{
	"id": "f35976fe-8241-4ebe-914a-4acc26755302",
	"created_at": "2026-04-10T03:21:16.04086Z",
	"updated_at": "2026-04-10T13:12:46.697021Z",
	"deleted_at": null,
	"sha1_hash": "25140d8a5430b0b35e506251815904979303bec5",
	"title": "Analyzing Attacks Against Microsoft Exchange Server With China Chopper Webshells",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 174267,
	"plain_text": "Analyzing Attacks Against Microsoft Exchange Server With China Chopper Webshells\r\nBy Jeff White\r\nPublished: 2021-03-08 · Archived: 2026-04-10 02:36:05 UTC\r\nThe Role of the China Chopper Webshell\r\nBy leveraging CVE-2021-27065, a post-authentication arbitrary file write vulnerability, an attacker is able to effectively inject code into an ASPX page for Exchange Offline Address Book (OAB). When this page is compiled with the injected webshell, the attacker can send other code and gain further access. The China Chopper webshell is a lightweight, one-line script that is observed being dropped in these attacks by the use of the PowerShell Set-OabVirtualDirectory cmdlet. This one-line webshell is relatively simple from the server perspective and has been observed in attacks since at least 2013, when FireEye reported on it.\r\nThe key detail here is that the China Chopper webshell is injected into a pre-existing OAB ASPX page that contains configuration information unrelated to the webshell. It’s been reported that there are thousands of compromises, and any on-premises Exchange Server that is exposed to the internet should assume it’s been scanned numerous times. Knowing this, and knowing that thousands of companies this week have begun the laborious chore of responding to these attacks within their infrastructure, it didn’t take long before these OAB files started popping up on VirusTotal (VT).\r\nTo identify the specific OAB configuration files we’re interested in, I created a small YARA rule to identify some of the observed templates for the China Chopper webshell as they exist within OAB configurations.\r\nrule webshell_chinachopper_oab\r\n{\r\n    meta:\r\n        author = \"Jeff White (Palo Alto Networks) @noottrak\"\r\n        date = \"02MAR2021\"\r\n        hash01 = \"e8ea17cd1de6d3389c792cce8c0ff1927a6386f0ef32ab0b097763de1f86ffc8\"\r\n        hash02 = \"34f9944a85ffba58f3fa60c5dc32da1ce6743dae261e1820ef6c419808757112\"\r\n        hash03 = \"55fbfab29f9d2c26f81f1ff901af838110d7f76acc81f14b791a8903aa8b8425\"\r\n        hash04 = \"6e75bbcdd22ec9df1c7796e381a83f88e3ae82f5698c6b31b64d8f11e9cfd867\"\r\n    strings:\r\n        // Detect OAB file\r\n        $OAB01 = \"ExternalUrl\" ascii // Contains webshell\r\n        $OAB02 = \"InternalUrl\" ascii\r\n        $OAB03 = \"ExchangeVersion\" ascii\r\n        $OAB04 = \"WhenChangedUTC\" ascii\r\n        // Detect injected Url variants\r\n        $HTTP01 = \"http://f/\" ascii nocase\r\n        $HTTP02 = \"http://g/\" ascii nocase\r\n        $HTTP03 = \"http://p/\" ascii nocase\r\n        // Detect ChinaChopper variants\r\n        $websh01 = \"\u003cscript language=\\\"JScript\\\"\" ascii nocase\r\n        $websh02 = \"\u003cscript language=\\\"c#\\\"\" ascii nocase\r\n        $websh03 = \"\u003cscript runat=\\\"server\\\"\" ascii nocase\r\n        // Detect webshell anchors\r\n        $cc01 = \"Request\" ascii nocase\r\n        $cc02 = \"Page_Load\" ascii nocase\r\n        // Detect injected pattern, no webshell\r\n        $non = /http:\\/\\/[a-z]\\/[a-z0-9]+/\r\n    condition:\r\n        (all of ($OAB*) and 1 of ($HTTP*) and 1 of ($websh*) and all of ($cc*))\r\n        or\r\n        (all of ($OAB*) and $non)\r\n}\r\nhttps://unit42.paloaltonetworks.com/china-chopper-webshell/\r\nPage 1 of 12\r\nFor reference, this is how the China Chopper webshell typically manifests itself within the OAB configurations – specifically in the ExternalUrl field.