{
	"id": "a238fd23-7a04-4959-8bf9-c287798988c3",
	"created_at": "2026-04-06T00:10:03.378666Z",
	"updated_at": "2026-04-10T13:11:33.19406Z",
	"deleted_at": null,
	"sha1_hash": "11510643570c429a3619ad574b64ddf0759b03ca",
	"title": "BlueShell: Four Years On, Still A Formidable Threat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 13104706,
	"plain_text": "BlueShell: Four Years On, Still A Formidable Threat\r\nPublished: 2024-04-09 · Archived: 2026-04-05 17:38:10 UTC\r\nTABLE OF CONTENTS\r\nIntroductionWhat Makes BlueShell Special?BlueShell Servers We're Currently TrackingBrief Analysis: Customized\r\nBlueShellConclusion\r\nIntroduction\r\nPlatforms like GitHub offer a valuable resource for developers and the open-source community. However, these sites also\r\ncreate a potential avenue for threat actors to distribute malicious tools.\r\nThis week, we're turning our attention to BlueShell, an open-source backdoor hosted on GitHub for about four years but still\r\nseeing plenty of use by attackers in 2024. In this post, we'll highlight some recent BlueShell servers and look at an\r\ninteresting ELF binary pulled from a sandbox.\r\nWhat Makes BlueShell Special?\r\nHonestly, not a lot. Written in Golang, the tool allows users to compile client binaries that run on Windows, Linux, and Mac\r\noperating systems. The server communicates with victim systems over TCP sockets and encrypts messages using TLS. The\r\ndefault version of BlueShell includes four features:\r\nShell → Run commands on the victim system\r\nUpload → Upload files\r\nDownload → Download files\r\nSocks → Use a Socks5 proxy (hardcoded credentials: blue/Blue@2020)\r\nhttps://hunt.io/blog/blueshell-four-years-on-still-a-formidable-threat\r\nPage 1 of 10\n\nFigure 1: BlueShell GitHub repository\r\nBlueShell also comes with a TLS certificate. Contrary to common assumptions, attackers frequently utilize these well-known certificates. This approach helps them blend in and potentially deceive defenders.\r\nhttps://hunt.io/blog/blueshell-four-years-on-still-a-formidable-threat\r\nPage 2 of 10\n\nFigure 2: BlueShell default install TLS certificate\r\nFurthermore, switching to a different certificate is an effective strategy for misleading defenders and researchers. 
Such a\r\nchange can significantly alter the attack's digital footprint, adding a layer of complexity to research and threat intelligence\r\nefforts.\r\nThe server IP address, listening port, and delay interval are hard-coded, constituting the core configuration data for the\r\nattacker-controlled infrastructure. While BlueShell may resemble many open-source frameworks in functionality, albeit with\r\na more streamlined feature set, its unique aspects should not be underestimated. Notably, AhnLab stands as the sole security\r\nvendor to have published reports on incidents involving this backdoor to date.\r\nAccording to insights from AhnLab, the BlueShell backdoor has predominantly targeted organizations within South Korea\r\nand Thailand, spanning various industry verticals. This pattern of targeting aligns with the operational profile of Dalbit, a\r\nthreat group believed to originate from China and the only threat actor publicly associated with the deployment of BlueShell\r\nin an attack campaign.\r\nBlueShell Servers We're Currently Tracking\r\nTracking adversary infrastructure presents formidable challenges. For this post, our focus narrows to Command and Control\r\n(C2) servers utilizing BlueShell's default TLS certificate. Our methodology extends beyond a single IOC; we also consider\r\nunconventional port usage, specifically targeting non-HTTP services, as BlueShell typically operates over TCP sockets.\r\nIn identifying malicious servers, it's crucial to integrate findings with third-party intelligence sources, such as VirusTotal,\r\nand consider factors like the C2 infrastructure's geographic location and service provider.\r\nThe following presents a selection of the servers monitored at Hunt:\r\nIP ASN Location C2 Port\r\n8.218.243[.]239 Alibaba (US) Technology Co. 
Ltd HK 8443\r\n103.140.186[.]8 ESTNOC-Global SG 58091\r\n141.98.212[.]34 ESTNOC-Global HK 58091\r\n204.194.65[.]48 Cloudie HK 8443\r\n39.98.81[.]60 Hangzhou Alibaba Advertising Co., Ltd. CN 8091\r\n39.98.91[.]83 Hangzhou Alibaba Advertising Co., Ltd. CN 8088 8091\r\nTable 1: IPs tracked by Hunt\r\nIt should be noted that attackers can easily modify server ports and certificates. By publication, some or all of the IP\r\naddresses listed could no longer host the indicators we used to locate them.\r\nAn SSL history feature like the one on the Hunt platform (shameless plug) might reveal patterns in how malware campaigns\r\nevolve or how attackers attempt to renew their resources to evade detection.\r\nAs we conclude, I'll briefly cover a customized BlueShell ELF sample, hopefully providing further insight into this threat.\r\nBrief Analysis: Customized BlueShell\r\nOur examination subject is a stripped 64-bit ELF executable with a file size of 7.7 MB. The file communicates with one\r\npreviously mentioned C2, 8.218.243[.]239.\r\nFigure 3: BlueShell sample in VT\r\nFigure 4: C2 server in Hunt\r\nFilename UNK/5dc72a9b98b3293f10e294c4fc7a6881776c38e8bf2d8ed6073dea5c773927fd.00_00753000.elf\r\nFile size 7.7 MB\r\nGo Version 1.18.9\r\nGo Build ID B5yLEwnnoNjgqDUlEAGr/be1BqzAQ7idhTJKOBogT/fNaVXhqoIBUKR5w6cBcN/FCIOcnNY1ZV0uPxOTuAN\r\nMD5 7d960f77fda453c8f0c7f6c7448a35b4\r\nSHA1 ee0257a6645aca2232ad270f2c08ac6b1b9cfc68\r\nSHA256 5dc72a9b98b3293f10e294c4fc7a6881776c38e8bf2d8ed6073dea5c773927fd\r\nC2 8.218.243[.]239:8443\r\nTable 2: File details\r\nAn intriguing aspect of this sample is the inclusion of an embedded image. This image shows a woman presenting at a\r\nseminar at Atomy, specifically the China branch. 
