APT / THREAT GROUP

Horse Shell

Aliases: 2
Last seen: Mar 17, 2026

Intelligence Profile

Check Point Research describes Horse Shell as a custom MIPS32 ELF implant that is part of a custom firmware image affiliated with the Chinese state-sponsored actor “Camaro Dragon”. HorseShell, the main implant inserted into the modified firmware by the attackers, provides the attacker with three main functionalities:

* Remote shell: Execution of arbitrary shell commands on the infected router.

* File transfer: Upload and download files to and from the infected router.

* SOCKS tunneling: Relay communication between different clients.

Threat Analysis

Horse Shell is a known-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of unknown activity patterns.

Quick Facts

Type: APT / Threat Group
Aliases: 2

Also Known As

* elf.horseshell
* Horse Shell

External Intelligence

Malpedia: elf.horseshell

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.