\r\nAdditional variants will be discussed throughout the document, but this is the most prevalent.\r\nAs of March 4, 2021, there are 81 unique matching samples uploaded to VT.\r\nAs FireEye documented in their 2013 analysis of this webshell, China Chopper is technically split into two parts: a client and a server. When the client engages with the server, in most variants, it provides a “key” to act as authentication before executing whatever code the attacker supplies.\r\nIn the above China Chopper example, the key is \"NO9BxmCXw0JE\". This provides us with a relatively unique identifier to compare to the other files. But why stop there?\r\nOAB Artifacts\r\nThe OAB configuration contains a wealth of information such as when the file was created, when it was last modified, the Exchange version and numerous other server-specific data points. These allow us to take a deeper look at the attacks from a new perspective and gain a better understanding of the attack campaigns involved.\r\nOn March 2, 2021, Volexity published their blog, “Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities,” which provided the first in-depth look at the attacks on Exchange Servers. However, we know that on Jan. 5, 2021, Twitter user @orange_8361 (Orange Tsai) tweeted that they had reported a pre-authenticated remote code execution (RCE) chain to a vendor. Microsoft credited this user in the slew of CVEs released to address the vulnerabilities. These two dates give us a frame of reference for analysis, as they mark the time from when Microsoft was notified to the first public disclosure of the attacks observed in the wild.\r\nLooking at the keys used overall in the China Chopper webshells, the list below provides a count of each unique value. Of note is a C# variant of this webshell that does not have a similar key, two variants that do not include a webshell at all but include a possible key, and one that is a Base64 encoded string of non-ASCII bytes.\r\n29 NO9BxmCXw0JE\r\n11 Ananas\r\n8 klk123456\r\n7 orange\r\n6 No Key - f34fji34r209ur29ur92ru\r\n4 p\r\n4 gttkomomo\r\n2 No Key - dsfg\r\n1 rxDg52fHL9GW\r\n1 q3v98mBat1zj\r\n1 passnew\r\n1 o\r\n1 fpm_admin\r\n1 Q4IDLjknOZJr\r\n1 FhsrvqjnYASe\r\n1 EiH4yV2WGYgc\r\n1 No Key - C#\r\n1 3d55db3b2f88ae47b24ae7796f0cd916\r\nAs noted, two “keys” did not contain a webshell at all, “f34fji34r209ur29ur92ru” and “dsfg”. Instead, we observed an injection of a value, which appears similar in nature to a key, but is missing the actual webshell code required to carry out further code execution. An example can be seen below and compared to the webshell above.\r\nWhen looking at some of the temporal data points, specifically the DateModified time of the OAB files, you will see that the usage of these “keys” predates all the other key usage by almost a full day. Since there is no webshell, these may have been test runs. In fact, they show overlap with other keys that later compromise the same server with full webshells.