Lemurloot
LEMURLOOT is a custom web shell designed specifically for Progress MOVEit Transfer and deployed during the May 2023 mass exploitation of the MOVEit SQL injection vulnerability CVE-2023-34362. The activity is attributed to the CL0P extortion operation, also tracked as TA505, FIN11, and Snakefly. After exploitation of internet-facing MOVEit Transfer systems, attackers installed LEMURLOOT—often masquerading as legitimate MOVEit files such as human.aspx, with observed filenames including human2.aspx, _human2.aspx, and human2.aspx.lnk—to enable rapid data theft, in some cases within minutes of deployment.
The malware is described as a C# / ASP.NET web shell tailored to execute on MOVEit Transfer servers. It authenticates incoming HTTPS requests using a password supplied in the X-siLock-Comment HTTP header; reporting describes this as a hard-coded value, specific to each sample, in 36-character GUID format. If the header is absent or the password is wrong, the shell returns HTTP 404, so a 404 from a request to the shell's path does not by itself show that the file is missing; on successful authentication it may include the response header X-siLock-Comment: comment. It parses operator commands from the HTTP headers X-siLock-Step1, X-siLock-Step2, and X-siLock-Step3.
Reported capabilities include downloading files from the MOVEit Transfer database, enumerating files and folders, retrieving records, extracting configuration and Azure Blob storage settings and credentials from MOVEit application settings, and returning stolen data gzip-compressed or in comfile format. LEMURLOOT can also manipulate users in the underlying MOVEit environment, including creating, inserting, or deleting a user; multiple reports note use of an account with LoginName and RealName set to "Health Check Service," including creation of a new administrator account with randomly generated credentials. The web shell connects to the SQL server using MOVEit configuration settings and was used to steal data from underlying MOVEit databases and potentially Azure-hosted storage associated with MOVEit.
The malware was observed on internet-facing MOVEit Transfer web applications across multiple sectors and geographies, including victims in the United States, Canada, and India, with additional evidence suggesting impact in Italy, Pakistan, and Germany. Public reporting links the broader campaign to high-value organizations globally, including government, banking, and other enterprises, as part of CL0P’s data-theft-and-extortion operations. High-confidence indicators and behaviors mentioned in the content include the X-siLock-Comment, X-siLock-Step1, X-siLock-Step2, and X-siLock-Step3 headers; masquerading filenames such as human2.aspx; association with requests to guestaccess.aspx and /moveitisapi/moveitisapi.dll during exploitation; and detection naming including JS.Malscript!g1.
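The request pattern above (password in X-siLock-Comment, commands in X-siLock-Step1..3, masquerading filenames, exploitation requests to guestaccess.aspx and moveitisapi.dll) can be turned into a hunt. The following is an added example, not code from the page or from any vendor report. It handles two inputs: captured request headers, where the X-siLock-* headers are visible, and IIS W3C log lines, which do not record custom headers, so there the hunt is on the masquerading filenames correlated with prior exploitation-endpoint requests from the same client IP. The log excerpt, header values and IP addresses are constructed; the W3C field layout is the standard IIS one.

```python
"""Hunt for LEMURLOOT request patterns. Added example; all sample data is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Headers LEMURLOOT reads: the password header and the three command headers.
SHELL_HEADERS = {"x-silock-comment", "x-silock-step1", "x-silock-step2", "x-silock-step3"}
# Observed masquerading filenames: human2.aspx, _human2.aspx, human2.aspx.lnk.
SHELL_FILE_RE = re.compile(r"(?:^|/)_?human2\.aspx(?:\.lnk)?$", re.IGNORECASE)
# Endpoints requested during exploitation of CVE-2023-34362. Legitimate clients use them
# too, so they are correlation context, not an indicator on their own.
EXPLOIT_PATHS = {"/guestaccess.aspx", "/moveitisapi/moveitisapi.dll"}


def classify_request(path, headers):
    """Reasons a single captured request (proxy or pcap) looks like shell traffic."""
    reasons = []
    found = sorted(h for h in headers if h.lower() in SHELL_HEADERS)
    if found:
        reasons.append("shell headers present: " + ", ".join(found))
    if SHELL_FILE_RE.search(path):
        reasons.append("masquerading filename: " + path)
    return reasons


def parse_w3c(lines):
    """Yield one dict per IIS W3C record, taking column names from the #Fields directive."""
    fields = None
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def hunt_w3c(lines, window=timedelta(hours=1)):
    """Per client IP: shell-filename hits, rated 'high' when the same client hit an
    exploitation endpoint within `window` before the shell request, else 'medium'."""
    by_ip = defaultdict(list)
    for rec in parse_w3c(lines):
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        by_ip[rec["c-ip"]].append((ts, rec["cs-method"], rec["cs-uri-stem"], rec["sc-status"]))
    findings = {}
    for ip, events in by_ip.items():
        exploit_ts = [t for t, _, p, _ in events if p.lower() in EXPLOIT_PATHS]
        shell_hits = [(t, m, p, s) for t, m, p, s in events if SHELL_FILE_RE.search(p)]
        if not shell_hits:
            continue
        chained = any(timedelta(0) <= t - e <= window
                      for e in exploit_ts for t, _, _, _ in shell_hits)
        findings[ip] = {
            "confidence": "high" if chained else "medium",
            # A 404 here is not proof the file is absent: LEMURLOOT itself answers 404
            # to requests that lack the correct X-siLock-Comment password.
            "shell_requests": [f"{t:%Y-%m-%d %H:%M:%S} {m} {p} -> {s}" for t, m, p, s in shell_hits],
        }
    return findings


# Constructed IIS log excerpt (not real victim data).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2023-05-28 03:12:07 10.0.0.5 POST /moveitisapi/moveitisapi.dll - 443 198.51.100.7 200
2023-05-28 03:12:09 10.0.0.5 POST /guestaccess.aspx - 443 198.51.100.7 200
2023-05-28 03:12:41 10.0.0.5 POST /human2.aspx - 443 198.51.100.7 200
2023-05-28 03:13:02 10.0.0.5 GET /human2.aspx - 443 198.51.100.7 404
2023-05-28 08:45:10 10.0.0.5 GET /human.aspx - 443 203.0.113.9 200
2023-05-28 09:00:00 10.0.0.5 GET /_human2.aspx - 443 203.0.113.44 200
""".splitlines()

# Constructed header set as a proxy or packet capture would show it; values are placeholders.
SAMPLE_HEADERS = {"Host": "moveit.example.com", "X-siLock-Comment": "placeholder-password",
                  "X-siLock-Step1": "placeholder"}

if __name__ == "__main__":
    print(classify_request("/human2.aspx", SAMPLE_HEADERS))
    for ip, finding in hunt_w3c(SAMPLE_LOG).items():
        print(ip, finding)
```

Two caveats when running this against real data: MOVeit's own API uses other X-siLock-* headers, so match the four shell headers by name rather than the prefix, and treat any request to a human2.aspx variant as a finding regardless of status code, since the shell's own 404 response to unauthenticated requests is indistinguishable in the log from a missing file.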
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
The original vulnerability (CVE-2023-34362) was patched on May 31... Prior to its patching, attackers linked to the Clop ransomware operation were already exploiting CVE-2023-34362 as a zero-day vulnerability. Proof-of-concept code for the exploit is now publicly available...
According to a joint advisory issued by the U.S. Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA), the attackers exploited the vulnerability to install a web shell called Lemurloot (JS.Malscript!g1) on affected systems. This was then used to steal data from underlying databases.
Groups observed using it
5 distinct threat actors attributed by public researchers.
In May 2023, a widespread SQL injection attack targeted MOVEit, a widely used file-transfer service. The attacks, attributed to the Russian-speaking cybercrime group Clop, compromised multiple global organizations... Attackers exploited a critical vulnerability, installing a custom webshell called "LemurLoot" to rapidly access and exfiltrate large volumes of data.
According to a joint advisory issued by the U.S. Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA), the attackers exploited the vulnerability to install a web shell called Lemurloot (JS.Malscript!g1) on affected systems. This was then used to steal data from underlying databases.
Attackers have exploited the SQLi vulnerability to deploy a custom ASP.NET web shell (LEMURLOOT) to achieve persistence on victim networks to allow for further attack.
Following exploitation of the vulnerability, the threat actors are deploying a newly discovered LEMURLOOT web shell with filenames that masquerade as human.aspx... LEMURLOOT provides functionality tailored to execute on a system running MOVEit Transfer software...
Techniques & procedures
14 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
Lemurloot was designed specifically to target the MOVEit Transfer platform... and can create, insert, or delete a particular user.
SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).
"The nature of the software affected means that attackers can exploit unpatched systems to mount a supply chain attack against multiple organizations."
Persistence
4 techniques
Lemurloot was designed specifically to target the MOVEit Transfer platform... and can create, insert, or delete a particular user.
"...otherwise it creates a new account with a randomly generated username and with LoginName and RealName values set to 'Health Check Service'. This account is inserted into an active MOVEit application session."
Attackers exploited a critical vulnerability, installing a custom webshell called "LemurLoot" to rapidly access and exfiltrate large volumes of data.
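The persistence account described above ('Health Check Service' in LoginName and/or RealName) is something to hunt for directly in the MOVEit Transfer database. The block below is an added example, not code from the page or from any vendor report: the `users` table name and the LoginName/RealName column names are assumed for illustration, the rows are constructed, and an in-memory SQLite database stands in for the real SQL Server instance. The query text is plain SQL that runs unchanged on SQL Server 2017 or later (TRIM was added there); on older versions replace TRIM with LTRIM(RTRIM(...)). Because an operator could pick a different RealName, the hunt also diffs the current account list against a pre-incident baseline export.

```python
"""Hunt the MOVEit Transfer user table for the LEMURLOOT-planted account.
Added example: table and column names are assumed; rows and baseline are constructed."""
import sqlite3

MARKER = "health check service"  # LoginName/RealName value reported for the planted account

HUNT_SQL = """
SELECT LoginName, RealName
FROM users
WHERE LOWER(TRIM(LoginName)) = ? OR LOWER(TRIM(RealName)) = ?
"""


def find_planted_accounts(conn, baseline_logins):
    """Return (LoginName, RealName, reasons) for accounts that match the reported
    marker or that are absent from a pre-incident baseline of LoginName values."""
    findings = {}
    for login, real in conn.execute(HUNT_SQL, (MARKER, MARKER)):
        findings.setdefault(login, (real, []))[1].append(
            "LoginName or RealName is 'Health Check Service'")
    for login, real in conn.execute("SELECT LoginName, RealName FROM users"):
        if login not in baseline_logins:
            findings.setdefault(login, (real, []))[1].append("not in pre-incident baseline")
    return [(login, real, reasons) for login, (real, reasons) in findings.items()]


def build_sample_db():
    """Constructed rows: two baseline accounts, one legitimate account created after the
    baseline, and two planted ones (one with a random-looking LoginName)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (LoginName TEXT PRIMARY KEY, RealName TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "Alice Example"),
        ("svc_backup", "Backup Service"),
        ("bob", "Bob Example"),
        ("Health Check Service", "Health Check Service"),
        ("a8f3c1d2e7b9", "Health Check Service"),
    ])
    return conn


# Constructed baseline: LoginName values exported before the exploitation window.
BASELINE_LOGINS = {"alice", "svc_backup"}

if __name__ == "__main__":
    for login, real, reasons in find_planted_accounts(build_sample_db(), BASELINE_LOGINS):
        print(f"{login!r} ({real!r}): {'; '.join(reasons)}")
```

An account that only trips the baseline check (like `bob` in the sample) needs human review against change records; an account that trips both checks should be treated as attacker-created, and the session it was inserted into should be invalidated along with the rest of the remediation.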
Privilege Escalation
2 techniques
Stealth
2 techniques
The webshell is disguised with filenames such as “human2.aspx” and “human2.aspx.lnk” in an attempt to masquerade as human.aspx, a legitimate component of the MOVEit Transfer service.
Credential Access
2 techniques
"It authenticates incoming HTTPS requests via a hard-coded password"
"LEMURLOOT can also steal Azure Storage Blob information, including credentials, from the MOVEit Transfer application settings... including the configured Azure Blob storage account, and its associated key and container."
Discovery
1 technique
Collection
2 techniques
SQL injection attacks allow attackers to ... allow the complete disclosure of all data on the system...
LEMURLOOT can also steal Azure Storage Blob information, including credentials, from the MOVEit Transfer application settings, suggesting that actors exploiting this vulnerability may be stealing files from Azure in cases where victims are storing appliance data in Azure Blob storage.
Command and Control
1 technique
"It authenticates incoming HTTPS requests via a hard-coded password; runs commands that will download files from the MOVEit Transfer database..."
Exfiltration
1 technique
When responding to a request, Lemurloot returns stolen data in a comfile format.
IOCs tracked for this family
110 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
7 sources tracked across advisories, community write-ups, and news.
A web shell designed specifically to target the MOVEit Transfer platform. It authenticates incoming HTTPS requests via a hard-coded password, downloads files from the MOVEit Transfer database, extracts Azure system settings, retrieves records, and can create, insert, or delete a particular user. It returns stolen data in a comfile format.
Custom ASP.NET web shell deployed after exploiting MOVEit Transfer/Cloud (CVE-2023-34362) to provide persistent access on compromised servers; observed as an .aspx web shell (e.g., 'human2.aspx') with password control via a custom HTTP header.
A custom webshell used in the MOVEit exploitation spree to steal data from victims’ MOVEit Transfer systems. It can also steal Azure Storage Blob information, including credentials, from MOVEit Transfer application settings, and was disguised with filenames such as "human2.aspx" and "human2.aspx.lnk" to resemble a legitimate component.
A custom webshell installed during the 2023 MOVEit exploitation campaign to enable rapid access and large-scale data exfiltration.