Saturday, February 14, 2026

Alert: SHOE RACK Malware Targeting Fortinet Firewalls via DOH & SSH Protocols, Says NCSC

Security researchers and national cyber defence authorities are raising the alarm over a sophisticated post-exploitation tool named “SHOE RACK,” which is actively targeting Fortinet 100D series firewalls.

The National Cyber Security Centre (NCSC) has released a detailed advisory dated June 18, 2025, noting the malware’s advanced capabilities for remote shell access and TCP tunneling, raising significant concerns for network defenders.

Technical Details: SHOE RACK’s Modus Operandi

Developed in Go 1.18 and often distributed as a UPX-packed executable, SHOE RACK distinguishes itself through its unusual use of the Secure Shell (SSH) protocol for covert command and control (C2) communications.

The malware establishes a connection to a custom SSH server at a hardcoded C2 domain currently identified as phcia.duckdns[.]org.

Once executed on a victim device, SHOE RACK employs DNS-over-HTTPS (DoH) to obscure its C2 server’s actual location.

It selects from a list of legitimate DoH providers such as Google, Cloudflare, NextDNS, Quad9, and OpenDNS to resolve its C2 server’s IP address.

This use of encrypted and reputable DNS services makes detection by traditional network monitoring tools much more challenging.

Malicious actors leveraging SHOE RACK can then establish an encrypted channel with the victim’s system. Notably, the malware advertises itself using a falsified SSH version (“SSH-1.1.3”), likely to bypass basic filtering that might block newer or more common SSH versions.

SHOE RACK enables two main channel types:

  • Session: Enables interactive shell access, SFTP file transfers, and execution of one-time commands.
  • Jump: A non-standard channel that sets up a “reverse-SSH” tunnel, effectively allowing the remote attacker to act as the SSH server. This feature supports direct TCP tunnelling, enabling attackers to route traffic through the compromised device into internal networks.

Indicators of Compromise and Detection

The NCSC has provided several technical indicators to help organizations identify SHOE RACK infections, including:

  • Domain: phcia.duckdns.org:443
  • Filename: ldnet (UPX-packed or unpacked)
  • YARA Rules: Specific patterns and library function calls, such as “golang.org/x/crypto/ssh.NewClientConn” and “github.com/AdguardTeam/dnsproxy/upstream.AddressToUpstream,” as well as unique byte sequences for mathematical operations.

The malware is believed to be based on publicly available open-source tooling, specifically the “NHAS” reverse SSH implementation in Go, but has been customized for stealth and persistence.

Its use of DNS-over-HTTPS and clever misuse of the SSH protocol present unique challenges for detection and attribution.

Conclusion and Recommendations

While SHOE RACK’s binary is obfuscated using UPX, its network communications are distinct, primarily due to the unusual SSH version fingerprinting.

Organizations running Fortinet firewalls are advised to review access logs and network traffic for unusual SSH connections, especially those identifying as “SSH-1.1.3.”

Security teams should monitor for DoH queries to known C2 domains and apply the NCSC-provided YARA rules for endpoint detection.
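To make the banner-based recommendation concrete, here is an added Python example (not code from the advisory or the malware) that classifies SSH client identification strings and flags connections to the C2 host named above. It assumes connection records already extracted from a sensor (the record layout and all sample values below are constructed); RFC 4253 defines the legitimate `SSH-2.0-` / `SSH-1.99-` / `SSH-1.5-` prefixes used as the baseline.

```python
# Legitimate SSH identification strings (RFC 4253 section 4.2) begin with one of these.
LEGIT_SSH_PREFIXES = ("SSH-2.0-", "SSH-1.99-", "SSH-1.5-")
# Falsified banner the NCSC advisory attributes to SHOE RACK.
SHOE_RACK_BANNER = "SSH-1.1.3"
# C2 host and port listed in the advisory's indicators.
C2_INDICATORS = {("phcia.duckdns.org", 443)}


def classify_ssh_banner(banner: str) -> str:
    """Return 'shoe_rack', 'nonstandard' or 'ok' for a client identification string."""
    first_line = banner.split("\r\n", 1)[0].strip()
    if first_line.startswith(SHOE_RACK_BANNER):
        return "shoe_rack"
    if first_line.startswith(LEGIT_SSH_PREFIXES):
        return "ok"
    return "nonstandard"


def scan_connections(records):
    """records: iterable of dicts with src, dst, dport, banner (hypothetical sensor output).
    Returns a list of (src, dst, dport, reasons) for connections worth triage."""
    findings = []
    for r in records:
        reasons = []
        verdict = classify_ssh_banner(r["banner"])
        if verdict != "ok":
            reasons.append(f"ssh-banner:{verdict}")
        if (r["dst"].lower().rstrip("."), r["dport"]) in C2_INDICATORS:
            reasons.append("known-c2-host")
        if reasons:
            findings.append((r["src"], r["dst"], r["dport"], ",".join(reasons)))
    return findings


# Constructed sample records: one benign OpenSSH session, one SHOE RACK-style
# session to the advisory's C2 host on 443, one unknown banner, one legacy-but-valid banner.
SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "dst": "git.example.net", "dport": 22, "banner": "SSH-2.0-OpenSSH_9.6\r\n"},
    {"src": "10.0.0.9", "dst": "phcia.duckdns.org", "dport": 443, "banner": "SSH-1.1.3\r\n"},
    {"src": "10.0.0.7", "dst": "203.0.113.10", "dport": 2222, "banner": "SSH-3.0-custom\r\n"},
    {"src": "10.0.0.8", "dst": "legacy.example.net", "dport": 22, "banner": "SSH-1.99-Cisco-1.25\r\n"},
]

if __name__ == "__main__":
    for finding in scan_connections(SAMPLE_RECORDS):
        print(finding)
```

Because the malware resolves its C2 over DoH, the domain will usually not appear in passive DNS or resolver logs, so the banner check is the more dependable network signal; the domain match is a bonus when a proxy or TLS SNI log exposes the host name.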

This alert underscores the evolving sophistication of cyber threats and the importance of layered defences, ongoing monitoring, and information sharing with national cybersecurity agencies.

All organizations are encouraged to remain vigilant and ensure that their perimeter devices are regularly patched and monitored for signs of compromise.

NCSC’s full report and indicators are available for government and critical infrastructure sectors to bolster their threat intelligence and incident response capabilities.