\r\nDateModified WebShellKey OriginatingServer\r\n2/27/2021 13:45:30 f34fji34r209ur29ur92ru NS1[...]net\r\n2/27/2021 16:20:49 f34fji34r209ur29ur92ru DC1[...]LOC\r\n2/27/2021 19:11:07 f34fji34r209ur29ur92ru FIT[...]cal\r\n2/28/2021 0:04:23 f34fji34r209ur29ur92ru V-T[...]com\r\n2/28/2021 1:41:07 f34fji34r209ur29ur92ru DC-[...]net\r\n2/28/2021 3:51:56 f34fji34r209ur29ur92ru MBD[...]org\r\n2/28/2021 10:15:00 NO9BxmCXw0JE DC[...]net\r\n2/28/2021 10:33:14 NO9BxmCXw0JE FIT[...]cal\r\n2/28/2021 10:36:44 orange JTA[...]cal\r\nThe NO9* key from above is the most prevalent thus far, judging by what’s currently available on VT. It has also been displayed in most of the research that has come out on this topic. This key shares a pattern with five other keys in the list. These are considered related due to their timing and unique usage of an exactly 12-character randomized alphanumeric string with mixed capitalization.\r\nNO9BxmCXw0JE\r\nrxDg52fHL9GW\r\nq3v98mBat1zj\r\nQ4IDLjknOZJr\r\nFhsrvqjnYASe\r\nEiH4yV2WGYgc\r\nWithin this grouping, only the NO9* and EiH* keys were observed in the OAB files with dates prior to the March 2 Volexity blog. It is also interesting to observe the clustering of dates and times when these unique OAB files documented their modification times, as highlighted in the table below.\r\nDateModified WebShellKey OriginatingServer\r\n2/28/2021 10:15:00 NO9BxmCXw0JE DC-[...]net\r\n2/28/2021 10:33:14 NO9BxmCXw0JE FIT[...]cal\r\n2/28/2021 10:44:24 NO9BxmCXw0JE NS1[...]net\r\n2/28/2021 11:01:52 NO9BxmCXw0JE DC2[...]LOC\r\n2/28/2021 11:03:12 EiH4yV2WGYgc DFC[...]com\r\n2/28/2021 12:44:40 NO9BxmCXw0JE WP-[...]cal\r\n2/28/2021 16:46:21 NO9BxmCXw0JE tcs[...]cal\r\n3/1/2021 6:29:17 NO9BxmCXw0JE mar[...]cal\r\n3/1/2021 7:40:44 NO9BxmCXw0JE cow[...]cal\r\n3/1/2021 12:01:14 NO9BxmCXw0JE MM1[...]pvt\r\n3/1/2021 12:16:38 NO9BxmCXw0JE NCR[...]cal\r\n3/1/2021 13:46:04 NO9BxmCXw0JE a-p[...]com\r\n3/1/2021 15:39:49 NO9BxmCXw0JE grr[...]cal\r\n3/1/2021 16:25:57 NO9BxmCXw0JE DC2[...]LOC\r\n3/1/2021 16:42:10 NO9BxmCXw0JE VCC[...]org\r\n3/1/2021 19:28:28 NO9BxmCXw0JE NS1[...]net\r\n3/1/2021 21:32:42 NO9BxmCXw0JE DC0[...]cal\r\n3/1/2021 21:53:34 NO9BxmCXw0JE thi[...]cal\r\nOn Feb. 28, 2021, and March 1, 2021, there are two distinct clusters of events – before public news about the vulnerabilities is released. Looking at the UTC timing of the events shows some compromises happening just minutes apart using both the NO9* and EiH* keys, further corroborating their relation to each other. The timing is also noteworthy because it shows very rapid deployment of these webshells throughout the day and night, indicating an automated approach to targeting. As more samples appear, a better picture of the timeline will emerge.\r\nContinuing to dig down into the data points for the six keys, we can extrapolate the targets based on their OriginatingServer values and deduce a wide range of businesses from investment banking, small car dealerships, water conservatories, industrial automation, law firms, hospitality and so on. The apparent randomness of targeted industries supports the idea that this is automated scanning that took advantage of opportunistic targets versus a coordinated effort to target specific industries or businesses.\r\nOne last piece of evidence in support of the idea of automated scanning: There are multiple OAB files with the same configurations but different modification times, thus creating unique hashes. Looking at two servers from the OriginatingServer data points, it can be noted below how they are compromised again at a later date with the exact same webshell and key, implying that systems the attackers have already compromised are not checked during their scanning and exploitation process.