Atomy is a South Korean company specializing in direct selling and\r\nnetwork marketing.\r\nThe relevance of this image to the file remains a mystery, as there is no current evidence suggesting Atomy is being directly\r\ntargeted with BlueShell. Including a seemingly unrelated image in the malware raises more questions than answers about the\r\nactor's intentions.\r\nFigure 5: Image found within the executable\r\nThis sample shares many of the same features (besides the image) as the repository code, with a few exceptions. As\r\ndiscussed earlier, BlueShell uses just three parameters (IP, Port, Wait Time) for its configuration. In this case, the actor added\r\na client key (B1ueShe11-client) and a client token (B1uekT0k3n-client), likely used for session management of the\r\napplication.\r\nFigure 6: Snippet of BlueShell Configuration Values in Ghidra\r\nFigure 7: BlueShell GitHub source code configuration data\r\nThe actor significantly enhanced BlueShell's capabilities by integrating file server and reverse shell functionality with the\r\ntool's standard features. These augmentations to the backdoor code signify a deliberate move to increase its versatility and\r\neffectiveness in targeted operations.\r\nFigure 8: Decompiled code in Ghidra displaying customized features\r\nFigure 9: Snippet of standard BlueShell source code\r\nFinally, the file uses a hardcoded password check before starting a service and executing commands specific to system\r\nutilities. If the check fails, the server starts normally without additional operations. 
The code checks for a string length of 8\r\nand uses the hexadecimal representation of the reverse of the word 'password.'\r\nFigure 10: Snippet of decompiled code consisting of a password check\r\nConclusion\r\nIn conclusion, we briefly examined the BlueShell backdoor, a tool that has been around for more than four years and will\r\nlikely be used in the foreseeable future. From the surprising inclusion of an image from an Atomy China seminar to the\r\nadded functionalities of a file server and reverse shell, we identified how attackers are extending open-source projects to\r\nmeet their needs.\r\nApply for an account today to discover more intriguing hosted malware examples, access our near-real-time feed of\r\ncommand-and-control infrastructure data, and use our scanners to look for suspicious IP addresses.\r\nSource: https://hunt.io/blog/blueshell-four-years-on-still-a-formidable-threat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://hunt.io/blog/blueshell-four-years-on-still-a-formidable-threat"
	],
	"report_names": [
		"blueshell-four-years-on-still-a-formidable-threat"
	],
	"threat_actors": [
		{
			"id": "bcf899bb-34bb-43e1-929d-02bc91974f2a",
			"created_at": "2023-02-18T02:04:24.050644Z",
			"updated_at": "2026-04-10T02:00:04.639142Z",
			"deleted_at": null,
			"main_name": "Dalbit",
			"aliases": [],
			"source_name": "ETDA:Dalbit",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agentemis",
				"AntSword",
				"BadPotato",
				"BlueShell",
				"CHINACHOPPER",
				"China Chopper",
				"Cobalt Strike",
				"CobaltStrike",
				"EFSPotato",
				"FRP",
				"Fast Reverse Proxy",
				"Godzilla",
				"Godzilla Loader",
				"HTran",
				"HUC Packet Transmit Tool",
				"JuicyPotato",
				"LadonGo",
				"Metasploit",
				"Mimikatz",
				"NPS",
				"ProcDump",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"RottenPotato",
				"SinoChopper",
				"SweetPotato",
				"cobeacon",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7cf4ec85-806f-4fd7-855a-6669ed381bf5",
			"created_at": "2023-11-08T02:00:07.176033Z",
			"updated_at": "2026-04-10T02:00:03.435082Z",
			"deleted_at": null,
			"main_name": "Dalbit",
			"aliases": [],
			"source_name": "MISPGALAXY:Dalbit",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434203,
	"ts_updated_at": 1775826693,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/11510643570c429a3619ad574b64ddf0759b03ca.pdf",
		"text": "https://archive.orkl.eu/11510643570c429a3619ad574b64ddf0759b03ca.txt",
		"img": "https://archive.orkl.eu/11510643570c429a3619ad574b64ddf0759b03ca.jpg"
	}
}