Wednesday, May 7, 2025

Hackers Exploiting JSPSpy To Manage Malicious Webshell Networks


Cybersecurity researchers have recently identified a cluster of JSPSpy web shell servers featuring an unexpected addition, Filebroser, a rebranded version of the open-source File Browser file management tool.

This discovery sheds light on how attackers continue to leverage web shells for persistent access and post-compromise operations while blending into legitimate infrastructure.

JSPSpy With Webshell Infrastructure

JSPSpy, developed in Java and first observed in 2013, has been utilized by various threat actors, including the Lazarus Group, which reportedly targeted a research organization.


The web shell provides a graphical interface for remote access and file management, making it accessible even to inexperienced operators.

Recent analysis revealed four servers hosting JSPSpy across multiple providers in China and the United States.

JSPSpy login page hosted at learning.gensci-china[.]com.

These include CHINANET Jilin Province Network, Huawei Public Cloud Service Technologies, China Mobile Communications Corporation, and Multacom Corporation.

Most servers operate on port 80 to blend with legitimate HTTP traffic, though one instance in China uses port 8888.

Notably, one server (124.235.147[.]90) presents a DigiCert-issued TLS certificate for dgtmeta[.]com, first observed in September 2024 and still active as of March 2025.

Certificate data for *dgtmeta[.]com in Hunt

Further investigation uncovered a web-facing login panel labeled “filebroser” on two servers (124.235.147[.]90 and 74.48.175[.]44).

This panel operates on port 8001 and closely resembles the legitimate File Browser project, raising questions about its purpose and potential modifications.

Renamed File Browser login page.

The filebroser panel appears to be a slightly altered version of the open-source File Browser tool, with its name changed and the same favicon retained from the original project.

Internet scans for the login page titled “登录 – filebroser” (translated as “Login – filebroser”) yielded fewer than ten results, indicating limited deployment likely specific to a single operator.

Although it remains unclear whether filebroser functions identically to its open-source counterpart or has been modified for malicious purposes, its presence alongside JSPSpy suggests it may serve as an operational tool for threat actors.

Both tools share overlapping HTTP headers, such as the “Ohc-Cache-Hit” field containing random five-character strings, which can aid defenders in refining detection queries.

Legitimate File Browser login page.

Detection Strategies for Defenders

Identifying JSPSpy servers can be achieved through their consistent login page title (“JspSpy Codz By-Ninty”) or HTTP response headers like “Server: JSP3/2.0.14” and “Ohc-Cache-Hit.”

For large-scale searches, the five-letter value of that header can be matched with a regex such as \b[a-zA-Z]{5}\b; because a bare five-letter pattern also matches ordinary words anywhere in a response, anchor it to the header name (for example "Ohc-Cache-Hit: [a-zA-Z]{5}") so the match applies only to that field.

The overlap between JSPSpy and filebroser provides additional indicators for tracking malicious activity.

Combining weak signals such as page titles, HTTP headers, and response behaviors enables defenders to strengthen visibility into attacker infrastructure.
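The following script shows how the weak signals above (login page title, Server header, and a five-letter Ohc-Cache-Hit value) can be combined into a single scoring step over raw HTTP responses. It is an added example written for this page, not tooling from the article or from Hunt.io; the sample responses are constructed to mirror the indicators described here, not captured from the listed servers, and the decision to anchor the five-letter regex to the header name rather than using the bare pattern is this example's own choice.

```python
"""Score raw HTTP responses against the JSPSpy / filebroser indicators
described in the article.  Added example, not the article's or Hunt.io's
own tooling.  The sample responses below are constructed, not captured."""
import re
from html import unescape

# Indicators as stated in the article.
JSPSPY_TITLE = "JspSpy Codz By-Ninty"
JSPSPY_SERVER = "JSP3/2.0.14"
FILEBROSER_TITLE = "登录 – filebroser"  # "Login – filebroser"

# The article's bare \b[a-zA-Z]{5}\b matches any five-letter word; here the
# pattern is applied only to the Ohc-Cache-Hit value (assumption of this example).
OHC_VALUE_RE = re.compile(r"^[A-Za-z]{5}$")
TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.IGNORECASE | re.DOTALL)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (headers, body_text).

    Header names are folded to lowercase because HTTP header names are
    case-insensitive; the status line is skipped."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers, body.decode("utf-8", errors="replace")


def extract_title(body: str) -> str:
    """Return the HTML <title> text, or "" if there is none."""
    m = TITLE_RE.search(body)
    return unescape(m.group(1)).strip() if m else ""


def match_indicators(raw: bytes):
    """Return the list of indicator names the response matches, in a fixed order."""
    headers, body = parse_response(raw)
    title = extract_title(body)
    hits = []
    if title == JSPSPY_TITLE:
        hits.append("jspspy_title")
    if headers.get("server") == JSPSPY_SERVER:
        hits.append("jspspy_server_header")
    ohc = headers.get("ohc-cache-hit")
    if ohc is not None and OHC_VALUE_RE.match(ohc):
        hits.append("ohc_cache_hit_5alpha")
    if title == FILEBROSER_TITLE:
        hits.append("filebroser_title")
    return hits


def classify(raw: bytes) -> str:
    """Collapse indicator hits into a verdict.

    A title or Server-header hit is strong on its own; an Ohc-Cache-Hit
    value alone is only a weak signal that needs corroboration."""
    hits = match_indicators(raw)
    if "jspspy_title" in hits or "jspspy_server_header" in hits:
        return "jspspy"
    if "filebroser_title" in hits:
        return "filebroser"
    if hits:
        return "weak"
    return "none"


# Constructed sample responses (not real captures).
SAMPLES = {
    "jspspy": (
        b"HTTP/1.1 200 OK\r\n"
        b"Server: JSP3/2.0.14\r\n"
        b"Ohc-Cache-Hit: qwzpt\r\n"
        b"Content-Type: text/html\r\n\r\n"
        b"<html><head><title>JspSpy Codz By-Ninty</title></head><body></body></html>"
    ),
    "filebroser": (
        "HTTP/1.1 200 OK\r\n"
        "Ohc-Cache-Hit: Lkmqa\r\n"
        "Content-Type: text/html; charset=utf-8\r\n\r\n"
        "<html><head><title>登录 – filebroser</title></head><body></body></html>"
    ).encode("utf-8"),
    "weak": (
        b"HTTP/1.1 200 OK\r\n"
        b"Ohc-Cache-Hit: abcde\r\n\r\n"
        b"<html><head><title>Portal</title></head></html>"
    ),
    "benign": (
        b"HTTP/1.1 200 OK\r\n"
        b"Server: nginx\r\n\r\n"
        b"<html><head><title>Welcome</title></head></html>"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10s} -> {classify(raw):10s} {match_indicators(raw)}")
```

Run it over exported scan results (one raw response per entry) and treat "weak" verdicts as candidates to pivot on, not as confirmed web shells; the header-only overlap between JSPSpy and filebroser is useful for clustering but is not proof on its own.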

Web shells like JSPSpy remain a favored tool for cybercriminals due to their low footprint and ability to blend into legitimate environments.

Proactively monitoring these deployments is crucial for understanding attacker behavior and mitigating threats.

Indicators of Compromise (IOCs)

IP Address | ASN | Domain(s) | Location | Notes
124.235.147[.]90 | CHINANET Jilin province network | learning.gensci-china[.]com | China | JSPSpy: port 80; Filebroser: port 8001
113.45.180[.]224 | Huawei Cloud Service data center | N/A | China | JSPSpy: port 80
74.48.175[.]44 | Multacom Corporation | N/A | United States | JSPSpy: port 80; Filebroser: port 8001
22.176.159[.]209 | Henan Mobile Communications Co., Ltd | N/A | China | JSPSpy: port 8888

This development underscores the importance of layered detection strategies to counter evolving cyber threats effectively.


Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
