Cybersecurity researchers have identified a cluster of servers hosting JSPSpy, a Java-based webshell first observed in 2013, now being deployed alongside a rebranded file management tool. The webshell offers a graphical interface for remote access and file management, which makes it usable even by less experienced threat actors seeking to maintain persistent access to compromised networks. Despite its age, JSPSpy has recently been linked to sophisticated threat actors including the Lazarus Group, which reportedly deployed it against research organizations.

Analysts at Hunt.io identified four servers presenting the characteristic JSPSpy webpage title, and in doing so uncovered an unexpected addition to the attackers' toolkit: two of the four servers were hosting not only JSPSpy but also a tool labeled "filebroser", a slightly renamed version of the open-source File Browser project. The "filebroser" login interface keeps nearly all of the visual elements of the legitimate File Browser project, including the same favicon; the only notable difference is the modified name in the page title. Further port scanning found "filebroser" listening on port 8001 on two of the servers. The presence of both tools on the same infrastructure shows how threat actors continue to rely on webshells as low-footprint methods for maintaining persistent access.

The infrastructure spans multiple hosting providers across China and the United States, using a mix of cloud services and traditional ISPs for its command-and-control servers. Most instances serve the webshell on standard HTTP port 80, likely an attempt to blend with legitimate web traffic and evade detection based on unusual port activity.

One server of particular interest (124.235.147[.]90) hosted a TLS certificate issued by DigiCert for dgtmeta[.]com, first observed in September 2024 and still active as of March 2025. This server presented the JSPSpy interface on port 80, displaying the characteristic login page of the webshell. The domain associated with this server, learning.gensci-china[.]com, appears to be linked to a biopharmaceutical company in Jilin Province, China, though its connection to the webshell activity remains unclear.

The JSPSpy login page consistently displays "JspSpy Codz By-Ninety" as its title, which provides a straightforward detection opportunity. A more robust identification relies on the HTTP response headers, which typically include "Server: JSP3/2.0.14" and an "Ohc-Cache-Hit" field containing a random five-character alphabetical string. Because an operator can trivially edit the page title, the header pair is worth checking alongside the title rather than instead of it.
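The indicators above (the page title, the Server header and the five-letter Ohc-Cache-Hit value) can be turned into a small fingerprinting routine that runs over raw HTTP responses, for example ones pulled from a scanner or a proxy log. The following is an added example written for this page, not Hunt.io's tooling or any code from the JSPSpy or File Browser projects; the three sample responses are constructed to match the reported indicators, not real captures, and the "filebroser" title text is an assumption about how the rebranded page would look.

```python
"""Fingerprint raw HTTP responses for the JSPSpy and "filebroser" indicators
reported above. Added example; sample responses below are constructed."""
import re
from typing import Dict, List, Tuple

# Indicators reported for the JSPSpy login page and its HTTP responses.
JSPSPY_TITLE = "JspSpy Codz By-Ninety"
JSPSPY_SERVER = "JSP3/2.0.14"
OHC_CACHE_HIT_RE = re.compile(r"^[A-Za-z]{5}$")  # random five-letter value
TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.IGNORECASE | re.DOTALL)
# The rebranded File Browser reportedly differs from upstream only in the page title.
FILEBROSER_RE = re.compile(r"\bfilebroser\b", re.IGNORECASE)


def parse_response(raw: bytes) -> Tuple[int, Dict[str, List[str]], str]:
    """Split a raw HTTP/1.x response into (status, headers, body).

    Header names are lower-cased; repeated headers are kept as a list so a
    duplicated Server: line cannot mask the real one."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # tolerate a malformed header line rather than abort the scan
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body.decode("utf-8", errors="replace")


def page_title(body: str) -> str:
    """Return the <title> text with whitespace collapsed, or '' if absent."""
    m = TITLE_RE.search(body)
    return " ".join(m.group(1).split()) if m else ""


def fingerprint(raw: bytes) -> Dict[str, object]:
    """Classify one response as 'jspspy', 'filebroser' or 'none' and list the hits."""
    status, headers, body = parse_response(raw)
    title = page_title(body)
    hits: List[str] = []
    if title == JSPSPY_TITLE:
        hits.append("jspspy-title")
    if JSPSPY_SERVER in headers.get("server", []):
        hits.append("jspspy-server-header")
    if any(OHC_CACHE_HIT_RE.match(v) for v in headers.get("ohc-cache-hit", [])):
        hits.append("ohc-cache-hit-5alpha")
    if FILEBROSER_RE.search(title):
        hits.append("filebroser-title")

    # The title is trivially edited by an operator, so the header pair is an
    # independent second signal; the Ohc-Cache-Hit shape alone is too generic.
    if "jspspy-title" in hits or {"jspspy-server-header", "ohc-cache-hit-5alpha"} <= set(hits):
        verdict = "jspspy"
    elif "filebroser-title" in hits:
        verdict = "filebroser"
    else:
        verdict = "none"
    return {"status": status, "title": title, "indicators": hits, "verdict": verdict}


# Constructed sample responses (not real captures) shaped like the reported indicators.
SAMPLES = {
    "jspspy": (b"HTTP/1.1 200 OK\r\nServer: JSP3/2.0.14\r\nOhc-Cache-Hit: qwxzb\r\n"
               b"Content-Type: text/html\r\n\r\n"
               b"<html><head><title>JspSpy Codz By-Ninety</title></head>"
               b"<body><form method=post><input type=password name=o></form></body></html>"),
    "filebroser": (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                   b'<html><head><title>filebroser</title>'
                   b'<link rel="icon" href="/img/icons/favicon.ico"></head></html>'),
    "benign": (b"HTTP/1.1 200 OK\r\nServer: nginx\r\nOhc-Cache-Hit: abcde\r\n\r\n"
               b"<html><head><title>Welcome</title></head></html>"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, fingerprint(raw))
```

The benign sample deliberately carries a five-letter Ohc-Cache-Hit value to show why that header is only acted on together with the Server value; a response whose title has been changed but whose headers still read "Server: JSP3/2.0.14" plus a five-letter Ohc-Cache-Hit is still classified as JSPSpy.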
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 13 Mar 2025 09:00:08 +0000