\r\nDateModified WebShellKey OriginatingServer\r\n3/1/2021 21:32:42 NO9BxmCXw0JE DC0[...]cal\r\n3/2/2021 16:57:12 NO9BxmCXw0JE DC0[...]cal\r\n2/28/2021 11:01:52 NO9BxmCXw0JE DC2[...]LOC\r\n3/1/2021 16:25:57 NO9BxmCXw0JE DC2[...]LOC\r\nPivoting to the keys which did not match the previously discussed pattern, we can see they start compromising the same servers as the other group of keys – but only after all of the research, CVEs and proofs-of-concept (PoCs) started to pop up, leading us to believe these are different clusters of actors behind the attacks.\r\nDateModified WebShellKey OriginatingServer\r\n3/1/2021 6:29:17 NO9BxmCXw0JE mar[...]cal\r\n3/2/2021 7:03:15 NO9BxmCXw0JE mar[...]cal\r\n3/3/2021 15:19:46 Ananas mar[...]cal\r\n2/28/2021 10:44:24 NO9BxmCXw0JE NS1[...]net\r\n3/1/2021 19:28:28 NO9BxmCXw0JE NS1[...]net\r\n3/3/2021 6:46:16 Q4IDLjknOZJr NS1[...]net\r\n3/3/2021 6:52:08 klk123456 NS1[...]net\r\nBefore moving on to the next section, let’s turn our attention to three curious keys that were observed prior to the Volexity publication that do not match the pattern observed for the NO9* key but have very similar timing. This, along with other data points, seems to indicate these were used as testing or non-automated manual attacks.\r\nThe first is the key “orange”. The first compromise observed with it in these publicly available OAB files is minutes before and after two surrounding compromises by the NO9* key on Feb. 28. This key also falls into the cluster of events on March 1, two hours before the previously discussed attacks.\r\n28FEB2021\r\nDateModified WebShellKey OriginatingServer\r\n2/28/2021 10:33:14 NO9BxmCXw0JE FIT[...]cal\r\n2/28/2021 10:36:44 orange JTA[...]cal\r\n2/28/2021 10:44:24 NO9BxmCXw0JE NS1[...]net\r\n01MAR2021\r\nDateModified WebShellKey OriginatingServer\r\n3/1/2021 4:25:25 orange Exc[...]CAL\r\n3/1/2021 6:29:17 NO9BxmCXw0JE mar[...]cal\r\n3/1/2021 7:40:44 NO9BxmCXw0JE cow[...]cal\r\nThe second and third keys are simply “o” and “p”. Besides standing out due to their shortness, they also use a different structure in their webshell and appear to have targeted a medical facility and something related to the Vietnamese government, both prior to any publication about the vulnerabilities.\r\nThe Microsoft blog on HAFNIUM displays a webshell dropped by HAFNIUM that also uses a parameter value of “p”, although it is a different structure. A screenshot of the webshell displayed there is transcribed below, along with an example of the one observed in an OAB file.\r\nNotable similarities exist in the Request.Form parameter value, “p”, and the usage of a single-letter character for the other values; however, this in and of itself does not necessarily confirm a HAFNIUM connection.\r\nLooking at the “o” and “p” keys found in the OAB files, they can be seen targeting the same systems days apart.\r\nDateModified WebShellKey OriginatingServer\r\n2/28/2021 11:57:01 o ad2[...].vn\r\n3/3/2021 7:58:20 p ad2[...].vn\r\nFurthermore, we can observe compromises by the cluster of six patterned keys and the “o” key happening fairly close in time to one another, alluding to a possible connection between them.\r\nDateModified WebShellKey OriginatingServer\r\n2/28/2021 11:03:12 AM EiH4yV2WGYgc DFC[...]com\r\n2/28/2021 11:57:01 AM o ad2[...].vn\r\n2/28/2021 12:44:40 PM NO9BxmCXw0JE WP-[...]cal\r\nTwo more keys stand out in terms of volume. Like the other keys that have been discussed, both “klk123456” and “Ananas” were observed in overlapping compromises, indicating automated scanning or the use of some type of list that has already been correlated from a scanning service.