Mallory
Malware. Used by 7 actors. Exploits 2 CVEs.

AntSword

AntSword is an open-source Chinese web shell and web shell management framework used to manage compromised web servers. The content describes it as freely available on GitHub and notably similar to the China Chopper web shell. It has been used to gain and maintain control of target servers, provide backdoor access, execute commands through a virtual terminal, support persistence, and facilitate lateral movement to additional hosts and SQL servers.

Observed infection and deployment vectors in the content include exploitation of internet-exposed or misconfigured web applications and servers. Reported examples include: abuse of an exposed phpMyAdmin interface, where attackers executed SQL commands and used MariaDB general query logging to write a PHP web shell that was later managed through AntSword; exploitation of vulnerable web servers; exploitation of Microsoft SharePoint CVE-2019-0604 to deploy an AntSword web shell variant; and attacks exploiting SharePoint flaws CVE-2025-49706 and CVE-2025-53770 to deploy web shells including ANTSWORD.
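The phpMyAdmin vector above depends on the database server's general query log being written to disk under a web-served path. As an added example (not code from this page or from any cited vendor), here is a small configuration audit that flags that state from the server's global variables; the web roots and the two sample variable sets are constructed assumptions, while the variable names (general_log, general_log_file, log_output, datadir) are real MariaDB/MySQL settings.

```python
import os
from typing import Dict, List

# Directories served by a web server. Assumed for this example; substitute
# the roots of the deployment being audited.
WEB_ROOTS = ["/var/www", "/srv/http", "/usr/share/phpmyadmin"]
SERVER_SIDE_EXTS = {".php", ".phtml", ".asp", ".aspx", ".jsp"}


def _under(path: str, root: str) -> bool:
    """True when path is root itself or lies beneath it."""
    path, root = os.path.normpath(path), os.path.normpath(root)
    return path == root or path.startswith(root + os.sep)


def audit_general_log(variables: Dict[str, str], web_roots: List[str] = WEB_ROOTS) -> List[str]:
    """Return findings for a server whose general query log could be abused for
    log poisoning. `variables` mirrors SHOW GLOBAL VARIABLES as a name->value dict."""
    findings: List[str] = []
    if variables.get("general_log", "OFF").upper() != "ON":
        return findings  # logging disabled: nothing reaches the filesystem
    if "FILE" not in variables.get("log_output", "FILE").upper():
        return findings  # TABLE-only or NONE output never writes a file
    log_file = variables.get("general_log_file", "")
    if not os.path.isabs(log_file):
        # Relative log paths resolve against datadir (server default behaviour).
        log_file = os.path.join(variables.get("datadir", "/var/lib/mysql"), log_file)
    for root in web_roots:
        if _under(log_file, root):
            findings.append(f"general_log_file {log_file} is inside web root {root}")
            break
    ext = os.path.splitext(log_file)[1].lower()
    if ext in SERVER_SIDE_EXTS:
        findings.append(f"general_log_file {log_file} has server-side script extension {ext}")
    return findings


# Constructed sample states (not taken from a real server).
HEALTHY = {"general_log": "OFF", "general_log_file": "mariadb.log",
           "log_output": "FILE", "datadir": "/var/lib/mysql"}
POISONED = {"general_log": "ON", "general_log_file": "/var/www/html/status.php",
            "log_output": "FILE", "datadir": "/var/lib/mysql"}
```

Both findings fire on the constructed POISONED state; a relative log file name that resolves inside datadir produces none.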

The content associates AntSword with multiple China-linked intrusion sets and campaigns. Huntress reported attackers using AntSword in a campaign that weaponized the Nezha monitoring tool and later deployed Ghost RAT, affecting more than 100 machines, primarily in Taiwan, Japan, South Korea, and Hong Kong. Unit 42 reported Chinese threat cluster CL-UNK-1068 used a variation of AntSword alongside GodZilla in long-running intrusions targeting aviation, energy, government, law enforcement, pharmaceutical, technology, and telecommunications organizations across South, Southeast, and East Asia; in those cases, the web shells were used for initial access, lateral movement, and theft of browser history, XLSX/CSV files, and database backups. AntSword is also cited in APT41 DUST activity for persistence, alongside BLUEBEAM, DUSTPAN, and BEACON, and in reporting on APT15 as one of several web shells used for backdoor access.

High-confidence behaviors and related details mentioned in the content include command execution via AntSword’s virtual terminal, use as a web shell for persistence and server control, and use in conjunction with other malware and tools such as Nezha, Ghost RAT, GodZilla, BLUEBEAM, DUSTPAN, BEACON, SQLULDR2, and PINEGROVE. Specific indicators directly mentioned include an AntSword web shell variant deployed as bitreeview.aspx in a SharePoint compromise, SHA256 15ecb6ac6c637b58b2114e6b21b5b18b0c9f5341ee74b428b70e17e64b7da55e, and a sample that executed Base64-decoded content from the HTTP POST parameter named Darr1R1ng via JScript eval.
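The traffic pattern described in the indicators above (a POST parameter carrying Base64 that the shell decodes and hands to eval) can be checked for in request logs or a WAF hook. As an added example (not code from this page or from any cited vendor), the function below decodes each form parameter and flags values that decode to script-like content; the two request bodies are constructed, and only the parameter name Darr1R1ng comes from the page.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlencode

# Tokens that, once a parameter value is Base64-decoded, point to server-side
# script or a shell spawn rather than ordinary form data.
SCRIPT_TOKENS = re.compile(
    rb"(eval\s*\(|Response\.Write|System\.Diagnostics|cmd(\.exe)?\s*/c|"
    rb"/bin/sh\s+-c|base64_decode\s*\(|<\?php)",
    re.IGNORECASE,
)

def decode_b64_candidate(value: str) -> Optional[bytes]:
    """Return decoded bytes when value is plausibly Base64, otherwise None."""
    v = value.strip()
    if len(v) < 16 or not re.fullmatch(r"[A-Za-z0-9+/=\s]+", v):
        return None
    try:
        return base64.b64decode(v)
    except (binascii.Error, ValueError):
        return None

def find_encoded_script(body: str) -> List[Dict[str, str]]:
    """Flag form parameters whose Base64-decoded value contains script tokens."""
    findings = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            decoded = decode_b64_candidate(value)
            if decoded is None:
                continue
            hit = SCRIPT_TOKENS.search(decoded)
            if hit:
                findings.append({"param": name, "token": hit.group(0).decode(errors="replace")})
    return findings

# Constructed request bodies (illustrative, not captured traffic). The parameter
# name Darr1R1ng is the indicator from the page; the encoded text is made up.
SAMPLES = {
    "benign_login": urlencode({"user": "alice", "pw": "correct horse battery staple"}),
    "encoded_eval": urlencode({"Darr1R1ng": base64.b64encode(
        b'eval(payload, "unsafe"); Response.Write("result")').decode()}),
}

def scan_samples(samples: Dict[str, str]) -> Dict[str, List[Dict[str, str]]]:
    # One findings list per sample body, keyed by sample name.
    return {name: find_encoded_script(body) for name, body in samples.items()}
```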


EXPLOITED CVES

Vulnerabilities exploited

2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

CVE-2019-0604: Microsoft SharePoint Remote Code Execution Vulnerability (exploited in the wild)

Observed unknown threat actors exploiting a vulnerability in SharePoint described in CVE-2019-0604 to install several webshells on the website of a Middle East government organization... publicly available exploit code suggests that CVE-2019-0604 is still a major attack vector. | "One of these webshells is the open source AntSword webshell freely available on Github, which is remarkably similar to the infamous China Chopper webshell."

via Palo Alto Networks Unit 42 blog (unit42.paloaltonetworks.com)

CVE-2026-1731: Pre-auth OS Command Injection RCE in BeyondTrust Remote Support and PRA

"...a signature trait of C2 tools like China Chopper or AntSword."

via Palo Alto Networks Unit 42 blog (unit42.paloaltonetworks.com)
THREAT ACTORS

Groups observed using it

7 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

suspected_chinese_threat_actors

Initial access facilitated by an internet-exposed phpMyAdmin panel enabled attackers to access the server SQL query interface and execute multiple SQL commands, resulting in the deployment of the ANTSWORD web shell.

via SC World (scworld.com)
china_nexus_apt

Huntress said Nezha was used in tandem with other families of malware and web shell management tools, such as Ghost RAT and AntSword. One of the first clues leading them to attribute the incident to Chinese actors was that, upon accessing the administrative interface of the compromised system, the hacker set the language to simplified Chinese. Minton added that even though Huntress stopped short of formally attributing the campaign to a specific Chinese threat actor, the use of Ghost RAT and AntSword was a clue because they both have been used before in activity publicly attributed to Chinese APT groups.

via The Record Media (therecord.media)
China-linked hackers (suspected)

Huntress reported attackers “gaining control of target servers via the AntSword web shell.”

via Bank Info Security (bankinfosecurity.com)
China-affiliated hackers

"...moved to issue commands via AntSword’s virtual terminal. AntSword is an open-source Chinese web shell management framework... to manage compromised web servers."

via CSO Online (csoonline.com)
Threat Group-3390

"One of these webshells is the open source AntSword webshell freely available on Github, which is remarkably similar to the infamous China Chopper webshell."

via Palo Alto Networks Unit 42 blog (unit42.paloaltonetworks.com)
Ke3chang

Web shells – AntSword, Behinder, China Chopper, Godzilla, giving the hackers backdoor access to the breached systems.

via Bleeping Computer (bleepingcomputer.com)
CL-UNK-1068

We observed the attackers deploying the GodZilla web shell, and a variation of AntSword

via ctoatncsc Substack (ctoatncsc.substack.com)
MITRE ATT&CK

Techniques & procedures

6 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1190 Exploit Public-Facing Application (evidence: 3)

"Misconfigured web servers have been exploited by CL-UNK-1068 to distribute the Godzilla and ANTSWORD webshells..."

Persistence

1 technique
T1505.003 Web Shell (evidence: 7)

The activity ... is characterized by the use of an unusual technique called log poisoning (aka log injection) to plant a web shell on a web server.

Discovery

1 technique
T1033 System Owner/User Discovery (evidence: 1)

The access afforded by the ANTSWORD web shell is then used to run the "whoami" command to determine the privileges of the web server

Command and Control

3 techniques
T1071.001 Web Protocols (evidence: 1)

"aggregates all incoming HTTP data sources (POST, GET and Cookie) to locate... 'ASS'... Base64-decodes... executes... echoing of DQo= ... delimiter"

T1105 Ingress Tool Transfer (evidence: 1)

The access afforded by the ANTSWORD web shell is then used to run the "whoami" command to determine the privileges of the web server and deliver the open-source Nezha agent

T1219 Remote Access Tools (evidence: 1)

The access afforded by the ANTSWORD web shell is then used to run the "whoami" command to determine the privileges of the web server and deliver the open-source Nezha agent, which can be used to remotely commandeer an infected host by connecting to an external server
