
All news with #web shell tag

37 articles

Ongoing Exploitation of Cisco Catalyst SD-WAN Systems

🔔 Talos reports active, in-the-wild exploitation of multiple Cisco Catalyst SD‑WAN vulnerabilities, including CVE-2026-20182 and a chained set (CVE-2026-20133, CVE-2026-20128, CVE-2026-20122) that enable unauthorized access, persistent webshell deployment, and privilege escalation. The threat cluster UAT-8616 and other adversaries have deployed JSP webshells such as XenShell, Godzilla, and Behinder and have installed miners, C2 implants, and reconnaissance and tunneling tools post-compromise. Customers should urgently apply Cisco updates, follow Talos detection guidance and Snort/ClamAV signatures, and engage TAC for incident support and remediation.

cPanel Vulnerability Exposes Hosting Supply Chain Risks

🔒 A recently disclosed cPanel vulnerability, tracked as CVE-2026-41940, is being exploited at scale to deploy backdoors, plant SSH keys, steal credentials, and compromise hosting systems. Researchers at XLab link much of the activity to a long-running group called Mr_Rot13, with automated scans from over 2,000 attacker IPs observed after the late-April disclosure. The incident highlights weak visibility into hosting control planes and urges organizations to treat exposed control panels as high-priority incidents: patch immediately, rotate credentials, hunt for webshells, and review logs for persistence.

China-Linked Hackers Target Asian Governments, Journalists

🔒 Trend Micro disclosed a China-aligned espionage campaign tracked as SHADOW-EARTH-053 that exploited N-day flaws in internet-facing Microsoft Exchange and IIS servers to deploy web shells (including Godzilla) and persistently stage the ShadowPad backdoor via DLL sideloading and AnyDesk. Targets spanned Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, Taiwan and one NATO member, Poland. Citizen Lab separately reported two phishing clusters, GLITTER CARP and SEQUIN CARP, impersonating journalists and tech/security alerts to harvest credentials and OAuth tokens. Researchers recommend urgent patching, virtual patching with WAF/IPS, and heightened monitoring for tunneling tools, web shells, and lateral-movement artifacts.

Popular WordPress Redirect Plugin Hid Dormant Backdoor

πŸ›‘οΈ The Quick Page/Post Redirect WordPress plugin, installed on more than 70,000 sites, contained a hidden backdoor introduced through a malicious self-update mechanism in versions 5.2.1 and 5.2.2. Researcher Austin Ginder discovered the issue after multiple infections on his Anchor hosting fleet led to a security alert; WordPress.org has temporarily pulled the plugin pending review. A tampered 5.2.3 build, delivered from an external anadnet[.]com server, added a passive backdoor that only triggers for logged-out users and appears to have been used for cloaked SEO spam. Impacted sites should uninstall the plugin and replace it with a clean copy of version 5.2.4 from WordPress.org when it is available.

Microsoft: Cookie-Controlled PHP Web Shells on Linux

πŸͺ Microsoft Defender Security Research Team warns that threat actors are increasingly using HTTP cookies as a covert control channel for PHP-based web shells on Linux servers. Instead of passing commands via URL parameters or request bodies, attackers gate execution and convey instructions through values accessible in the PHP $_COOKIE superglobal. This technique keeps malicious code dormant during normal application activity and activates only when specific cookie values are present, reducing observable indicators. Microsoft observed multiple obfuscated loaders and a cron-driven 'self-healing' persistence model that recreates loaders and minimizes forensic visibility.

Cookie-Controlled PHP Webshell Tradecraft for Linux Hosting

🔒 Threat actors are increasingly abusing HTTP cookies as a stealthy control channel for PHP webshells on Linux hosting platforms. By gating execution on specific cookie values, attackers keep loaders dormant during normal traffic and activate functionality only when exact cookie conditions are met. Variants range from multi-stage loaders that reconstruct functions at runtime to single-file interactive shells, often using base64 reconstruction and layered obfuscation to evade detection. Review Microsoft Defender guidance to detect, hunt, and mitigate these threats.

