The Supershell and its widespread Botnet

Botconf 2024
Thursday
2024-04-25 | 11:35 – 12:05

Chetan Raghuprasad 🗣

This presentation details the Supershell C2 framework. Threat actors are using this framework at scale and creating botnets with Supershell implants.

Supershell is a relatively new C2 framework with a web-based command and control (C2) server written in Python and an administration panel in Chinese. Throughout the presentation, I will detail the Supershell C2 framework and what a threat actor can achieve using the Supershell C2 and its implants. We will see one of the many techniques threat actors use to deliver Supershell implants to the victim's machine and register them with the Supershell C2, establishing the botnet. We will also see how widespread the Supershell infection is and which countries and business verticals are infected by Supershell. We will also share the details of our research approach to finding active Supershell C2 servers by pivoting on some of the indicators from the various attacks we analyzed.

Finally, I will discuss the possible indications that Chinese-speaking threat actors are conducting the Supershell infections, along with the other tools, including reconnaissance, asset management, and Cobalt Strike beacons.

