ASPXSpy
ASPXSpy is an ASPX web shell, also referred to as ASPXTool in some reporting, that has been deployed on Internet-accessible Microsoft IIS servers and other public-facing web infrastructure after the server has been compromised. It gives the operator follow-on command execution, including via cmd.exe, and has been observed alongside other web shells such as China Chopper, ANTAK, reGeorg, devilzshell, and Caterpillar.
The underlying reporting associates ASPXSpy with multiple threat actors and intrusion sets. Lebanese Cedar deployed ASPXSpy after compromising victim web servers through n-day vulnerabilities. Agrius used ASPXSpy web shells, including unique and base64-encoded variants, after exploiting public-facing applications; in some cases the actors hid ASPXSPY inside files labeled as "Certificate" text files. Agrius used it for command execution, for tunneling RDP through the deployed web shells, and as part of broader intrusions involving reconnaissance, lateral movement, credential theft, data staging, exfiltration, and subsequent wiping activity. APT39 used ASPXSpy and ANTAK after exploiting vulnerable web servers and also used stolen credentials against OWA. BRONZE UNION used a variant of ASPXSpy together with tools such as Sysupdate, PlugX, HttpBrowser, China Chopper, and OwaAuth. Threat Group-3390 used the ASPXTool version on IIS servers. HAFNIUM and Gelsemium-linked activity also included ASPXSpy web shells.
Observed infection vectors and deployment contexts in the content include exploitation of public-facing web servers, exploitation of n-day vulnerabilities, and compromise of vulnerable IIS/OWA infrastructure. In one Southeast Asian government intrusion cluster, attackers installed multiple web shells including ASPXSpy on a compromised web server and used them in support of intelligence collection from sensitive IIS servers.
The high-confidence behavioral details stated directly in the reporting are that ASPXSpy is a web shell used to keep access to compromised servers and to execute commands remotely. The reporting does not provide a standalone malware-specific IOC set, such as hashes or domains, for ASPXSpy itself.
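As an added example (not code from the original page or from Mallory), the detection logic a defender could run over process-creation telemetry to surface the behaviour described above: an IIS worker process launching cmd.exe or another interpreter on behalf of an HTTP request. The log layout, the sample events, and the parent/child process name lists are constructed assumptions.

```python
"""Added example: flag shell interpreters spawned by IIS worker processes, the
process pattern an ASPXSpy-style web shell produces when it runs cmd.exe.
Log format and sample events are constructed for illustration."""
import ntpath
from typing import Dict, Iterable, List

# Assumption: request-handling web server processes that should not launch a shell.
WEB_PARENTS = {"w3wp.exe", "httpd.exe", "php-cgi.exe"}
# Assumption: interpreters a web shell typically hands commands to.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe"}

# Constructed process-creation events, pipe-delimited:
# timestamp|parent_image|image|command_line
SAMPLE_EVENTS = """\
2024-01-10T09:12:01Z|C:\\Windows\\System32\\inetsrv\\w3wp.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c whoami
2024-01-10T09:12:05Z|C:\\Windows\\System32\\inetsrv\\w3wp.exe|C:\\Windows\\System32\\conhost.exe|conhost.exe 0x4
2024-01-10T09:13:44Z|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe
2024-01-10T09:15:00Z|C:\\Windows\\System32\\inetsrv\\W3WP.EXE|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -c hostname
"""


def parse_event(line: str) -> Dict[str, str]:
    """Split one pipe-delimited event into its named fields."""
    ts, parent, image, cmdline = line.split("|", 3)
    return {"ts": ts, "parent": parent, "image": image, "cmdline": cmdline}


def basename(path: str) -> str:
    """Case-insensitive file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def flag_webshell_spawns(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the events where a web server worker launched a shell interpreter."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = parse_event(raw)
        if basename(ev["parent"]) in WEB_PARENTS and basename(ev["image"]) in SHELL_CHILDREN:
            ev["reason"] = f"{basename(ev['parent'])} spawned {basename(ev['image'])}"
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in flag_webshell_spawns(SAMPLE_EVENTS.splitlines()):
        print(hit["ts"], hit["reason"], "->", hit["cmdline"])
```

The conhost.exe child of w3wp.exe and the explorer.exe-launched cmd.exe are left unflagged, so the rule only fires on the web-server-to-interpreter edge.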
Vulnerabilities exploited
1 CVE has been correlated with this family across public research and vendor advisories.
Although it is not difficult to use other off-the-shelf web shells with different extensions such as '.asmx' or '.svc' to use XML or JSON in the body, it would be more fun to use our old-fashioned ASPX web shells such as ASPXSpy.
Groups observed using it
4 distinct threat actors attributed by public researchers.
Initial access methods best observed have been centered around the compromise of victim web servers via n-day vulnerabilities for the deployment of webshells, including ASPXSpy, devilzshell, and Caterpillar.
As in previous attacks, the threat actors gained entry via public-facing web servers and the deployment of “unique variants of ASPXSPY” — a malicious script they hid inside “Certificate” text files.
BRONZE UNION maintains a high degree of operational flexibility... using tools such as Sysupdate, PlugX, HttpBrowser and webshells including China Chopper, OwaAuth and a variant of ASPXSpy.
Techniques & procedures
6 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
Execution (1 technique)
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
Persistence (1 technique)
Stealth (2 techniques)
Recent activity
9 sources tracked across advisories, community write-ups, and news.
A webshell deployed by Lebanese Cedar on compromised web servers after exploiting n-day vulnerabilities.
Publicly available ASPX web shell used for post-compromise interaction with IIS/web servers; noted as previously reported in an APT 27 operation but not attribution-significant here.
A malicious ASPX script/web shell variant used by the threat actors for initial access through public-facing web servers as part of the intrusion chain preceding ransomware deployment.
ASPXSpy is referenced as an ASPX web shell that can be deployed on compromised Microsoft Exchange servers to execute commands via a web-accessible shell.