CL-UNK-1068 Targets Critical Sectors Across Asia Region

πŸ›‘οΈ Unit 42 details CL-UNK-1068, a cluster observed since 2020 that targets aviation, energy, government, law enforcement, pharmaceutical, technology and telecommunications organizations across South, Southeast and East Asia. The actor deploys web shells (GodZilla, an AntSword variant), performs DLL side-loading with legitimate python binaries, and uses custom scanners and tunneling tools such as FRP. Exfiltration focuses on web configuration files, databases and credentials; defenders should prioritize detections for behavioral anomalies over static IOCs.

Over 900 FreePBX Instances Remain Infected with Web Shells

⚠ The Shadowserver Foundation reports that more than 900 FreePBX instances remain infected with web shells after exploitation of the CVE-2025-64328 post-auth command injection flaw. The vulnerability (CVSS 8.6) affects versions 17.0.2.36 and later and was fixed in 17.0.3; recommended mitigations include restricting access to the Administration Control Panel, updating the filestore module, and applying available updates. Fortinet links active exploitation since December 2025 to the INJ3CTOR3 actor delivering an EncystPHP web shell that enables arbitrary shell execution as the asterisk user and can initiate outbound call activity via compromised PBX instances.

Critical BeyondTrust Flaw Used to Deploy Web Shells

🔒 Palo Alto Networks Unit 42 reports active exploitation of a critical sanitization bug in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA), tracked as CVE-2026-1731 (CVSS 9.9), that allows OS command execution via the thin-scc-wrapper WebSocket interface. Threat actors have used the flaw for reconnaissance, deploying web shells and backdoors (including VShell and Spark RAT), lateral movement, and data theft. Multiple sectors across several countries are affected, and CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog.

83% of Ivanti EPMM Exploits Traced to Single IP Address

πŸ” GreyNoise attributes 83% of exploitation attempts against Ivanti Endpoint Manager Mobile (EPMM) to a single IP hosted on PROSPERO bulletproof infrastructure. Between Feb 1–9, 2026 it recorded 417 sessions from eight source IPs, with 346 sessions from 193.24.123[.]42. Activity targeted CVE-2026-1281 (CVSS 9.8), showed automated tooling patterns and DNS OAST callbacks, and involved rotation through 300+ user-agent strings. Defused Cyber also reported a dormant "/mifs/403.jsp" sleeper shell deployed to some EPMM instances.

Advanced Web Shell Detection and Linux Sensor Enhancements

πŸ›‘οΈ CrowdStrike's Falcon Linux sensor now offers enhanced visibility and detection for PHP web shells, improving discovery of both pre-existing and obfuscated variants. The On write script file visibility capability captures script content and context as files are written, while Enhance PHP visibility surfaces dynamically evaluated PHP (eval/assert/create_function) as PhpEvalString events. These features have already supported OverWatch in identifying hundreds of web shells and provide richer telemetry for faster investigations and hunting.

China-Linked UAT-8099 Targeting IIS Servers in Asia

πŸ” Cisco Talos has uncovered a late-2025 to early-2026 campaign by a China-linked actor tracked as UAT-8099 targeting vulnerable IIS servers across Asia, notably Thailand and Vietnam. The actor uses web shells, PowerShell, and red-team utilities to deploy GotoHTTP and maintain persistence via hidden accounts. Infections deliver the BadIIS SEO-fraud malware family, hijacking crawlers and injecting malicious redirects to manipulate search rankings.

UAT-8099 Targets IIS in Asia with Region-Specific BadIIS

πŸ” Cisco Talos has identified a UAT-8099 campaign active from August 2025 through early 2026 that targets vulnerable IIS servers across Asia, concentrating on victims in Thailand and Vietnam. The actor uses web shells, PowerShell, and the GotoHTTP remote-control tool to maintain access and deploy region-customized BadIIS variants that hardcode country codes and inject SEO-fraud content. New persistence mechanisms, hidden accounts, and log-wiping utilities support long-term stealth and evasion.

EncystPHP Web Shell Exploits FreePBX Endpoint Manager

πŸ›‘οΈ FortiGuard Labs discovered EncystPHP, a sophisticated PHP web shell exploiting FreePBX via CVE-2025-64328. The campaign, linked to activity attributed to INJ3CTOR3, deploys droppers that create root accounts, inject SSH keys, alter cron jobs for persistence, and remove competing shells. Infected hosts enable remote command execution and abuse of PBX telephony resources. Fortinet offers detections and IPS coverage to mitigate the threat.