\r\nDateModified WebShellKey OriginatingServer\r\n3/3/2021 4:34:20 klk123456 Bed[...]com\r\n3/3/2021 6:52:08 klk123456 NS1[...]net\r\n3/3/2021 6:55:34 klk123456 Fil[...]cal\r\n3/3/2021 7:26:29 klk123456 mna[...]com\r\n3/3/2021 7:35:48 Ananas ric[...]org\r\n3/3/2021 7:45:40 Ananas ADA[...]cal\r\n3/3/2021 7:47:15 klk123456 PSL[...]cal\r\n3/3/2021 10:43:51 klk123456 CHG[...]SYS\r\n3/3/2021 11:02:09 klk123456 TRD[...]com\r\n3/3/2021 14:35:40 Ananas jus[...].nl\r\n3/3/2021 14:50:18 Ananas asi[...]com\r\n3/3/2021 14:51:13 Ananas Bed[...]com\r\n3/3/2021 15:19:46 Ananas mar[...]cal\r\n3/3/2021 16:16:21 Ananas V-T[...]com\r\n3/3/2021 16:40:03 Ananas FHM[...]org\r\nThese clusters of events are likely related to threat actors who were able to weaponize the public information extremely quickly and get a head start on attacking Exchange Servers before other actors could.\r\nAll the compromises with the other keys appear unrelated and occur after the patches, research and PoC code had become easily accessible.\r\nVariations in the China Chopper Webshell\r\nRecall the most prevalent China Chopper shell as observed in the OAB file.\r\nA Twitter user, @mickeyftnt, notified me that they found a variant using a different pattern from the “http://f/” that I had been watching stream into VT. This variant used “http://g/” and contained a space after the eval method call.\r\nMicrosoft states the ExternalUrl parameter “specifies the URL that’s used to connect to the virtual directory from outside the firewall,” so we can assume that, in a legitimate file, this is a resolvable domain but may require the “http” precursor to be accepted as a value for the injection to work. While this piece of the URL is moot and does not affect the operation, the use of “http://f/” is observed across the board in almost every one of the attacks. As such, the “http://g/” variable piqued my interest as another likely artifact worth taking note of, even though no additional patterns have been noticed outside what’s been discussed here already.\r\nAnother Twitter user, @krausedw, brought some samples to my attention that included breaking up the “unsafe” word in an attempt to bypass certain security measures and a C# sample that calls out the script language explicitly.\r\nJScript unsafe\r\nC#\r\nFinally, there are variants that use Base64 strings as the key.\r\nBase64\r\nConclusion\r\nBy leveraging the artifacts found within the OAB configurations, we are able to piece together a narrative around the activity based on analysis from just a small set of samples. It seems clear that there are numerous clusters of groups leveraging these vulnerabilities, the groups are using mass scanning or services that allow them to independently target the same systems, and finally there are multiple variations of the code being dropped, which may be indicative of iterations to the attack. As more information and files become available, this analysis may have to be revisited, but for now, there are a sufficient number of connections that allow us to understand the how, the when and the frequency of attacks, along with clustering of events.\r\nSource: https://unit42.paloaltonetworks.com/china-chopper-webshell/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/china-chopper-webshell/"
	],
	"report_names": [
		"china-chopper-webshell"
	],
	"threat_actors": [],
	"ts_created_at": 1775791276,
	"ts_updated_at": 1775826766,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/25140d8a5430b0b35e506251815904979303bec5.pdf",
		"text": "https://archive.orkl.eu/25140d8a5430b0b35e506251815904979303bec5.txt",
		"img": "https://archive.orkl.eu/25140d8a5430b0b35e506251815904979303bec5.jpg"
	}
}