Mallory | Malware | Used by 5 actors | Exploits 7 CVEs

BEHINDER

Behinder is a publicly available web shell, commonly referenced as a JSP web shell, that provides remote backdoor access to compromised servers and lets operators execute commands on those systems. The public reporting cited on this page shows it being deployed after exploitation of internet-facing applications, including Atlassian Confluence and Cisco Catalyst SD-WAN Manager/Controller environments, and used for persistent access alongside other web shells such as Godzilla, neo-reGeorg, China Chopper, AntSword, and XenShell. In one Cisco Talos-tracked cluster active since at least March 10, 2026, a modified Behinder variant was deployed as "conf.jsp" and used Base64 encoding instead of the AES encryption commonly seen in other variants; another cluster deployed a Behinder variant as "sysinit.jsp". In Volexity's analysis of CVE-2022-26134 exploitation against Confluence, attackers installed BEHINDER on compromised servers, then used it to deploy China Chopper and a file-upload tool, dump Confluence user tables, write additional web shells, and alter access logs. The cited reporting also associates Behinder with multiple China-nexus or Asia-based intrusion sets and campaigns, including APT15, UNC5174/Houken, and TGR-STA-1030/UNC6619, as well as broader activity assessed as aligned with Chinese tooling and operator working hours. Observed targets and victim sectors in campaigns where Behinder was used include government, critical infrastructure, telecommunications, media, finance, transport, education, and foreign affairs organizations. Detection names mentioned in the cited reporting include the FireEye signatures FE_Webshell_JSP_BEHINDER_1, Webshell.JSP.BEHINDER, and Webshell.JSP.BEHINDER.MVX. Infrastructure and filenames directly tied to observed Behinder deployments in the cited reporting are 71.80.85[.]135 with conf.jsp and 212.83.162[.]37 with sysinit.jsp.


EXPLOITED CVES

Vulnerabilities exploited

7 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

7 CVES
CVE-2026-20128: Cisco Catalyst SD-WAN Manager DCA Credential Disclosure / Recoverable Password Storage (exploited in the wild)

Following their exploitation, the threat actor deployed a variant of the Behinder webshell under the filename “conf.jsp”.

via Talos Intelligence Blog (blog.talosintelligence.com)

CVE-2026-20122: Arbitrary File Overwrite in Cisco Catalyst SD-WAN Manager API (exploited in the wild)

Following their exploitation, the threat actor deployed a variant of the Behinder webshell under the filename “conf.jsp”.

via Talos Intelligence Blog (blog.talosintelligence.com)

CVE-2026-20133: Cisco Catalyst SD-WAN Manager Sensitive Information Disclosure (exploited in the wild)

Following their exploitation, the threat actor deployed a variant of the Behinder webshell under the filename “conf.jsp”.

via Talos Intelligence Blog (blog.talosintelligence.com)

CVE-2022-26134: Atlassian Confluence Server and Data Center OGNL Injection RCE (exploited in the wild)

In the breach analyzed by Volexity, threat actors installed BEHINDER, a JSP web shell that allows threat actors to execute commands on the compromised server remotely.

via BleepingComputer (bleepingcomputer.com)

CVE-2021-20023: Arbitrary File Read in SonicWall Email Security 10.0.9.x

Mandiant disclosed the vulnerability CVE-2021-20023 to SonicWall PSIRT on April 6, 2021... a patch became available April 19. To mitigate the three CVEs, Mandiant and SonicWall recommend upgrading Email Security to version 10.0.9.6173 (Windows) or 10.0.9.6177 (Hardware & ESXi Virtual Appliances).

via Mandiant Threat Intelligence (cloud.google.com)

CVE-2021-20021: Administrative Account Creation in SonicWall Email Security 10.0.9.x

Mandiant disclosed the vulnerabilities CVE-2021-20021 and CVE-2021-20022 to SonicWall PSIRT on March 26, 2021... a hotfix became available on April 9, 2021... To mitigate the three CVEs, Mandiant and SonicWall recommend upgrading Email Security to version 10.0.9.6173 (Windows) or 10.0.9.6177 (Hardware & ESXi Virtual Appliances).

via Mandiant Threat Intelligence (cloud.google.com)

CVE-2021-20022: Arbitrary File Upload in SonicWall Email Security 10.0.9.x

SonicWall has deployed Intrusion Prevention System (IPS) signatures... IPS Signature : 15520 WEB-ATTACKS SonicWall Email Security (CVE-2021-20022 Vulnerability) ... Mandiant disclosed the vulnerabilities CVE-2021-20021 and CVE-2021-20022... a hotfix became available on April 9, 2021.

via Mandiant Threat Intelligence (cloud.google.com)
THREAT ACTORS

Groups observed using it

5 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

UNC3569

Webshells • BEHINDER (available on GitHub)

via Virus Bulletin (virusbulletin.com)
UNC5174

Use of Chinese-documented tooling (e.g., Behinder, VShell), and operational activity aligned with China Standard Time (UTC+8).

via Wiz Cloud Threats (threats.wiz.io)
Ke3chang

Web shells – AntSword, Behinder, China Chopper, Godzilla, giving the hackers backdoor access to the breached systems.

via BleepingComputer (bleepingcomputer.com)
TGR-STA-1030

"...includes webshells such as Behinder, Godzilla, and Neo-reGeorg..."

via BleepingComputer (bleepingcomputer.com)
UNC2682

FireEye Malware File Scanning ... FE_Webshell_JSP_BEHINDER_1 ... Webshell.JSP.BEHINDER ... Webshell.JSP.BEHINDER.MVX

via Mandiant Threat Intelligence (cloud.google.com)
MITRE ATT&CK

Techniques & procedures

7 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1190 Exploit Public-Facing Application (evidence: 2)

These clusters have been exploiting the CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 chain since early March 2026, following the publication of proof-of-concept code by ZeroZenX Labs.

Execution

2 techniques
T1059 Command and Scripting Interpreter (evidence: 2)

The tools deployed by these clusters range from webshells (Godzilla, Behinder, XenShell) and red team frameworks (AdaptixC2, Sliver) to cryptocurrency miners (XMRig) and credential stealers targeting admin hashes, JWT tokens and AWS credentials.

T1059.004 Unix Shell (evidence: 2)

The activity has been found to leverage publicly available proof-of-concept exploit code to deploy web shells on hacked systems, allowing the operators to run arbitrary bash commands.

Persistence

1 technique
T1505.003 Web Shell (evidence: 8)

After successfully opening a connection to the portal server, the actor tries to install Cobalt Strike and webshells on that server.

Stealth

1 technique
T1070 Indicator Removal (evidence: 1)

"...and altered access logs to evade detection."

Lateral Movement

1 technique
T1210 Exploitation of Remote Services (evidence: 1)

Talos is also aware of the widespread in-the-wild active exploitation of three vulnerabilities in unpatched Cisco Catalyst SD-WAN Manager infrastructure (CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122) that, when chained together, can allow a remote unauthenticated attacker to gain access to the device.

Collection

1 technique
T1213 Data from Information Repositories (evidence: 1)

"...the threat actors dumped the user tables of the Confluence server..."

INDICATORS OF COMPROMISE

IOCs tracked for this family

2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network (2 tracked)

IPs, domains, and DNS infrastructure linked to this family.

Type    Value                                   Latest sighting
ip.v4   (value withheld on the public page)     17 days ago
ip.v4   (value withheld on the public page)     17 days ago