{
	"id": "ae44f813-f906-4d5d-bd0e-7bb73d1937af",
	"created_at": "2026-04-06T00:12:02.359845Z",
	"updated_at": "2026-04-10T03:22:39.45307Z",
	"deleted_at": null,
	"sha1_hash": "9c27486beacf98949307ffe40b6a3e65d146b0ea",
	"title": "A Tale of Two Shells",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2367650,
	"plain_text": "A Tale of Two Shells\r\nPublished: 2022-02-18 · Archived: 2026-04-05 18:43:16 UTC\r\nAlthough not utilized in attacks for initial access, web shells remain a go-to for all sorts of attackers, from cyber\r\ncriminals to APT’s when it comes to post-exploitation.\r\nThe server-side component of a web shell can be as short as one line of code, commonly in PHP. The China\r\nChopper web shell has long been utilized post exploit to blend in network traffic, providing the attacker full\r\ncommand prompt access to move around the network.\r\nNot knowing much about web shells or their functions, I decided to dig into a few possibly lesser-known web\r\nshells that may well overtake China Chopper someday in popularity.\r\nEach program discussed in this post was downloaded and run in my home lab against a Windows Server 2019\r\nrunning an IIS server.\r\nIn no particular order, the web shells discussed below:\r\nRebeyond Behinder Web Shell v3.0.11\r\nrebeyond-Mode v.3.2.7\r\nRecent Sightings\r\nRecently, Avast identified an unknown threat actor uploaded the Behinder Web Shell (discussed more below) in an\r\nintrusion against computer systems belonging to the National Games of China.\r\nMandiant and Palo Alto’s Unit42 have also reported on Behinder and Godzilla web shells deployed upon initial\r\naccess in high-profile intrusions such as SonicWall, and ProxyShell.\r\nRebeyond Behinder Web Shell\r\nAlso referred to as Ice Scorpion, Behinder is publicly available and maintained by GitHub user rebeyond.\r\nBehinder is compatible with Windows, Linux, and MacOS operating systems.\r\nUpon running the shell, a similar client is opened with a few options to get started. 
Figure 1 shows the Behinder GUI with a successfully connected web shell listed.\r\nhttps://cyberandramen.net/2022/02/18/a-tale-of-two-shells/\r\nPage 1 of 11\n\nFigure 1: Behinder GUI with one successful victim connection\r\nThe client is written in Java and ships as a JAR file alongside server-side shells written in JSP, PHP, ASP, and ASPX (C#).\r\nFigure 2: PHP shell, Behinder (left), Avast GitHub (right)\r\nIn Avast’s reporting, the attackers used the default PHP web shell unmodified. Figure 2 compares the Behinder PHP shell (left) with the PHP shell recovered by Avast (right).\r\nBehinder encrypts its traffic with a hardcoded key: the first 16 hex characters of the MD5 hash of the default connection password, rebeyond.\r\nThe key can be changed before deploying the shell, but as the Avast sample shows, the defaults are sometimes good enough for an attacker.\r\nCapabilities\r\nOnce the shell is connected, a second window opens providing the attacker with a range of commands and plugins.\r\nBehinder provides:\r\nvirtual terminal for command execution\r\nfile manager (upload, download and deletion)\r\ncustom shells for additional persistence\r\nsupport for Meterpreter and Cobalt Strike\r\nin-memory web shell injection\r\nFigure 3: Basic PHP Info\r\nFigure 4: Support for Meterpreter \u0026 Cobalt Strike\r\nFigure 5: File Manager\r\nThe Code Behind The Shell\r\nI could spend this whole post on the capabilities and options present in the GUI, but that isn’t much fun or informative.\r\nWhat caught my eye was the in-memory web shell referred to as MemShell (Figure 6), as well as an interesting variable seen throughout the code named “antiAgent.”\r\nFigure 6: MemShell injection window\r\nStarting from the title of the window in Figure 6, the MemShell option translates (thanks to Google Translate) to “Inject Memory Horse”; memory horse is the usual Chinese term for an in-memory web shell, one that lives only inside the running server process and has no file on disk.\r\nWorking down the window, the options are as follows:\r\ninjection type\r\ninjection path\r\nanti-detection\r\nThis memory horse injection method was added to Behinder in an April 2021 update.\r\nThe red text warns the attacker that using anti-detection will require a container restart before attempting injection again (if there is a more precise translation of the above, please reach out).\r\nFigure 7: Shellcode and in-memory functions\r\nThe try block in Figure 7 implements MemShell using classes and methods similar to those identified for the standard Behinder component. The repeated calls into java.lang.reflect let the code reach container-internal classes and fields that are not otherwise accessible, which is what allows the shell to be registered in memory rather than written to disk.\r\nFigure 8: Inject MemShell and antiAgent\r\nFigure 9: More antiAgent\r\nApart from the two images above, the antiAgent parameter is not used again until the doAgentShell method (Figure 10).\r\nFigure 10: doAgentShell method\r\nStarting at line 741, the code loops through operating systems and versions, and if the target is deemed to be a Linux system and the antiAgent option is set, the file /tmp/.jav_pid[CurrentPID] is deleted. That path (strictly, /tmp/.java_pid<pid>) is the Unix socket that HotSpot’s attach listener creates; the Java Attach API, and therefore agent-based memory shell scanners, use it to load an agent into a running JVM, so removing it is presumably what earns the option its name.\r\nRunning the web shell on a *nix system results in an error. The Java error is a known issue that has been open since June 2021. 
The anti-detection feature was first introduced in version 2 and may represent dead code the developer forgot to remove.\r\nNetwork Traffic\r\nCapturing the network traffic in my home lab gives a clean view of typical Behinder traffic, albeit from a much less noisy environment than a production network.\r\nThe encoded text seen in Figure 12 is the request body: the command, AES-encrypted under the hardcoded key derived from rebeyond and then base64-encoded, so anyone holding the default key can decrypt it.\r\nFigure 11: Packet capture of POST requests over port 80\r\nFigure 12: Behinder HTTP POST request with encoded data in the HTTP body\r\nFigure 13: Response from target\r\nrebeyond-Mode\r\nrebeyond-Mode, or “Modified Rebeyond”, is precisely what the name states. Actively maintained by GitHub user angels520 [2], much of this modified web shell is an exact copy of Behinder with a few added bells and whistles.\r\nFigure 14: rebeyond-Mode GitHub page\r\nAs you can see from Figure 14, except for some highlighting, the client GUI looks very similar to Behinder’s. 
The server-side payloads are also the same, even using the rebeyond hardcoded key.\r\nUnlike Behinder, rebeyond-Mode lets the attacker attach a decoy default page, referred to as a profile, which is served to a defender or anyone else who browses directly to the web shell (Figure 15).\r\nAdditional obfuscation of the commands can also be toggled on or off.\r\nFigure 15: rebeyond-Mode’s default profiles\r\nFigure 16: Default GitHub profile\r\nYou may have missed it in Figure 16, but near the middle left of the page is the placeholder text “##payload##”, evidently the spot where the shell code is inserted into the decoy page.\r\nrebeyond-Mode also offers the MemShell option for JSP and ASPX; however, I did not test that functionality.\r\nPacket captures for rebeyond-Mode were purposely left out, as the network traffic is nearly identical to Behinder’s.\r\nConclusion\r\nBehinder and rebeyond-Mode may not be as famous as China Chopper, TwoFace, or Godzilla; however, their frequent feature updates could soon see them surpass those post-exploitation tools.\r\nIf you made it this far, thank you for reading.\r\n
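The request body decoding described in the Network Traffic section can be reproduced offline. The Go program below is an added example written for this page, not code from the post or from the Behinder project. It derives the default key exactly as the post describes (the first 16 hex characters of the MD5 of rebeyond) and round-trips a constructed message through the two transforms the stock PHP shell uses. Two details are assumptions, flagged again in the comments because the post does not state them: the AES path is modelled on the PHP shell’s call to openssl_decrypt with cipher name AES128 and no IV, which I take to mean AES-128-CBC with an all-zero IV (PHP’s behaviour when no IV is supplied) and PKCS#7 padding, with base64 on the wire; the XOR path is the fallback the public shell.php takes when the openssl extension is missing, XORing byte i with key[(i+1) & 15]. The sample message is constructed, not taken from Figure 12. TryDefaultKey shows the triage use: a captured POST body that decrypts cleanly under the default key is a strong sign the unmodified shell is in use.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
)

// DeriveKey: first 16 hex chars of MD5(password), as the post describes.
// The default connection password is "rebeyond".
func DeriveKey(password string) []byte {
	sum := md5.Sum([]byte(password))
	return []byte(hex.EncodeToString(sum[:])[:16])
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("length is not a multiple of the block size")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("invalid padding byte")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("inconsistent padding")
		}
	}
	return b[:len(b)-n], nil
}

// EncryptAES models the PHP shell's openssl path. ASSUMPTION: PHP's "AES128"
// is AES-128-CBC, the IV is all zeros when none is supplied, PKCS#7 padding.
// The base64 text returned is what shows up in the HTTP POST body.
func EncryptAES(plain, key []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	padded := pkcs7Pad(plain)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(out, padded)
	return base64.StdEncoding.EncodeToString(out), nil
}

// DecryptAES reverses EncryptAES. A padding failure is the only signal that
// the key is wrong, so callers must also sanity-check the plaintext.
func DecryptAES(body string, key []byte) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(body)
	if err != nil {
		return nil, err
	}
	if len(raw) == 0 || len(raw)%aes.BlockSize != 0 {
		return nil, errors.New("body is not block-aligned AES output")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(raw))
	cipher.NewCBCDecrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(out, raw)
	return pkcs7Unpad(out)
}

// XORCodec models the no-openssl fallback of the public shell.php
// (ASSUMPTION, not stated in the post): byte i XOR key[(i+1)&15].
// XOR is its own inverse, so one function encodes and decodes.
func XORCodec(data, key []byte) []byte {
	out := make([]byte, len(data))
	for i := range data {
		out[i] = data[i] ^ key[(i+1)&15]
	}
	return out
}

// TryDefaultKey is the triage check: does a captured POST body decrypt
// cleanly under the stock key? Valid padding is a weak oracle (a wrong key
// passes about 1 time in 256), so read the plaintext before concluding.
func TryDefaultKey(body string) ([]byte, bool) {
	plain, err := DecryptAES(body, DeriveKey("rebeyond"))
	return plain, err == nil
}

func main() {
	key := DeriveKey("rebeyond")
	// Constructed sample message; not a real capture from Figure 12.
	body, _ := EncryptAES([]byte("constructed|phpinfo();"), key)
	plain, ok := TryDefaultKey(body)
	fmt.Printf("key=%s\nwire body=%s\ndefault key works=%v plaintext=%q\n", key, body, ok, plain)
	fmt.Printf("xor fallback body=%s\n", base64.StdEncoding.EncodeToString(XORCodec(plain, key)))
}
```

Valid padding alone is a weak oracle, so treat a hit as a prompt to read the recovered plaintext rather than as proof; and an operator who changed the connection password before deployment, which the post notes is possible, defeats the check entirely.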
I hope to create a part two of this article identifying possible detection ideas for both Behinder and rebeyond-Mode.\r\nReferences\r\n[1] https://github.com/rebeyond/Behinder\r\n[2] https://github.com/angels520/rebeyond-Mode\r\n[3] https://decoded.avast.io/janneduchal/analysis-of-attack-against-national-games-of-china-systems/\r\n[4] https://www.mandiant.com/resources/zero-day-exploits-in-sonicwall-email-security-lead-to-compromise\r\n[5] https://www.cyber.gov.au/sites/default/files/2020-12/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf\r\n[6] https://www.sangfor.com/en/info-center/blog-center/cyber-security/Behinder-v3-0-Analysis\r\nSource: https://cyberandramen.net/2022/02/18/a-tale-of-two-shells/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cyberandramen.net/2022/02/18/a-tale-of-two-shells/"
	],
	"report_names": [
		"a-tale-of-two-shells"
	],
	"threat_actors": [
		{
			"id": "08c8f238-1df5-4e75-b4d8-276ebead502d",
			"created_at": "2023-01-06T13:46:39.344081Z",
			"updated_at": "2026-04-10T02:00:03.294222Z",
			"deleted_at": null,
			"main_name": "Copy-Paste",
			"aliases": [],
			"source_name": "MISPGALAXY:Copy-Paste",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434322,
	"ts_updated_at": 1775791359,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9c27486beacf98949307ffe40b6a3e65d146b0ea.pdf",
		"text": "https://archive.orkl.eu/9c27486beacf98949307ffe40b6a3e65d146b0ea.txt",
		"img": "https://archive.orkl.eu/9c27486beacf98949307ffe40b6a3e65d146b0ea.jpg"
	}
}