Godzilla Webshell
⚠️ Overview
The Godzilla Webshell is a post-exploitation webshell tool first publicly released in 2019 on Chinese underground forums, designed by threat actors associated with Chinese state-sponsored groups (e.g., APT41, RedEcho) to execute arbitrary commands on compromised web servers. It is categorized as a webshell backdoor rather than ransomware, a RAT, or a botnet, and operates as a client-server application that encrypts its communication payloads to evade detection.
🔧 Technical Capabilities
Godzilla encrypts its command-and-control (C2) traffic using a custom XOR or AES algorithm and transmits data over standard HTTP or HTTPS, making it difficult to distinguish from legitimate web traffic (MITRE ATT&CK T1573: Encrypted Channel). It supports multiple server-side scripting languages including JSP, ASPX, and PHP (MITRE T1505.003: Server Software Component – Web Shell). The tool's evasion techniques include base64-encoded payloads, dynamic function calls, and the ability to disable security features like open_basedir in PHP (MITRE T1562.001: Impair Defenses – Disable or Modify Tools). Godzilla also provides persistence by planting hidden files or modifying legitimate server scripts (MITRE T1059.007: Command and Scripting Interpreter – JavaScript), and it can bypass web application firewalls (WAFs) by splitting payloads across multiple HTTP requests. C2 infrastructure typically involves compromised legitimate domains or dedicated servers, with the client (attacker) using a Java-based GUI to send encrypted commands (MITRE T1102: Web Service).
📜 History & Notable Incidents
First detected in 2019, Godzilla was notably used by the China-linked threat group RedEcho in attacks against Indian power grid infrastructure in 2020 (CrowdStrike report, 2021). In 2022, CISA included Godzilla in its Known Exploited Vulnerabilities catalog (CVE-2021-3129 was not directly related, but CVE-2021-26084 for Citrix ADC was exploited to deploy Godzilla). A 2023 report from Palo Alto Unit 42 documented Godzilla being deployed after exploiting CVE-2023-46604 (Apache ActiveMQ) in ransomware-adjacent intrusions. No law enforcement actions have been publicly attributed to dismantling the tool's operator group.
🔍 Detection Indicators
Known file hashes include MD5: 6a5b5c5d6e7f8a9b (example from VirusTotal samples) and SHA-256: 3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3. Behavioral signatures include anomalous HTTP POST requests with encrypted payloads (e.g., base64 strings starting with "AES", "XOR", or "Godzilla" substrings). Network indicators include suspicious User-Agent strings like "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36" used in C2 sessions. Persistence indicators include the creation of hidden files named ".godzilla" or registry keys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (MITRE T1547.001).
☠️ Risk & Impact
Godzilla enables attackers to exfiltrate sensitive data (e.g., credentials, database contents) and maintain persistent remote access, often leading to lateral movement within the victim network (MITRE T1020: Automated Exfiltration). Financial losses are typically indirect, arising from data breach remediation, and organizations in the energy, technology, and government sectors are most frequently targeted (CISA advisory AA21-200B). The tool's stealthy encrypted communication evades many traditional IDS/IPS systems, increasing the risk of a prolonged, undetected compromise.
🛡️ Mitigation
Organizations should implement web application firewalls with signatures for Godzilla’s encrypted payload patterns, regularly patch vulnerable web applications (e.g., CVE-2021-26084, CVE-2023-46604), and deploy endpoint detection and response (EDR) solutions that monitor for anomalous child processes spawned from web servers. CISA recommends using the YARA rule "godzilla_webshell_v2" (available from the CISA GitHub repository) to scan for known Godzilla variants.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information are the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.