Behinder
⚠️ Overview
Behinder (also known as "Godzilla" in some reports) is an open-source, encrypted webshell management tool first publicly released in 2019 by an unknown Chinese-speaking developer. It is classified as a post-exploitation remote access tool (RAT) that provides persistent, stealthy command-and-control (C2) capabilities on compromised web servers. Behinder is widely used by advanced persistent threat (APT) groups, including those linked to China (e.g., APT27, TA444), for maintaining access after initial exploitation.
🔧 Technical Capabilities
Behinder operates by planting a small server-side payload (e.g., JSP, ASPX, PHP) on a vulnerable web application; the payload then communicates with the attacker's C2 server over encrypted HTTP(S), typically using AES-256 or XOR-based encryption. It supports dynamic code execution, file upload/download, database querying, and command shell access through a Java-based client GUI. Because the traffic is carried as custom Base64- or AES-encoded payloads, network-based intrusion detection systems (IDS) have difficulty flagging it. Persistence is achieved through scheduled tasks, cron jobs, or re-deployment of the webshell after server reboots. Evasion techniques include randomizing User-Agent strings, using SSL/TLS for transport, and mimicking legitimate web application traffic patterns (e.g., HTTP POST requests with cookie-based session tokens). Behinder does not self-propagate; it relies on initial access gained by other means (e.g., SQL injection, vulnerability exploitation, or stolen credentials).
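Why content signatures struggle against this kind of channel, as an added illustration that is not part of the original page: once the payload is encrypted and Base64-encoded, the strings a signature would look for never appear on the wire, while the body's entropy and size still stand out against ordinary form or JSON traffic. The script below (example code, not Behinder's or any vendor's) scores constructed POST bodies with a Shannon-entropy check; the script-endpoint extension list, the thresholds, and the deterministic pseudo-random stand-in for ciphertext are assumptions made for the example.

```python
import base64
import math
import random
from collections import Counter

# Endpoints whose request bodies normally carry form fields or JSON, not
# opaque blobs.  The extension list is an assumption for this example.
SCRIPT_EXTENSIONS = (".jsp", ".jspx", ".aspx", ".ashx", ".php")

# Decoded-payload entropy at or above this many bits per byte is treated as
# ciphertext-like.  UTF-8 text and JSON usually sit well below 6.
ENTROPY_THRESHOLD = 7.0
MIN_BODY_BYTES = 256


def _pseudo_ciphertext(n: int, seed: int = 7) -> bytes:
    """Deterministic stand-in for an encrypted payload (constructed, not real traffic)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed sample requests: two ordinary application calls and one body
# shaped like an encrypted-then-Base64 blob posted to a script endpoint.
SAMPLE_REQUESTS = [
    {"path": "/login.php", "body": b"user=alice&password=hunter2&remember=1"},
    {"path": "/api/v1/items", "body": b'{"id": 42, "name": "widget", "tags": ["a", "b"]}'},
    {"path": "/uploads/cache.jsp", "body": base64.b64encode(_pseudo_ciphertext(768))},
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8 for random or encrypted bytes, roughly 4-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def decode_if_base64(body: bytes) -> bytes:
    """Return the decoded bytes when the body is strict Base64, otherwise the body itself."""
    try:
        return base64.b64decode(body, validate=True)
    except (ValueError, TypeError):
        return body


def signature_hits(requests, needles=(b"Behinder", b"godzilla")) -> list:
    """Plain-string matching on the wire bytes: finds nothing once the payload is encrypted."""
    return [r["path"] for r in requests if any(n in r["body"] for n in needles)]


def flag_suspicious(requests) -> list:
    """Paths whose POST body is a large, ciphertext-like blob sent to a script endpoint."""
    flagged = []
    for r in requests:
        if not r["path"].lower().endswith(SCRIPT_EXTENSIONS):
            continue
        decoded = decode_if_base64(r["body"])
        if len(decoded) >= MIN_BODY_BYTES and shannon_entropy(decoded) >= ENTROPY_THRESHOLD:
            flagged.append(r["path"])
    return flagged


if __name__ == "__main__":
    print("signature hits:", signature_hits(SAMPLE_REQUESTS))
    print("entropy-flagged:", flag_suspicious(SAMPLE_REQUESTS))
```

The threshold is deliberately generous; compressed uploads such as images or archives also score high, which is why the check is scoped to script endpoints that normally receive short text bodies rather than applied to every POST.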
📜 History & Notable Incidents
Behinder emerged in 2019 on Chinese forums (e.g., AntSword, Godzilla) and quickly became a favored tool in cyberespionage campaigns. In 2020, the US CISA issued an alert (AA20-258A) linking Behinder to attacks targeting US government and defense contractors, often paired with exploits for CVE-2019-11510 (Pulse Secure VPN) and CVE-2019-19781 (Citrix ADC). In 2021, Mandiant reported that APT41 used Behinder in intrusions against healthcare and technology firms, leveraging it for lateral movement and data exfiltration. No significant law enforcement actions have been announced specifically against Behinder's developer due to its open-source nature.
🔍 Detection Indicators
Known file hashes for Behinder payloads include MD5: 4d7c8e6f2a1b3c5d9e0f8a7b6c5d4e3f (JSP variant) and SHA256: 8a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p7q8r9s0t1u2v3w4x5y6z7a8b9c0d (common PHP shell). Network IOCs include repeated HTTP POST requests to suspicious URI paths (e.g., /behinder.jsp, /wp-content/upgrade/) with encrypted payloads containing "Behinder" or "godzilla" in decoded packets. Behavioral signatures involve anomalous process execution from web server service accounts (e.g., w3wp.exe spawning cmd.exe). User-Agent strings observed include "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36" (randomized).
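Turning the indicators above into checks a SOC can run, as an added example that is not from the original page: (1) an IoC loader that accepts only well-formed hex digests; as printed above, the MD5 is a valid 32-character digest, but the SHA256 string is 60 characters long and contains letters outside 0-9a-f, so the loader rejects it instead of loading an indicator that could never match a file; (2) a process-lineage check for a web server worker directly spawning a shell; (3) a count of repeated referer-less POSTs to script paths in a combined-format access log. All telemetry below is constructed, and the web-worker and shell name sets are assumptions.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# --- 1. IoC hygiene: accept only well-formed hex digests -------------------
# The two hash strings are copied verbatim from the indicator list above.
PAGE_IOCS = {
    "md5": ["4d7c8e6f2a1b3c5d9e0f8a7b6c5d4e3f"],
    "sha256": ["8a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p7q8r9s0t1u2v3w4x5y6z7a8b9c0d"],
}
DIGEST_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}


def validate_hashes(iocs):
    """Split IoCs into (accepted, rejected); a rejected digest can never match a real file."""
    accepted, rejected = defaultdict(set), []
    for algo, values in iocs.items():
        for value in values:
            v = value.strip().lower()
            if len(v) == DIGEST_LENGTHS[algo] and re.fullmatch(r"[0-9a-f]+", v):
                accepted[algo].add(v)
            else:
                rejected.append((algo, value))
    return dict(accepted), rejected


# --- 2. Process lineage: web server worker spawning a shell ----------------
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "php-cgi.exe", "tomcat9.exe"}  # assumption
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed endpoint telemetry: (host, parent_image, child_image, command_line)
PROCESS_EVENTS = [
    ("web01", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\inetsrv\w3wp.exe", "w3wp.exe -ap DefaultAppPool"),
    ("web01", r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ("web02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
]


def shell_from_web_worker(events):
    """Events where a web server worker is the direct parent of an interactive shell."""
    hits = []
    for host, parent, child, cmdline in events:
        parent_name = PureWindowsPath(parent).name
        child_name = PureWindowsPath(child).name
        if parent_name.lower() in WEB_WORKERS and child_name.lower() in SHELLS:
            hits.append((host, parent_name, child_name, cmdline))
    return hits


# --- 3. Access log: repeated POSTs to a script path with no referer -------
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SCRIPT_EXTENSIONS = (".jsp", ".jspx", ".aspx", ".ashx", ".php")

# Constructed access-log lines (combined log format), not a real capture.
ACCESS_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2024:10:15:03 +0000] "POST /wp-content/upgrade/index.php HTTP/1.1" 200 412 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
203.0.113.7 - - [12/Mar/2024:10:15:04 +0000] "POST /login.php HTTP/1.1" 302 0 "https://shop.example/login" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2024:10:15:09 +0000] "POST /wp-content/upgrade/index.php HTTP/1.1" 200 388 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
198.51.100.9 - - [12/Mar/2024:10:15:15 +0000] "POST /wp-content/upgrade/index.php HTTP/1.1" 200 1020 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""


def repeated_blind_posts(log_text, min_count=3):
    """(client, path) pairs with at least min_count referer-less POSTs to a script endpoint."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if (m["method"] == "POST" and m["referer"] == "-"
                and m["path"].lower().endswith(SCRIPT_EXTENSIONS)):
            counts[(m["ip"], m["path"])] += 1
    return sorted(k for k, n in counts.items() if n >= min_count)


if __name__ == "__main__":
    print("hash IoCs:", validate_hashes(PAGE_IOCS))
    print("shell from web worker:", shell_from_web_worker(PROCESS_EVENTS))
    print("repeated blind POSTs:", repeated_blind_posts(ACCESS_LOG))
```

The User-Agent string listed above is a stock Chrome 91 on Windows 10 value and is described as randomized, so it is not used as a match key here; the process-lineage and repeated-POST checks are the indicators that survive that randomization.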
☠️ Risk & Impact
Behinder enables adversaries to exfiltrate sensitive data (e.g., credentials, intellectual property, PII) and deploy additional malware, leading to financial losses averaging $2-5 million per incident (per IBM 2023 breach report). Affected sectors include government, defense, healthcare, and technology—any organization running vulnerable web applications. The tool's encryption and low detection rate allow attackers to maintain long-term, undetected access, often for months before discovery.
🛡️ Mitigation
Mitigation strategies include implementing web application firewalls (WAF) to block abnormal POST payloads, applying patches for known CVEs (e.g., CVE-2019-11510, CVE-2019-19781), and using endpoint detection and response (EDR) tools to monitor for webshell creation or anomalous process execution. Regularly audit web directories for unauthorized files and deploy YARA rules (e.g., rule "Behinder_JSP" scanning for specific AES key patterns) to detect hidden shells.
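One way to do the web-directory audit the paragraph recommends, as an added example that is not from the original page or any vendor tooling: snapshot a SHA-256 manifest of the web root while it is known-clean, then diff later snapshots and surface added or modified server-side scripts first, since those are the files the web server will execute. The directory layout, file names, and executable-extension list below are constructed for the example.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Extensions the web server will execute; a new or changed file with one of
# these is the highest-priority finding.  The list is an assumption for this example.
EXECUTABLE_EXTENSIONS = {".jsp", ".jspx", ".aspx", ".ashx", ".asmx", ".php", ".phtml"}


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large uploads do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(web_root) -> dict:
    """Map every file under web_root (POSIX-style relative path) to its SHA-256."""
    root = Path(web_root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Classify changes since the baseline; 'executable' lists added or modified server-side scripts."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(current) & set(baseline) if current[p] != baseline[p])
    executable = sorted(p for p in added + modified if Path(p).suffix.lower() in EXECUTABLE_EXTENSIONS)
    return {"added": added, "removed": removed, "modified": modified, "executable": executable}


def demo() -> dict:
    """Constructed scenario: snapshot a clean web root, then add a script, edit a page, delete an asset."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "WEB-INF").mkdir()
        (root / "index.jsp").write_text("<html>hello</html>\n")
        (root / "WEB-INF" / "web.xml").write_text("<web-app/>\n")
        (root / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
        baseline = build_manifest(root)
        # Changes that a later audit run should surface.
        (root / "WEB-INF" / "cache.jsp").write_text("<%-- constructed unexpected file --%>\n")
        (root / "index.jsp").write_text("<html>hello</html><!-- changed -->\n")
        (root / "logo.png").unlink()
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline manifest is stored off-host (an attacker who can write to the web root can also edit a manifest kept beside it) and regenerated only after a reviewed deployment, so that every diff maps to a known change.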
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information are the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.