpenSSH 9.6p1 Ubuntu-3ubuntu13.15
Web Server | nginx 1.18.0 (reverse proxy to SuperShell Go backend)
C2 Panel | SuperShell v2.0.0 at :8888
RSSH Listener | Port 3232 (WebSocket)
PTR Record | None
Hostnames | None

Port Summary

Port | Service | Purpose
--- | --- | ---
22/tcp | OpenSSH 9.6p1 | Operator SSH access
3232/tcp | nginx (WebSocket) | RSSH reverse tunnel listener (agent callbacks)
8888/tcp | nginx 1.18.0 -> SuperShell Go | C2 management panel

Shodan InternetDB Vulnerabilities (Host)

  • CVE-2021-3618 (ALPACA - TLS cross-protocol attack)
  • CVE-2021-23017 (nginx DNS resolver vulnerability)
  • CVE-2023-44487 (HTTP/2 Rapid Reset)
  • CVE-2025-23419 (nginx TLS session ticket reuse)

These entries are inferred by Shodan from the advertised nginx and OpenSSH versions rather than verified against the host; treat them as context on the operator's patch level, not as confirmed exposure.

Adjacent IP Analysis

No related SuperShell infrastructure found in the /24. Adjacent IPs (.166-.171) are either unresponsive or have only SSH exposed. The operator is using a single cloud VPS, not a dedicated block.

ThreatFox Intelligence

This IP has 2 ThreatFox entries:

  1. ID 1776941: 8[.]216[.]26[.]169:8888 -- botnet_cc -- First seen 2026-03-26 -- Reporter: DonPasci
  2. ID 1779694: hxxp://8[.]216[.]26[.]169:8888/supershell/login/ -- botnet_cc -- First seen 2026-03-31 -- Reporter: antiphishorg

SuperShell Framework Analysis

What Is SuperShell?

SuperShell (github.com/tdragon6/Supershell) is an open-source, Chinese-developed C2 framework written in Go with the following architecture:

  • Frontend: Tabler CSS framework, jQuery, toastr notifications
  • Backend: Go HTTP server behind nginx reverse proxy
  • Agent Protocol: RSSH (reverse SSH over WebSocket) for persistent backdoor access
  • Capabilities: Multi-platform payload generation (Windows PE, Linux ELF, macOS Mach-O, Android)

Discovered API Surface (from JS analysis)

Authentication:

  • POST /supershell/login/auth -- Login endpoint (JSON: username, password)

Monitor Dashboard (authenticated):

  • POST /supershell/monitor/status -- RSSH connection status
  • POST /supershell/monitor/clients -- Client count (all + online)
  • POST /supershell/monitor/compiled -- Generated payload count/size
  • POST /supershell/monitor/server -- Server files count/size
  • POST /supershell/monitor/log -- Log size
  • POST /supershell/monitor/rssh -- RSSH version and connection count
  • POST /supershell/monitor/version -- SuperShell version info
  • POST /supershell/monitor/time -- Uptime

Client/Victim Management (authenticated):

  • GET /supershell/client -- Client list page
  • Client fields: OS (windows/linux/darwin/android), country attribution, online/offline status, session ID
  • Session operations: info, shell, files, memfd, advanced

Session Operations (authenticated):

  • GET /supershell/session/info?arg={sessid} -- Session details
  • GET /supershell/session/shell?arg={sessid} -- Interactive shell
  • GET /supershell/session/files?arg={sessid} -- File browser
  • GET /supershell/session/memfd?arg={sessid} -- Fileless execution (memfd_create)
  • GET /supershell/session/advanced?arg={sessid} -- Advanced operations

Settings (authenticated):

  • POST /supershell/setting/update/download/chunk -- Download chunk size
  • POST /supershell/setting/update/upload/size -- Max upload size
  • POST /supershell/setting/recovery -- Reset to defaults
  • POST /supershell/setting/clear/groupmark/useless -- Clean unused group markings

Capability Assessment

Capability | Evidence
--- | ---
Multi-platform agents | OS detection for windows/linux/darwin/android in client.js
Reverse shell | /session/shell endpoint, RSSH WebSocket on :3232
File management | /session/files endpoint, upload/download chunk configuration
Fileless execution | /session/memfd endpoint (Linux memfd_create syscall)
Payload generation | /supershell/monitor/compiled tracks generated payloads
Victim attribution | Country flag rendering via get_attribution_html()
Group management | Group marking system with cleanup function
Session persistence | Online/offline tracking, disconnect vs delete operations

Global SuperShell C2 Ecosystem

Scale

ThreatFox tracks 66 unique SuperShell C2 instances across the following infrastructure:

Top Hosting Providers (by IP count)

Provider | ASN | Count | Notes
--- | --- | --- | ---
Alibaba Cloud | AS45102, AS37963 | 10 | Singapore + mainland China allocations
CTG Server Limited | AS152194 | 5 | Hong Kong-based, 3 IPs in same /24 (143.92.60.x)
ChinaTelecom | AS136188 | 4 | Zhejiang/Ningbo IDC
ABC Cloud SDN BHD | AS139923 | 3 | Malaysia-based, 3 IPs in same /24 (102.204.223.x)
G-Core Labs (GHOST AS) | AS202422 | 3 | Luxembourg/Netherlands
Vultr/Constant Company | AS20473 | 2 | US-based VPS
Tencent Cloud | AS45090, AS132203 | 2 | China mainland
KAOPU-HK | AS138915 | 2 | Hong Kong
Amazon AWS | AS16509 | 2 | Japan (ap-northeast-1)
ColoCrossing | AS36352 | 2 | US-based budget hosting

Geographic Distribution

The SuperShell ecosystem is overwhelmingly China-nexus:

  • China-based providers: ~60% of all instances (Alibaba, Tencent, ChinaTelecom, ChinaNet)
  • China-adjacent providers: ~20% (HK, SG, MY cloud providers popular with Chinese operators)
  • Western providers: ~20% (AWS, Vultr, Contabo, G-Core, Hostinger)

Clustering Indicators

Three notable clusters suggest coordinated or shared infrastructure:

  1. 143.92.60.13, 143.92.60.24, 143.92.60.26 (CTG Server) -- 3 IPs in same /24, first seen Feb 21-22
  2. 102.204.223.152, 102.204.223.155, 102.204.223.168 (ABC Cloud) -- 3 IPs in same /24, first seen Feb 1-3
  3. 89.223.95.83, 89.223.95.97, 89.223.95.104 (G-Core GHOST) -- 3 IPs in same /24, first seen Jan 19-31

Threat Actor Profile

Attribution Assessment

  • Confidence: MEDIUM
  • Origin: China (Chinese-language C2 framework, Chinese cloud infrastructure preference)
  • Motivation: Unknown -- SuperShell is a general-purpose C2 used by multiple operators
  • Sophistication: LOW-MEDIUM (using open-source framework as-is, default port 8888, no domain, no TLS on C2 panel, no CDN/proxy obfuscation)
  • OPSEC Failures:
    • No domain name (direct IP access)
    • No TLS encryption on C2 panel (HTTP only on :8888)
    • Default SuperShell port (8888)
    • Login page leaks version (v2.0.0)
    • Static JS files expose full API surface and capability set
    • Alibaba Cloud hosting with traceable abuse contact

MITRE ATT&CK Mapping

Tactic | Technique | ID | Application
--- | --- | --- | ---
Command and Control | Application Layer Protocol: Web Protocols | T1071.001 | HTTP-based C2 panel
Command and Control | Proxy: Multi-hop Proxy | T1090.003 | RSSH reverse tunnel over WebSocket
Execution | Command and Scripting Interpreter | T1059 | Interactive reverse shell
Defense Evasion | Reflective Code Loading | T1620 | memfd_create fileless execution
Exfiltration | Exfiltration Over C2 Channel | T1041 | File download via RSSH tunnel
Resource Development | Acquire Infrastructure: Virtual Private Server | T1583.003 | Alibaba Cloud VPS
Resource Development | Develop Capabilities: Malware | T1587.001 | SuperShell payload generation

IOC Summary

Network Indicators (Primary Target)

Type | Value | Context
--- | --- | ---
IP:Port | 8[.]216[.]26[.]169:8888 | SuperShell C2 panel
IP:Port | 8[.]216[.]26[.]169:3232 | RSSH WebSocket listener
URL | hxxp://8[.]216[.]26[.]169:8888/supershell/login | C2 login page
URL | hxxp://8[.]216[.]26[.]169:8888/supershell/login/auth | Authentication API

Related SuperShell C2 Infrastructure (ThreatFox)

IP:Port | ASN | Provider | First Seen
--- | --- | --- | ---
167[.]179[.]66[.]31:8888 | AS20473 | Vultr | 2026-03-29
45[.]205[.]2[.]53:8888 | AS40065 | CNSERVERS | 2026-03-29
8[.]217[.]174[.]149:8888 | AS45102 | Alibaba | 2026-03-27
168[.]93[.]224[.]183:8888 | AS4766 | Korea Telecom | 2026-03-26
222[.]190[.]151[.]53:8888 | AS4134 | ChinaNet | 2026-03-26
185[.]196[.]9[.]3:8888 | AS42624 | Swiss Network | 2026-03-24
107[.]148[.]2[.]52:3350 | AS398993 | PEG-TY | 2026-03-21
148[.]135[.]76[.]20:8888 | AS35916 | MULTA | 2026-03-21
43[.]112[.]66[.]41:8888 | AS45102 | Alibaba | 2026-03-19
38[.]54[.]40[.]38:8888 | AS138915 | KAOPU-HK | 2026-03-16

Behavioral Indicators

Type | Value | Context
--- | --- | ---
HTTP Title | Supershell - 登录 | Chinese login page title
URL Path | /supershell/login | Default SuperShell login path
URL Path | /supershell/login/auth | Authentication API endpoint
URL Path | /supershell/monitor | Dashboard (post-auth)
URL Path | /supershell/client | Victim list (post-auth)
URL Path | /supershell/session/{type}?arg={id} | Session management
Default Port | 8888 | Most common SuperShell port
JS Files | /static/js/func/*.js | Framework function files
Logo | /static/img/logo.svg | SuperShell branding
WebSocket | Port 3232 /ws | RSSH reverse tunnel
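As an added example (not code from the report or the SuperShell project), the function below scores an already-captured HTTP response, for instance one exported from a scanner or extracted from a sandbox pcap, against the title and static-asset indicators in the table above. The HTML bodies are constructed stand-ins for a panel page and a benign page, and the threshold of 2 points is an assumption, not a value from the report.

```python
"""Score a captured HTTP response against the SuperShell behavioral indicators.

Added example for this report; not part of the SuperShell project or the original write-up.
The sample HTML bodies are constructed to resemble a login page and a benign page.
"""
from html.parser import HTMLParser

# Indicator values copied from the Behavioral Indicators table.
TITLE_INDICATOR = "Supershell - 登录"
ASSET_INDICATORS = ("/static/js/func/", "/static/img/logo.svg")
LOGIN_PATH = "/supershell/login"


class _TitleAndAssets(HTMLParser):
    """Collect the <title> text and every src/href value from an HTML body."""

    def __init__(self):
        super().__init__()
        self._in_title = False
        self.title = ""
        self.assets = []

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        for name, value in attrs:
            if name in ("src", "href") and value:
                self.assets.append(value)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def fingerprint(status, request_path, body):
    """Return (score, matched_indicators) for one captured response.

    Each matched indicator adds one point; the page title is the strongest single
    signal and counts twice. A score of 2 or more is treated as a likely panel
    (assumed threshold).
    """
    parser = _TitleAndAssets()
    parser.feed(body)
    matched = []
    if parser.title.strip() == TITLE_INDICATOR:
        matched.append("title")
    for indicator in ASSET_INDICATORS:
        if any(indicator in asset for asset in parser.assets):
            matched.append(indicator)
    if status == 200 and request_path.startswith(LOGIN_PATH):
        matched.append("login path served")
    score = len(matched) + (1 if "title" in matched else 0)
    return score, matched


def is_likely_supershell(status, request_path, body):
    return fingerprint(status, request_path, body)[0] >= 2


# Constructed sample bodies (not captured from the live panel).
SAMPLE_PANEL = (
    '<!DOCTYPE html><html><head><meta charset="utf-8">'
    "<title>Supershell - 登录</title>"
    '<link rel="stylesheet" href="/static/css/tabler.min.css">'
    '<script src="/static/js/func/login.js"></script></head>'
    '<body><img src="/static/img/logo.svg" alt="logo"></body></html>'
)
SAMPLE_BENIGN = "<html><head><title>Welcome</title></head><body>hello</body></html>"

if __name__ == "__main__":
    for path, body in (("/supershell/login", SAMPLE_PANEL), ("/", SAMPLE_BENIGN)):
        print(path, fingerprint(200, path, body))
```

Because it works on saved responses rather than issuing requests, the same function can be run over a bulk scanner export to triage which hosts deserve a ThreatFox submission; the title match alone is specific enough that a single-indicator hit on the title should still be reviewed.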

YARA Rules

See yara_rules/supershell_c2.yar

Suricata Rules

See suricata_rules.rules

Immediate (24-48 hours)

  • Block 8[.]216[.]26[.]169 at perimeter firewall (all ports)
  • Search proxy/firewall logs for connections to :8888 and :3232 on this IP
  • Hunt for the 66 SuperShell IPs listed in ThreatFox across network telemetry
  • Alert on HTTP traffic containing "/supershell/" in URI path
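To put the log-search and URI-alerting bullets above into practice, here is an added example (not part of the report) that hunts a batch of proxy/firewall log lines for the primary IP:port IoCs and the /supershell/ URI indicator, grading hits so that a bare connection to port 8888 is not confused with a confirmed C2 contact. The key=value log format and the sample lines are constructed; LOG_RE is the only thing that needs to change for a real product's format.

```python
"""Hunt proxy/firewall telemetry for the SuperShell indicators in this report.

Added example; it is not part of the original report or the SuperShell project.
The key=value log format and the sample lines below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Primary network IoCs from the IOC Summary, refanged so they match real log values.
KNOWN_C2_ENDPOINTS = {
    ("8.216.26.169", 8888): "SuperShell C2 panel",
    ("8.216.26.169", 3232): "RSSH WebSocket listener",
}
# Default listener ports (8888 panel, 3232 RSSH). Common enough to be only a weak signal alone.
DEFAULT_PORTS = {8888, 3232}
# Every panel route observed in the report sits under /supershell/.
SUPERSHELL_URI = re.compile(r"^/supershell/")

# Constructed log shape: ts src=... dst=... dport=... [method=... uri=...]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
    r"(?: method=(?P<method>\S+) uri=(?P<uri>\S+))?"
)


@dataclass
class Hit:
    line_no: int
    src: str
    dst: str
    dport: int
    severity: str
    reasons: list


def refang(indicator: str) -> str:
    """Convert the report's defanged notation back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp://", "http://")


def hunt(lines):
    """Return one Hit per log line that matches a SuperShell indicator."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        src, dst, dport, uri = m["src"], m["dst"], int(m["dport"]), m["uri"]
        reasons = []
        if (dst, dport) in KNOWN_C2_ENDPOINTS:
            reasons.append("known C2 endpoint: " + KNOWN_C2_ENDPOINTS[(dst, dport)])
        if uri and SUPERSHELL_URI.match(uri):
            reasons.append("SuperShell URI path " + uri)
        severity = "HIGH"
        if not reasons and dport in DEFAULT_PORTS:
            # Port alone: worth a look, but 8888 is a common dev/proxy port.
            reasons.append(f"traffic to default SuperShell port {dport}")
            severity = "LOW"
        if reasons:
            hits.append(Hit(line_no, src, dst, dport, severity, reasons))
    return hits


# Constructed sample telemetry; destinations other than the report's IoC are documentation ranges.
SAMPLE_LOG = [
    "2026-04-02T10:15:03Z src=10.0.0.5 dst=8.216.26.169 dport=8888 method=GET uri=/supershell/login",
    "2026-04-02T10:15:09Z src=10.0.0.7 dst=198.51.100.10 dport=443 method=GET uri=/",
    "2026-04-02T10:16:41Z src=10.0.0.9 dst=8.216.26.169 dport=3232",
    "2026-04-02T10:17:02Z src=10.0.0.11 dst=203.0.113.50 dport=8888 method=POST uri=/supershell/login/auth",
    "2026-04-02T10:18:30Z src=10.0.0.12 dst=198.51.100.2 dport=8888 method=GET uri=/api/health",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f"[{hit.severity}] line {hit.line_no}: {hit.src} -> {hit.dst}:{hit.dport} "
              f"({'; '.join(hit.reasons)})")
```

The fourth sample line is the interesting case for the "hunt for the 66 IPs" bullet: the destination is not in the IoC list, but the /supershell/login/auth path marks it as a previously unlisted instance, which is exactly the kind of host worth cross-checking against ThreatFox and submitting if absent.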

Short-term (1-2 weeks)

  • Deploy Suricata rules for SuperShell detection
  • Monitor for RSSH WebSocket connections on non-standard ports
  • Submit samples to sandboxes if SuperShell payloads are found on endpoints

Medium-term (1-3 months)

  • Develop hunting queries for memfd_create abuse (fileless execution on Linux)
  • Monitor ThreatFox SuperShell tag for new infrastructure
  • Consider proactive scanning for SuperShell login pages on Alibaba/Tencent IP ranges
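For the memfd_create hunting bullet, here is an added example (not from the report or the SuperShell project) that covers the two places the technique leaves traces on a Linux host: auditd SYSCALL records for memfd_create itself, and processes whose /proc/<pid>/exe link points at an anonymous "/memfd:" image. The audit lines are constructed; the syscall numbers (319 on x86_64, 279 on aarch64) are the kernel's.

```python
"""Hunt for memfd_create-backed (fileless) execution on Linux hosts.

Added example; not part of the original report or the SuperShell project.
The audit lines are constructed; the syscall numbers are the kernel's
(319 on x86_64, 279 on aarch64).
"""
import os
import re

# auditd arch field -> memfd_create syscall number for that ABI.
MEMFD_CREATE_NR = {"c000003e": 319, "c00000b7": 279}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_record(line):
    """Split one auditd record into a dict of its key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def hunt_audit(lines):
    """Return (pid, reason) for records showing memfd_create or a memfd-backed exe."""
    findings = []
    for line in lines:
        rec = parse_audit_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        pid = int(rec.get("pid", 0))
        sc = rec.get("syscall", "")
        expected = MEMFD_CREATE_NR.get(rec.get("arch", ""))
        # Raw logs carry the number; `ausearch -i` output carries the name.
        if sc == "memfd_create" or (expected is not None and sc == str(expected)):
            findings.append((pid, f"memfd_create called by {rec.get('comm', '?')} ({rec.get('exe', '?')})"))
        exe = rec.get("exe", "")
        # A process executed from a memfd reports its image as /memfd:<name> (deleted).
        if exe.startswith("/memfd:"):
            findings.append((pid, f"process image backed by anonymous memory: {exe}"))
    return findings


def flag_memfd_processes(processes):
    """processes: iterable of (pid, exe_link_target). Returns pids whose exe is a memfd."""
    return [pid for pid, target in processes if target.startswith("/memfd:")]


def scan_proc(proc_root="/proc"):
    """Read /proc/<pid>/exe for every live process; unreadable entries are skipped."""
    found = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            found.append((int(entry), os.readlink(os.path.join(proc_root, entry, "exe"))))
        except OSError:
            continue
    return flag_memfd_processes(found)


# Constructed audit records: a memfd_create call, an execve from a memfd, and a benign execve.
SAMPLE_AUDIT = [
    'type=SYSCALL msg=audit(1743600000.123:4521): arch=c000003e syscall=319 success=yes exit=3 '
    'pid=4321 uid=1000 comm="agent" exe="/tmp/agent"',
    'type=SYSCALL msg=audit(1743600001.456:4522): arch=c000003e syscall=59 success=yes exit=0 '
    'pid=4330 uid=1000 comm="payload" exe="/memfd:payload (deleted)"',
    'type=SYSCALL msg=audit(1743600002.789:4523): arch=c000003e syscall=59 success=yes exit=0 '
    'pid=4340 uid=0 comm="ls" exe="/usr/bin/ls"',
    'type=PROCTITLE msg=audit(1743600002.789:4523): proctitle="ls"',
]

if __name__ == "__main__":
    for pid, reason in hunt_audit(SAMPLE_AUDIT):
        print(f"pid {pid}: {reason}")
    print("live memfd-backed pids:", scan_proc())
```

The audit half only sees anything if the syscall is being logged; an auditctl rule such as `-a always,exit -F arch=b64 -S memfd_create -k memfd` is the usual way to turn that on. The /proc half needs no prior configuration and will catch an agent that was already running before logging was enabled, which is why both are worth keeping in the same hunt.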

Abuse Reports

Alibaba Cloud

  • To: abuse@alibaba-inc.com
  • Subject: Active C2 Server on Alibaba Cloud -- 8.216.26.169
  • Evidence: SuperShell C2 panel at :8888, RSSH listener at :3232, ThreatFox entries
