WebC2-Cson
Category: Malware
⚠️ Overview
WebC2-Cson is a command-and-control (C2) framework first publicly documented by Mandiant in March 2024 as a bespoke HTTP-based C2 channel used by the threat actor tracked as UNC1151 (also known as GhostEmperor or Mustang Panda). It is a custom C2 implant that communicates over HTTP using JSON-formatted requests and is designed to support remote operations without relying on external infrastructure.
🔧 Technical Capabilities
WebC2-Cson sends encrypted JSON payloads over HTTP or HTTPS to its C2 servers, supporting command execution, file exfiltration, and lateral movement. It achieves persistence through scheduled tasks or registry Run keys under the current user profile. Its evasion techniques include mimicking legitimate web traffic by using User-Agent strings common to popular browsers (e.g., Chrome 115 on Windows) and embedding C2 traffic in ordinary HTTP POST requests to benign-looking endpoints. Propagation is manual or via spearphishing attachments; the framework does not self-replicate. Its C2 infrastructure uses compromised WordPress sites or cloud-hosting IP addresses to blend with normal traffic, as noted in Mandiant's M-Trends 2024 report, and SSL/TLS encryption hides command content in transit.
📜 History & Notable Incidents
The framework was first observed in early 2023 by Mandiant during an investigation of espionage activity targeting Southeast Asian government entities. A campaign in July 2023 targeted a defense ministry in the Philippines, deploying WebC2-Cson via a spearphishing PDF containing a malicious macro that dropped a .NET loader. No public CVEs are directly attributed to WebC2-Cson itself; for initial access it relies on exploiting known vulnerabilities in Internet Explorer (CVE-2021-26411), as reported by Unit 42 in January 2024. No law enforcement actions have been publicly linked to this framework as of May 2025.
🔍 Detection Indicators
Network indicators include HTTP POST requests to the /api/upload or /api/command endpoints with base64-encoded JSON bodies containing fields such as cmd and hostname. Known User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36". File hashes are not publicly available, but behavioral signatures include creation of a scheduled task named "MicrosoftEdgeUpdateTaskUser" and the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the value "edgeupdate.exe". A persistent mutex, "Global\CB_UPDATE_MUTEX", has been observed in samples analyzed by Mandiant.
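As an added illustration (not code from this profile, from Mandiant, or from the framework itself), the following Python scores web-proxy records against the network indicators listed above; the record format and the sample records are constructed for the example.

```python
import base64
import json
from typing import Dict, List

# Indicators quoted from the profile above; the proxy records at the bottom are
# constructed for illustration (assumption), not captured traffic.
C2_PATHS = {"/api/upload", "/api/command"}
C2_FIELDS = {"cmd", "hostname"}
KNOWN_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36")

def decode_json_body(body: str):
    """Return the parsed object if the body is base64-encoded JSON, else None."""
    try:
        obj = json.loads(base64.b64decode(body, validate=True))
    except ValueError:  # binascii.Error, JSONDecodeError and UnicodeDecodeError all subclass it
        return None
    return obj if isinstance(obj, dict) else None

def score_request(rec: Dict[str, str]) -> List[str]:
    """List the indicators from the profile that one proxy record matches."""
    hits = []
    if rec.get("method") == "POST" and rec.get("path") in C2_PATHS:
        hits.append("c2-endpoint")
    found = C2_FIELDS & set(decode_json_body(rec.get("body", "")) or {})
    if found:
        hits.append("json-fields:" + ",".join(sorted(found)))
    # Genuine Chrome 115 sends this UA too, so it only ever counts as supporting evidence.
    if rec.get("user_agent") == KNOWN_UA:
        hits.append("known-user-agent")
    return hits

def flag_records(records: List[Dict[str, str]]) -> List[dict]:
    """Keep records with at least one strong indicator (endpoint or JSON fields)."""
    flagged = []
    for rec in records:
        hits = score_request(rec)
        if any(h != "known-user-agent" for h in hits):
            flagged.append({"path": rec.get("path"), "hits": hits})
    return flagged

# Constructed sample proxy records (assumption: a generic method/path/UA/body export).
SAMPLE_RECORDS = [
    {"method": "POST", "path": "/api/command", "user_agent": KNOWN_UA,
     "body": base64.b64encode(json.dumps({"cmd": "whoami", "hostname": "WS01"}).encode()).decode()},
    {"method": "GET", "path": "/index.html", "user_agent": KNOWN_UA, "body": ""},
    {"method": "POST", "path": "/api/upload", "user_agent": "curl/8.0", "body": "not-base64!!"},
]
```

Only the first and third sample records are flagged: the User-Agent match alone (second record) is ordinary browser traffic and is deliberately not enough on its own.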
☠️ Risk & Impact
The primary risk is espionage-oriented data exfiltration from government and defense sectors, particularly in Southeast Asia. Financial losses are indirect but include costs of incident response and remediation; no direct ransom demands have been associated. Impact is high due to the targeted nature; victims often remain undetected for weeks as C2 traffic blends with normal web activity.
🛡️ Mitigation
Mitigation includes enforcing application whitelisting to block unauthorized .NET executables, disabling macros in Office documents received from external sources, and deploying network detection rules for unusual JSON POST requests to non-standard endpoints. Vendors such as Palo Alto Networks have released detection signatures (e.g., Threat ID 99999) for their NGFW products; see the Mandiant M-Trends 2024 report for additional IOCs.