SHOE RACK is a sophisticated malware developed in Go 1.18, designed for post-exploitation activities. It connects to a custom SSH server at a hardcoded C2 URL, enabling remote interaction with the victim device. The malware utilizes DNS-over-HTTPS to locate its C2 server's IP address and has been observed targeting FortiGate 100D series firewalls. SHOE RACK supports various channel types, including 'session' and a non-standard 'jump' type, allowing for reverse-SSH tunneling. It also offers TCP tunneling capabilities, enabling actors to pivot into LAN networks after compromising perimeter devices. While some operational security measures are implemented, the malware's network communications are distinctive due to its impersonation of an outdated SSH version.