GoBruteforcer Botnet Targets Crypto Project Servers

πŸ” A new wave of GoBruteforcer botnet attacks is targeting exposed FTP, MySQL, PostgreSQL and phpMyAdmin services used by cryptocurrency and blockchain projects. Check Point reports the Golang-based botnet brute-forces weak or default credentialsβ€”often from servers deployed with AI-generated configuration snippetsβ€”and then deploys web shells and downloader stages. The malware scans random public IPv4s, spawning up to 95 threads while skipping private, AWS, and U.S. government ranges. Administrators are advised to remove defaults, audit exposed services, and replace outdated stacks like XAMPP.

China-Linked Ink Dragon Employs ShadowPad and FINALDRAFT

πŸ›‘οΈ Check Point Research links a sustained espionage campaign to the China-aligned cluster known as Ink Dragon (also tracked as Jewelbug, CL-STA-0049, Earth Alux/REF7707) that has targeted government and telecommunications organisations across Europe, Asia and Africa since at least March 2023. The actor exploits exposed web applications and predictable ASP.NET machine keys to drop web shells and install a custom ShadowPad IIS Listener, turning compromised servers into resilient C2 relays. Operators deploy a modular backdoor FINALDRAFT (aka Squidoor), alongside NANOREMOTE, loaders and tooling such as VARGEIT and Cobalt Strike to enable stealthy lateral movement, credential theft and high-throughput exfiltration.

Attackers Exploit ArrayOS AG VPN Bug to Deploy Webshells

🔒 Threat actors are exploiting a command injection vulnerability in Array Networks ArrayOS AG VPN appliances to plant PHP webshells and create rogue user accounts. The flaw affects ArrayOS AG 9.4.5.8 and earlier when the DesktopDirect feature is enabled; Array issued a May update (9.4.5.9) to address the issue. Japan's CERT (JPCERT/CC) reports attacks since at least August originating from IP 194.233.100[.]138. If immediate patching is not possible, disable DesktopDirect or block URLs containing a semicolon as a temporary mitigation.

GootLoader Returns Using Custom Font to Conceal Payload

πŸ” Huntress observed the return of GootLoader infections beginning October 27, 2025, with two cases leading to hands-on keyboard intrusions and domain controller compromise within 17 hours. The loader now embeds a custom WOFF2 font using Z85 encoding to substitute glyphs and render obfuscated filenames readable only in the victim browser. Actors deliver XOR-encrypted ZIPs via compromised WordPress comment endpoints and SEO-poisoned search results, and the archive is crafted to appear as benign text to many automated analysis tools while extracting a JavaScript payload on Windows.

China-linked Hackers Reuse Legacy Flaws to Backdoor Targets

πŸ” Symantec and Carbon Black attributed a mid‑April 2025 intrusion to a China-linked threat cluster that targeted a U.S. nonprofit engaged in influencing policy, using mass scanning and multiple legacy exploits (including CVE-2021-44228, CVE-2017-9805, and Atlassian flaws) to gain initial access. The intruders established stealthy persistence via scheduled tasks that invoked legitimate binaries (msbuild.exe, csc.exe), injected code to reach a C2 at 38.180.83[.]166, and sideloaded a DLL through a Vipre component to run an in-memory RAT. Researchers linked the loader to China-aligned clusters such as Salt Typhoon and warned of broader reuse of legacy vulnerabilities and IIS/ASP.NET misconfigurations for long-term backdoors.

Russian-Origin Threat Actors Target Ukrainian Organizations

🔴 Symantec and Carbon Black reported a Russian-origin campaign that targeted a large business services firm and a local government entity in Ukraine, relying on web shells and living-off-the-land techniques to reduce detection. Early activity began on June 27, 2025 with deployment of the LocalOlive web shell, PowerShell exclusions, scheduled memory dumps and credential-theft attempts. Operators used dual-use tools (OpenSSH, RDP changes, winbox64.exe), PowerShell backdoors and native Windows utilities to maintain persistence while minimizing custom malware use. Researchers noted strong Windows tradecraft but could not conclusively attribute the intrusions to a named Russian group.