- APT28 has used a modified and obfuscated version of the reGeorg web shell to maintain persistence on a target's Outlook Web Access (OWA) server.
- APT29 has installed web shells on exploited Microsoft Exchange servers.
- APT32 has used Web shells to maintain access to victim websites.
- APT38 has used web shells for persistence or to ensure redundant access.
- APT39 has installed ANTAK and ASPXSPY web shells.
- ASPXSpy is a Web shell. The ASPXTool version used by Threat Group-3390 has been deployed to accessible servers running Internet Information Services (IIS).
- BackdoorDiplomacy has used web shells to establish an initial foothold and for lateral movement within a victim's system.
- During C0017, APT41 deployed JScript web shells through the creation of malicious ViewState objects.
- China Chopper's server component is a Web Shell payload.
- Deep Panda uses Web shells on publicly accessible Web servers to access victim networks.
- Dragonfly has commonly created Web shells on victims' publicly accessible email and web servers, which they used to maintain access to a victim network and download additional malicious files.
- Fox Kitten has installed web shells on compromised hosts to maintain access.
- GALLIUM used Web shells to persist in victim environments and assist in execution and exfiltration.
- HAFNIUM has deployed multiple web shells on compromised servers including SIMPLESEESHARP, SPORTSBALL, China Chopper, and ASPXSpy.
- Kimsuky has used modified versions of open source PHP web shells to maintain access, often adding "Dinosaur" references within the code.
- Leviathan relies on web shells for an initial foothold as well as persistence into the victim's systems.
- Magic Hound has used multiple web shells to gain execution.
- Moses Staff has dropped a web shell onto a compromised system.
- OilRig has used web shells, often to maintain access to a victim network.
- During Operation CuckooBees, the threat actors generated a web shell within a vulnerable Enterprise Resource Planning Web Application Server as a persistence mechanism.
- During Operation Wocao, threat actors used their own web shells, as well as those previously placed on target systems by other threat actors, for reconnaissance and lateral movement.
- OwaAuth is a Web shell that appears to be exclusively used by Threat Group-3390. It is installed as an ISAPI filter on Exchange servers and shares characteristics with the China Chopper Web shell.
- P.A.S. Webshell can gain remote access and execution on target web servers.
- Sandworm Team has used webshells including P.A.S. Webshell to maintain access to victim networks.
- SEASHARPEE is a Web shell.
- SUPERNOVA is a Web shell.
- TEMP.Veles has planted Web shells on Outlook Exchange servers.
- Threat Group-3390 has used a variety of Web shells.
- Tonto Team has used a first stage web shell after compromising a vulnerable Exchange server.
- Tropic Trooper has started a web service on the target host and waited for the adversary to connect, acting as a web shell.
- Volatile Cedar can inject web shell code into a server.