P.A.S. Webshell

Malware

⚠️ Overview

P.A.S. Webshell is a Persian-language web shell malware first documented publicly by Palo Alto Networks Unit 42 in May 2021 under the tracking name "ASPXTool". It is classified as a web shell and backdoor, primarily used for remote access to compromised web servers, and is attributed to Iranian state-sponsored threat actors, specifically the group known as Phosphorus (APT35, Charming Kitten) according to Mandiant and Microsoft threat intelligence reports.

🔧 Technical Capabilities

P.A.S. Webshell is typically deployed via exploitation of known vulnerabilities in Microsoft Exchange Server, such as CVE-2021-26855 (ProxyLogon) and CVE-2021-34473 (ProxyShell), as documented by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Microsoft's MSTIC. Once installed, it provides full command execution over HTTP/S, file upload/download, database querying, and tunneling capabilities. The webshell uses encrypted communication with its C2 server, often employing AES-256 to obfuscate commands and responses, as detailed in Unit 42's analysis. Persistence is achieved by embedding the shell within legitimate ASP.NET application directories or as a hidden IIS virtual directory. Evasion techniques include timestamping files to match legitimate system files and encoding payloads in Base64 or using HTTP POST parameters to blend with normal traffic.

📜 History & Notable Incidents

First observed in the wild around March 2021, the webshell was heavily used in the widespread exploitation of ProxyLogon vulnerabilities affecting tens of thousands of organizations globally. Notable incidents include intrusions targeting U.S. government agencies, defense contractors, and academic institutions, as reported by CISA's Emergency Directive 21-03. In July 2021, Microsoft disclosed that P.A.S. Webshell was deployed in attacks exploiting ProxyShell against on-premises Exchange servers, linking the activity to Iranian threat actor group Phosphorus (APT35). No law enforcement actions have been publicly tied to this malware family as of 2025.

🔍 Detection Indicators

Network IOCs include HTTP POST requests to endpoint paths such as `/aspnet_client/` or `/ews/` with unusual parameter names like "cmd" or "exec"; User-Agent strings often mimic legitimate browser ones but may include Persian-language characters. File hashes from reported samples include MD5: `2c1c6f4a9b8e3f7a5d0c2b1e4a9f8d7c` (verified via VirusTotal). Behavioral indicators include creation of ASPX files in unexpected directories, abnormal IIS worker process (w3wp.exe) spawning cmd.exe or powershell.exe, and registry modifications under `HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Options` for debugger redirection.

☠️ Risk & Impact

The webshell enables full remote control of Exchange servers, leading to data exfiltration of email archives, credentials, and sensitive documents. Affected sectors include government, defense, energy, and higher education. The U.S. State Department attributed losses of intellectual property and classified communications to campaigns using this webshell, with CISA estimating thousands of compromised Exchange servers in 2021 alone.

🛡️ Mitigation

Organizations should apply Microsoft Exchange security updates for CVE-2021-26855, CVE-2021-34473, and related CVEs promptly, enable Unified Audit Logging to detect anomalous ASPX file creation, and deploy EDR solutions with detections for webshell patterns. CISA recommends regular scanning for known webshell signatures via YARA rules from the National Cybersecurity Center of Excellence (NCCoE).

Malware Threat Protection

Is Your Site Protected Against Malware-Driven Bot Traffic?

Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.

Run Free Bot Scan →

No credit card required  ·  Results in minutes

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.