
  • What Web Shells are Attackers Looking for?

    Webshells remain a popular method for attackers to maintain persistence on a compromised web server. Many “arbitrary file write” and “remote code execution” vulnerabilities are used to drop small files on systems for later execution of additional payloads. The names of these files keep changing and are often chosen to “fit in” with other files. Webshells left behind by one attacker are also often used by other, parasitic attackers to compromise the same server. Sadly (?), attackers are not always selecting good passwords either. In some cases, webshells come with pre-set backdoor credentials, which may be overlooked by a less sophisticated attacker.

    I first noticed requests for a particular URL: /turkshell.php. This URL is linked to a well-known webshell. On this particular day, only four IPs scanned for it:

    20.48.232.178, 20.215.65.23, 51.12.84.116, 51.103.130.249

    It is a little bit odd, but all four appear to be assigned to Microsoft. There may be an attacker targeting systems inside Microsoft’s cloud environment. Or all four are used by the same (compromised?) organization.

    Next, I queried our database to see which other URLs these IP addresses probed, and ended up with 287(!) hits. Here are the top 10:

    URL                                                  Count
    /wp-content/                                            45
    /ms-edit.php                                            44
    /fe5.php                                                43
    /wp-content/admin.php                                   39
    /av.php                                                 36
    /wp-content/plugins/hellopress/wp_filemanager.php       27
    /wp-content/themes/index.php                            23
    /k.php                                                  23
    /goods.php                                              23
    /222.php                                                23

    One common theme was the use of the prefix “wp-”, likely to blend in better on WordPress sites. The scans also included “non-webshell” URLs like “/wp-content/plugins/hellopress/wp_filemanager.php”, which may be useful for fingerprinting the site, or which may be abusable as webshells themselves or as a way to deploy one.
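    The analysis step above (group requests by source IP, then rank the URLs those sources asked for) as a small script. This is an added example, not the diary's own tooling. The log lines are constructed for the example; the first two source IPs and the paths are taken from the diary. It goes one step further than the diary by also flagging any source that requests several distinct script paths that do not exist on the server, which is independent of the particular file names a scanner happens to use.

```python
#!/usr/bin/env python3
"""Group probes by source IP and rank the URLs they requested.

Added example, not the ISC diary's tooling. Parses combined-format access
log lines, ranks the paths requested by a set of source IPs (the diary's
"top 10" table), and flags sources that probe many distinct script paths
that returned 404. Log lines below are constructed.
"""
import re
from collections import Counter, defaultdict
from typing import Iterable, Iterator

# Apache/nginx "combined" format: IP ident user [time] "METHOD PATH PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)
SCRIPT_SUFFIXES = (".php", ".php7", ".phtml")   # assumption: what the server would execute

# Constructed sample log; the first two sources are two of the four IPs named in the diary.
SAMPLE_LOG = """\
20.48.232.178 - - [01/Jan/2026:10:00:01 +0000] "GET /turkshell.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
20.48.232.178 - - [01/Jan/2026:10:00:02 +0000] "GET /ms-edit.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
20.48.232.178 - - [01/Jan/2026:10:00:03 +0000] "GET /fe5.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
20.48.232.178 - - [01/Jan/2026:10:00:04 +0000] "GET /wp-content/admin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
51.12.84.116 - - [01/Jan/2026:10:05:01 +0000] "GET /turkshell.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
51.12.84.116 - - [01/Jan/2026:10:05:02 +0000] "GET /ms-edit.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
51.12.84.116 - - [01/Jan/2026:10:05:03 +0000] "GET /av.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2026:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2026:10:06:05 +0000] "GET /about.php?id=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def parse(lines: Iterable[str]) -> Iterator[tuple[str, str, int]]:
    """Yield (source IP, path without query string, status) for each parseable line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], m["path"].split("?", 1)[0], int(m["status"])


def top_paths(lines: Iterable[str], sources: set[str], n: int = 10) -> list[tuple[str, int]]:
    """Most-requested paths among requests from the given sources, like the diary's table."""
    counts = Counter(path for ip, path, _ in parse(lines) if ip in sources)
    return counts.most_common(n)


def php_probe_sources(lines: Iterable[str], threshold: int = 3) -> dict[str, int]:
    """Sources that requested at least `threshold` distinct script paths that returned 404.

    Counting distinct missing scripts per source, rather than matching a fixed
    list of file names, catches a scanner regardless of which names it uses.
    """
    missing: dict[str, set[str]] = defaultdict(set)
    for ip, path, status in parse(lines):
        if status == 404 and path.lower().endswith(SCRIPT_SUFFIXES):
            missing[ip].add(path)
    return {ip: len(paths) for ip, paths in missing.items() if len(paths) >= threshold}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for path, count in top_paths(lines, {"20.48.232.178", "51.12.84.116"}):
        print(f"{count:4d}  {path}")
    print("probable scanners:", php_probe_sources(lines))
```

    The threshold of three distinct missing scripts is a starting point, not a tuned value; a site that recently removed pages will see legitimate 404s, so compare against the site's normal 404 rate before alerting.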

    What should you do to protect yourself from webshells?

    1. Don’t have any remote code execution or file upload vulnerabilities (yes… easy to say)
    2. Restrict permissions to not allow file uploads to your document root (sadly, in particular CMSs like WordPress sometimes have to be able to do so)
    3. Monitor the file system for changes
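    Step 3, monitoring the document root for changes, as a baseline-and-diff script. This is an added example, not code from the diary. It hashes every script-like file under the document root, stores the baseline as JSON, and on the next run reports added, removed and modified scripts, plus any script that appeared under a directory that should only ever hold uploads. The suffix list, the upload-directory list and the throwaway tree built by `demo()` are assumptions for the example.

```python
#!/usr/bin/env python3
"""Baseline-and-diff integrity check for a web document root.

Added example, not the ISC diary's code. Hash every script-like file under
the document root, keep the result as a JSON baseline, and on later runs
report what was added, removed or modified. Scripts under upload-only
directories are reported separately because, on a CMS that must be able
to write to its document root, that is where a dropped file usually lands.
"""
import hashlib
import json
import tempfile
from pathlib import Path

SCRIPT_SUFFIXES = {".php", ".php7", ".phtml", ".phar"}   # assumption: what the web server executes
UPLOAD_DIRS = ("wp-content/uploads",)                    # assumption: directories that must not hold scripts


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(docroot: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every script-like file under docroot."""
    return {
        p.relative_to(docroot).as_posix(): sha256_of(p)
        for p in docroot.rglob("*")
        if p.is_file() and p.suffix.lower() in SCRIPT_SUFFIXES
    }


def diff(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Added, removed and modified relative paths between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }


def scripts_in_upload_dirs(current: dict[str, str]) -> list[str]:
    """Scripts located under directories that should only contain uploaded media."""
    return sorted(k for k in current if any(k.startswith(d + "/") for d in UPLOAD_DIRS))


def save_baseline(snap: dict[str, str], path: Path) -> None:
    path.write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(path: Path) -> dict[str, str]:
    return json.loads(path.read_text())


def demo() -> dict:
    """Build a constructed docroot, baseline it, simulate a dropped file, and report the diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "wp-content" / "uploads" / "2021" / "02").mkdir(parents=True)
        (root / "index.php").write_text("<?php echo 'site'; ?>\n")
        (root / "wp-content" / "uploads" / "2021" / "02" / "photo.jpg").write_bytes(b"\xff\xd8\xff")
        baseline_file = root / ".baseline.json"   # in real use keep the baseline outside the docroot
        save_baseline(snapshot(root), baseline_file)
        # constructed "after" state: a script appears in the uploads tree and index.php changes
        (root / "wp-content" / "uploads" / "2021" / "02" / "index.php").write_text("<?php /* constructed */ ?>\n")
        (root / "index.php").write_text("<?php echo 'site'; /* changed */ ?>\n")
        current = snapshot(root)
        report = diff(load_baseline(baseline_file), current)
        report["in_upload_dirs"] = scripts_in_upload_dirs(current)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

    Run the snapshot from a cron job or a CI step, and store the baseline on a host the web server cannot write to, otherwise an attacker who can drop a file can also rewrite the baseline to match.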

    What does not work (or does not work very well): scanning for specific filenames. The 287 files these four IPs looked for make a rather incomplete list. I will add it below, but please don’t consider it complete. I am not even sure it is worth the effort to scan for these specific filenames. You may also get some false positives. Not every item on this list is a webshell, and some sites may use identical filenames for regular content.


    /.mopj.php
    /.tmb/8.php
    /.tmb/a5.php
    /.tmb/nano.php
    /.well-known/
    /.well-known/7.php
    /.well-known/8.php
    /.well-known/a5.php
    /.well-known/f35.php
    /.well-known/simple.php
    /.yuf.php
    //a1.php
    //aa.php
    //about.php
    //admin.php
    //admina.php
    //adminfuns.php
    //av.php
    //cacheee.php
    //cgi-bin/index.php
    //edit.php
    //f6.php
    //fetch.php
    //inputs.php
    //wp-content/admin.php
    //wp-content/uploads/2021/02/index.php
    //wp-includes/css/dist/
    //wp-includes/css/index.php
    //wp-includes/js/jquery/
    //wp-includes/l10n/
    //wp-mter.php
    //xwpg.php
    /1.php
    /10.php
    /100.php
    /111.php
    /1111.php
    /1111.php?p=
    /13.php
    /133927/8.php
    /19.php
    /2.php
    /2026w.php
    /222.php
    /2e754/a5.php
    /3.php
    /4.php
    /403.php
    /404.php
    /5.php
    /6.php
    /66.php
    /7.php
    /8.php
    /9.php
    /a1.php
    /a2.php
    /a5.php
    /aa.php
    /aaa.php
    /aaa.php?p=
    /abc.php
    /abcd.php
    /about.php
    /about2.php
    /acp.php
    /admin.php
    /admin.php.
    /admin/controller/extension/extension/ultra.php
    /adminfuns.php
    /administrator/7.php
    /alfa.php
    /alfashell.php
    /aligk.php
    /alpha.php
    /an.php
    /as.php
    /ass.php
    /autoload_classmap.php
    /av.php
    /aw.php
    /axx.php
    /bal.php
    /bb.php
    /BDKR28WP.php
    /bengi.php
    /bgymj.php
    /bless.php
    /bless4.php
    /bogles.php
    /bs1.php
    /bthil.php
    /bypltspd.php
    /byrgo.php
    /cabs.php
    /cache.php
    /cacheee.php
    /cgi-bin/
    /cgi-bin/7.php
    /cgi-bin/8.php
    /cgi-bin/a5.php
    /cgi-bin/index.php
    /chosen.php
    /class-t.api.php
    /class.php
    /class19.php
    /class20.php
    /classwithtostring.php
    /classwithtostring.php?p=
    /cli/7.php
    /config.php
    /configPCJ/f35.php
    /content.php
    /control.php
    /css/autoload_classmap.php
    /defaults.php
    /dev.php
    /edit.php
    /eee.php
    /esp.php
    /ew.php
    /f35_S.php
    /f35.php
    /f6.php
    /fe5.php
    /fetch.php
    /fff.php
    /fi.php
    /file.php
    /file18.php
    /file21.php
    /file31.php
    /file48.php
    /file61.php
    /fine.php
    /flower.php
    /ftde.php
    /function/function.php
    /fvvff.php
    /fx.php
    /g.php
    /gecko-new.php
    /gelay.php
    /gettest.php
    /ghhjh.php
    /god4m.php
    /goods.php
    /gptsh.php
    /gssdd.php
    /hplfuns.php
    /images/simple.php
    /in.php
    /includes/7.php
    /index.php
    /index/8.php
    /index/function.php
    /inege.php
    /info.php
    /inputs.php
    /ioxi-o.php
    /item.php
    /jp.php
    /k.php
    /kbfr.php
    /kj.php
    /lock360.php
    /makeasmtp.php
    /makeasmtp.php?p=
    /mari.php
    /moon.php
    /motu.php
    /ms-edit.php
    /nano.php
    /new.php
    /NewFile.php
    /no1.php
    /no18.php
    /o.php
    /ok.php
    /ol.php
    /pcp/simple.php
    /plss3.php
    /plugins.php
    /plugins/7.php
    /prv8.php
    /qqa.php
    /randkeyword.PhP7
    /read.php
    /rip.php
    /s.php
    /sbhu.php
    /seo.php
    /sf.php
    /simple.php
    /style.php
    /swallowable.php
    /system.php
    /tea.php
    /test1.php
    /themes.php
    /tinyfilemanager.php
    /tinyfilemanager.php?p=
    /tmp.php
    /turkshell.php
    /txets.php
    /update/f35.php
    /uploads/
    /uuu.php
    /vee.php
    /w2025.php
    /we.php
    /well-known/nano.php
    /wen.php
    /wi.php
    /wk/index.php
    /wordpress/8.php
    /wp-act.php
    /wp-admin/8.php
    /wp-admin/a.php
    /wp-admin/alfa.php
    /wp-admin/css/bolt.php
    /wp-admin/css/colors
    /wp-admin/css/colors/ectoplasm/
    /wp-admin/images/
    /wp-admin/js/
    /wp-admin/js/fi.php
    /wp-admin/js/widgets/
    /wp-admin/nano.php
    /wp-admin/network/index.php
    /wp-admin/user/index.php
    /wp-blog.php
    /wp-conf.php
    /wp-content/
    /wp-content/8.php
    /wp-content/a5.php
    /wp-content/admin.php
    /wp-content/plugins/core-plugin/include.php
    /wp-content/plugins/hellopress/wp_filemanager.php
    /wp-content/plugins/index.php
    /wp-content/plugins/pwnd/as.php
    /wp-content/plugins/WordPressCore/
    /wp-content/themes/
    /wp-content/themes/admin.php
    /wp-content/themes/hideo/network.php
    /wp-content/themes/index.php
    /wp-content/uploads/
    /wp-content/uploads/2021/02/index.php
    /wp-content/uploads/index.php
    /wp-good.php
    /wp-includes/
    /wp-includes/8.php
    /wp-includes/a5.php
    /wp-includes/css/dist/
    /wp-includes/css/index.php?p=
    /wp-includes/html-api/
    /wp-includes/ID3/
    /wp-includes/images/
    /wp-includes/IXR/test1.php
    /wp-includes/js/crop/cropper.php
    /wp-includes/js/jquery/
    /wp-includes/l10n/
    /wp-includes/nano.php
    /wp-includes/PHPMailer/
    /wp-includes/Requests/src/Response/about.php
    /wp-includes/SimplePie/
    /wp-includes/Text/Diff/Engine/about.php
    /wp-kd4xalrg7m.php
    /wp-login.php
    /wp-michan.php
    /wp-mter.php
    /wp-the.php
    /wp-trackback.php
    /wp-update.php
    /wp.php
    /wp1.php
    /wpx.php
    /ws.php
    /x1da.php
    /xa.php
    /xmlrpc.php
    /xmrlpc.php
    /xozx.php
    /xqq.php
    /xwpg.php
    /xwx1.php
    /xx.php
    /zample.php

    Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu

  • Over 1,000 Exposed ComfyUI Instances Targeted in Cryptomining Botnet Campaign

    An active campaign has been observed targeting internet-exposed instances running ComfyUI, a popular stable diffusion platform, to enlist them into a cryptocurrency mining and proxy botnet.

    “A purpose-built Python scanner continuously sweeps major cloud IP ranges for vulnerable targets, automatically installing malicious nodes via ComfyUI-Manager if no exploitable node is already present,” Censys security researcher Mark Ellzey said in a report published Monday.

    The attack activity, at its core, systematically scans for exposed ComfyUI instances and exploits a misconfiguration that allows remote code execution on unauthenticated deployments through custom nodes.

    Upon successful exploitation, the compromised hosts are added to a cryptomining operation that mines Monero via XMRig and Conflux via lolMiner, as well as to a Hysteria V2 botnet. Both of them are centrally managed through a Flask-based command-and-control (C2) dashboard.

    Data from the attack surface management platform shows that there are more than 1,000 publicly accessible ComfyUI instances. While not a huge number, it’s sufficient for a threat actor to run opportunistic campaigns to reap financial gains.

    Censys said it discovered the campaign last month after identifying an open directory on 77.110.96[.]200, an IP address associated with a bulletproof hosting services provider, Aeza Group. The directory is said to have contained a previously undocumented set of tools to pull off the attacks.


    This includes two reconnaissance tools to enumerate exposed ComfyUI instances across cloud infrastructure, identify those that have ComfyUI-Manager installed, and shortlist those that are susceptible to the code execution exploit.

    One of the two scanner Python scripts also functions as an exploitation framework that weaponizes ComfyUI’s custom nodes to achieve code execution. This technique, some aspects of which were documented by Snyk in December 2024, takes advantage of the fact that some custom nodes accept raw Python code as input and run it directly without requiring any authentication.

    As a result, an attacker can scan exposed ComfyUI instances for specific custom node families that support arbitrary code execution, effectively turning the service into a channel for delivering attacker-controlled Python payloads. Some of the custom node families that the attack particularly looks for are listed below –

    • Vova75Rus/ComfyUI-Shell-Executor
    • filliptm/ComfyUI_Fill-Nodes
    • seanlynch/srl-nodes
    • ruiqutech/ComfyUI-RuiquNodes

    “If none of the target nodes are present, the scanner checks whether ComfyUI-Manager is installed,” Censys said. “If available, it installs a vulnerable node package itself, then retries exploitation.”

    It’s worth noting that “ComfyUI-Shell-Executor” is a malicious package created by the attacker to fetch a next-stage shell script (“ghost.sh”) from the aforementioned IP address. Once code execution is obtained, the scanner removes evidence of the exploit by clearing the ComfyUI prompt history.

    A newer version of the scanner also incorporates persistence mechanisms that cause the shell script to be downloaded every six hours and the exploit workflow to be re-executed every time ComfyUI is started.

    The shell script, for its part, disables shell history, kills competing miners, launches the miner process, and uses an LD_PRELOAD hook to hide a watchdog process that ensures the miner process is revived in the event it gets terminated.

    In addition, the miner program is copied to multiple locations so that even if the primary install directory gets wiped, it can be launched from one of the fallback locations. A third mechanism the malware uses to ensure persistence is the use of the “chattr +i” command to lock the miner binaries and prevent them from being deleted, modified, or renamed, even by the root user.

    “There is also dedicated code targeting a specific competitor, ‘Hisana’ (which is referenced throughout the code), which appears to be another mining botnet,” Censys explained. “Rather than just killing it, ghost.sh overwrites its configuration to redirect Hisana’s mining output to its own wallet address, then occupies Hisana’s C2 port (10808) with a dummy Python listener so Hisana can’t restart.”
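    A host triage script for the persistence mechanisms described in the preceding paragraphs. This is an added example, not Censys' tooling and not part of the report: it reads the artifacts a defender would check on a Linux host after this campaign (LD_PRELOAD hooks in /etc/ld.so.preload, cron entries scheduled every six hours, identical executables copied to several fallback locations, files locked with `chattr +i`, and a local listener squatting on TCP 10808). Each file-based check takes a root directory so it can run against a mounted image or a copied tree; the directory list and the tree built by `demo()` are constructed assumptions, and the `/proc/net/tcp` and `lsattr` parts assume Linux.

```python
#!/usr/bin/env python3
"""Host triage for the persistence mechanisms described above.

Added example, not Censys' tooling. Each check takes a root directory so
the same code runs against "/" or against a copied or constructed tree.
"""
import hashlib
import re
import subprocess
import tempfile
from collections import defaultdict
from pathlib import Path
from typing import Iterable

CRON_6H = re.compile(r"^\s*\S+\s+\*/6\s")   # minute field, then an "every 6 hours" hour field
CRON_LOCATIONS = ("etc/crontab", "etc/cron.d", "var/spool/cron")
EXEC_DIRS = ("usr/local/bin", "tmp", "var/tmp", "dev/shm", "root", "opt")  # assumption: where copies land


def ld_preload_entries(root: Path) -> list[str]:
    """Non-comment lines of /etc/ld.so.preload; the file is normally absent or empty."""
    f = root / "etc" / "ld.so.preload"
    if not f.is_file():
        return []
    return [l.strip() for l in f.read_text().splitlines() if l.strip() and not l.lstrip().startswith("#")]


def six_hour_cron_entries(root: Path) -> list[str]:
    """Crontab lines with "*/6" in the hour field, from the system crontab locations."""
    hits: list[str] = []
    for base in CRON_LOCATIONS:
        p = root / base
        files = [p] if p.is_file() else [q for q in p.rglob("*") if q.is_file()] if p.is_dir() else []
        for f in files:
            for line in f.read_text(errors="replace").splitlines():
                if CRON_6H.match(line):
                    hits.append(f"{f.relative_to(root).as_posix()}: {line.strip()}")
    return hits


def duplicate_executables(root: Path, dirs: Iterable[str] = EXEC_DIRS) -> dict[str, list[str]]:
    """SHA-256 -> paths for executables present as identical copies in more than one place."""
    by_hash: dict[str, list[str]] = defaultdict(list)
    for d in dirs:
        if not (root / d).is_dir():
            continue
        for f in (root / d).rglob("*"):
            if f.is_file() and f.stat().st_mode & 0o111:
                by_hash[hashlib.sha256(f.read_bytes()).hexdigest()].append(f.relative_to(root).as_posix())
    return {h: sorted(ps) for h, ps in by_hash.items() if len(ps) > 1}


def listeners_on_port(root: Path, port: int = 10808) -> list[str]:
    """Local sockets in LISTEN state (st == 0A) on `port`, read from /proc/net/tcp."""
    f = root / "proc" / "net" / "tcp"
    if not f.is_file():
        return []
    found = []
    for line in f.read_text().splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 4 and parts[3] == "0A" and int(parts[1].split(":")[1], 16) == port:
            found.append(parts[1])
    return found


def immutable_files(paths: Iterable[str]) -> list[str]:
    """Files carrying the immutable attribute (set with chattr +i); shells out to lsattr."""
    try:
        out = subprocess.run(["lsattr", "-R", *paths], capture_output=True, text=True).stdout
    except FileNotFoundError:   # e2fsprogs not installed
        return []
    hits = []
    for line in out.splitlines():
        parts = line.split(None, 1)
        # attribute lines look like "----i---------e------- /path"; directory headers are skipped
        if len(parts) == 2 and re.fullmatch(r"[-A-Za-z]+", parts[0]) and "i" in parts[0]:
            hits.append(parts[1])
    return hits


def demo() -> dict:
    """Build a constructed root tree containing each artifact and run the file-based checks."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for sub in ("etc/cron.d", "usr/local/bin", "tmp/.x", "proc/net"):
            (root / sub).mkdir(parents=True)
        (root / "etc/ld.so.preload").write_text("/usr/local/lib/libhide.so\n")              # constructed
        (root / "etc/cron.d/update").write_text("0 */6 * * * root /usr/local/bin/update\n")  # constructed
        for p in (root / "usr/local/bin/update", root / "tmp/.x/update"):                    # identical copies
            p.write_bytes(b"#!/bin/sh\necho constructed stand-in\n")
            p.chmod(0o755)
        (root / "proc/net/tcp").write_text(   # constructed: one socket listening on 0x2A38 == 10808
            "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
            "   0: 00000000:2A38 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1 1 0 100 0 0 10 0\n"
        )
        return {"ld_preload": ld_preload_entries(root), "cron_6h": six_hour_cron_entries(root),
                "duplicates": duplicate_executables(root), "port_10808": listeners_on_port(root)}


if __name__ == "__main__":
    print(demo())                                           # self-test on the constructed tree
    print(immutable_files(["/usr/local/bin", "/tmp"]))      # live check; needs lsattr
```

    Point the checks at `Path("/")` for a live host. Any non-empty result is worth a look, but none of them is proof on its own: legitimate software does ship preload libraries and six-hourly cron jobs, so treat hits as triage leads to correlate with process and network activity.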

    The infected hosts are commandeered by means of a Flask-based C2 panel, which allows the operator to push instructions or deploy additional payloads, including a shell script that installs Hysteria V2 with the likely goal of selling compromised nodes as proxies. 

    Further analysis of the attacker’s shell command history has revealed an SSH login attempt as root to the IP address 120.241.40[.]237, which has been linked to an ongoing worm campaign targeting exposed Redis database servers.

    “Much of the tooling in this repository appears hastily assembled, and the overall tactics and techniques might initially suggest unsophisticated activity,” Censys said. “Specifically, the operator identifies exposed ComfyUI instances running custom nodes, determines which of those nodes expose unsafe functionality, and then uses them as a pathway to remote code execution.”

    “The infrastructure accessed by the operator further supports the idea that this activity is part of a broader campaign focused on discovering and exploiting exposed services, followed by the deployment of custom tooling for persistence, scanning, or monetization.”


    The discovery coincides with the emergence of multiple botnet campaigns in recent weeks –

    • Exploitation of command injection vulnerabilities in n8n (CVE-2025-68613) and Tenda AC1206 routers (CVE-2025-7544) to add them to a Mirai-based botnet known as Zerobot.
    • Exploitation of vulnerabilities in Apache ActiveMQ (CVE-2023-46604), Metabase (CVE-2023-38646), and React Server Components (CVE-2025-55182 aka React2Shell) to deliver Kinsing, a persistent malware used for cryptocurrency mining and launching Distributed Denial of Service (DDoS) attacks.
    • Exploitation of a suspected zero-day vulnerability in fnOS Network Attached Storage (NAS) to target internet-exposed systems and implant them with a DDoS malware called Netdragon. “NetDragon establishes an HTTP backdoor interface on compromised devices, enabling attackers to remotely access and control the infected systems,” QiAnXin XLab said. “It tampers with the ‘hosts’ file to hijack the official Feiniu NAS system update domains, effectively preventing devices from obtaining system updates and security patches.”
    • Expansion of RondoDox‘s exploit list to 174 different vulnerabilities, while shifting the attack methodology from a “shotgun approach” to more targeted and recent flaws that are more likely to lead to infections.
    • Exploitation of known security vulnerabilities to deploy a new variant of Condi, a Linux malware that turns compromised Linux devices into bots capable of conducting DDoS attacks. The binary references a string “QTXBOT,” either indicating the name of the forked version or the internal project name.
    • Brute-force attacks against SSH servers to launch an XMRig miner and generate illicit cryptocurrency revenue as part of an active cryptojacking operation called Monaco. Weak SSH passwords have also been used as attack pathways to deploy malware that establishes persistence, kills competing miners, connects to an external server, and performs a ZMap scan to propagate the malware in a worm-like fashion to other vulnerable hosts.

    “Botnet activity has surged over the last year, with Spamhaus noting 26% and 24% increases in the two six-month periods Jan – Jun 2025 and Jul – Dec 2025, respectively,” Pulsedive said.

    “This increase is associated with bots and nodes appearing in the United States. The increase also stems from the availability of source code for botnets such as Mirai. Mirai offshoots and variants are responsible for some of the largest DDoS attacks by volume.”




  • China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware

    Ravie Lakshmanan, Apr 07, 2026, Vulnerability / Threat Intelligence

    A China-based threat actor known for deploying Medusa ransomware has been linked to the weaponization of a combination of zero-day and N-day vulnerabilities to orchestrate “high-velocity” attacks and break into susceptible internet-facing systems.

    “The threat actor’s high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, the United Kingdom, and the United States,” the Microsoft Threat Intelligence team said.

    Attacks mounted by Storm-1175 have obtained initial access through zero-day exploits, in some cases before the underlying flaws were publicly disclosed, as well as through recently disclosed vulnerabilities. Select incidents have involved the threat actor chaining together multiple exploits (e.g., OWASSRF) for post-compromise activity.

    Upon gaining a foothold, the financially motivated cybercriminal actor swiftly moves to exfiltrate data and deploy Medusa ransomware within a span of a few days, or, in select incidents, within 24 hours.


    To aid in these efforts, the group establishes persistence by creating new user accounts, deploys web shells or legitimate remote monitoring and management (RMM) software for lateral movement, conducts credential theft, and interferes with the normal functioning of security solutions, before dropping the ransomware.

    Since 2023, Storm-1175 has been linked to the exploitation of more than 16 vulnerabilities –

    Both CVE-2025-10035 and CVE-2026-23760 are said to have been exploited as zero-days before they were publicly disclosed. As of late 2024, the hacking crew has exhibited a flair for targeting Linux systems, including exploiting vulnerable Oracle WebLogic instances across several organizations. However, the exact vulnerability that was being weaponized in these attacks remains unknown.

    “Storm-1175 rotates exploits quickly during the time between disclosure and patch availability or adoption, taking advantage of the period where many organizations remain unprotected,” Microsoft said.


    Some of the notable tactics observed in these attacks are as follows –

    • Using living-off-the-land binaries (LOLBins), including PowerShell and PsExec, along with Impacket for lateral movement.
    • Relying on PDQ Deployer for both lateral movement and payload delivery, including Medusa ransomware, across the network.
    • Modifying Windows Firewall policies to enable Remote Desktop Protocol (RDP) and deliver malicious payloads to other devices.
    • Carrying out credential dumping using Impacket and Mimikatz.
    • Configuring Microsoft Defender Antivirus exclusions to prevent it from blocking ransomware payloads.
    • Leveraging Bandizip and Rclone for data collection and exfiltration, respectively.
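    The tactics in the list above each leave a record in a standard Windows event, and a small rule set over those events is a reasonable first detection layer. The following is an added example, not Microsoft's detection logic: it keys on event ID 4720 (local account created), 5007 (Defender configuration changed, here naming an Exclusions registry key), 4946 (firewall exception rule added, here one that opens Remote Desktop) and 4688 (process creation, here for the tooling named above). The flat dict layout is a constructed, simplified form of what a log parser would emit rather than raw event XML, the image-name list is an assumption drawn from the tools named on this page, and every sample event is constructed.

```python
#!/usr/bin/env python3
"""Map the listed Storm-1175 tactics to the Windows events that record them.

Added example, not Microsoft's detections. Event IDs are the standard
Security / Defender Operational IDs; the record layout and samples are
constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Alert:
    rule: str
    event_id: int
    detail: str


# Image names of the tools named above; matched on the 4688 NewProcessName field.
TOOLING_RE = re.compile(r"(?:^|\\)(rclone|psexec|mimikatz|bandizip)\.exe$", re.IGNORECASE)
# A 5007 message that names an Exclusions key means an exclusion was added or changed.
EXCLUSION_RE = re.compile(r"\\Exclusions\\(Paths|Extensions|Processes)\\", re.IGNORECASE)
# Heuristic: a newly added firewall rule whose name points at Remote Desktop / 3389.
RDP_RULE_RE = re.compile(r"remote desktop|3389", re.IGNORECASE)


def check_event(e: dict) -> Optional[Alert]:
    """Return an Alert if the event matches one of the tactic rules, else None."""
    eid = e.get("EventID")
    if eid == 4720:
        return Alert("new-local-account", eid,
                     f"{e.get('TargetUserName')} created by {e.get('SubjectUserName')}")
    if eid == 5007 and EXCLUSION_RE.search(e.get("Message", "")):
        return Alert("defender-exclusion-added", eid, e["Message"])
    if eid == 4946 and RDP_RULE_RE.search(e.get("RuleName", "")):
        return Alert("firewall-rule-opens-rdp", eid, e["RuleName"])
    if eid == 4688 and TOOLING_RE.search(e.get("NewProcessName", "")):
        return Alert("dual-use-tooling-started", eid, e["NewProcessName"])
    return None


def scan(events: Iterable[dict]) -> list[Alert]:
    """Run every event through the rules and keep the alerts, in event order."""
    return [a for a in map(check_event, events) if a is not None]


SAMPLE_EVENTS = [  # constructed records; benign ones are interleaved to show the rules are selective
    {"EventID": 4624, "TargetUserName": "alice"},
    {"EventID": 4720, "TargetUserName": "svc_backup2", "SubjectUserName": "admin"},
    {"EventID": 5007, "Message": r"Microsoft Defender Antivirus Configuration has changed. "
                                 r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp = 0x0"},
    {"EventID": 5007, "Message": r"Microsoft Defender Antivirus Configuration has changed. "
                                 r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\ScanParameters = 0x2"},
    {"EventID": 4946, "RuleName": "Remote Desktop - User Mode (TCP-In)", "Profile": "Domain"},
    {"EventID": 4946, "RuleName": "Core Networking - DNS (UDP-Out)", "Profile": "Domain"},
    {"EventID": 4688, "NewProcessName": r"C:\Users\Public\rclone.exe", "CommandLine": "rclone copy D:\\share remote:bucket"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe"},
]


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] event {a.event_id}: {a.detail}")
```

    Process creation events carry a `NewProcessName` only when command-line process auditing is enabled, and the 4946 rule matches on the rule name alone, so a renamed binary or an oddly named firewall rule slips past these rules; they are a starting point to pair with the RMM-tool inventory discussed next, not a complete detection.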

    The bigger implication here is that RMM tools like AnyDesk, Atera, MeshAgent, ConnectWise ScreenConnect, or SimpleHelp are becoming dual-use infrastructure for covert operations, as they allow threat actors to blend malicious traffic into trusted, encrypted platforms and reduce the likelihood of detection.


