Hackers Exploiting JSPSpy To Manage Malicious Webshell Networks


Cybersecurity researchers have recently identified a cluster of JSPSpy web shell servers featuring an unexpected addition, Filebroser, a rebranded version of the open-source File Browser file management tool.

This discovery sheds light on how attackers continue to leverage web shells for persistent access and post-compromise operations while blending into legitimate infrastructure.

JSPSpy With Webshell Infrastructure

JSPSpy, developed in Java and first observed in 2013, has been utilized by various threat actors, including the Lazarus Group, which reportedly targeted a research organization.

The web shell provides a graphical interface for remote access and file management, making it accessible even to inexperienced operators.

Recent analysis revealed four servers hosting JSPSpy across multiple providers in China and the United States.

JSPSpy login page hosted at learning.gensci-china[.]com.

These include CHINANET Jilin Province Network, Huawei Public Cloud Service Technologies, China Mobile Communications Corporation, and Multacom Corporation.

Most servers operate on port 80 to blend with legitimate HTTP traffic, though one instance in China uses port 8888.

Notably, one server (124.235.147[.]90) hosts a TLS certificate issued by DigiCert for dgtmeta[.]com, first observed in September 2024 and still active as of March 2025.

Certificate data for *dgtmeta[.]com in Hunt

Further investigation uncovered a web-facing login panel labeled “filebroser” on two servers (124.235.147[.]90 and 74.48.175[.]44).

This panel operates on port 8001 and closely resembles the legitimate File Browser project, raising questions about its purpose and potential modifications.

Renamed File Browser login page.

The filebroser panel appears to be a slightly altered version of the open-source File Browser tool, with its name changed and the same favicon retained from the original project.

Internet scans for the login page titled “登录 – filebroser” (translated as “Login – filebroser”) yielded fewer than ten results, indicating limited deployment likely specific to a single operator.

Although it remains unclear whether filebroser functions identically to its open-source counterpart or has been modified for malicious purposes, its presence alongside JSPSpy suggests it may serve as an operational tool for threat actors.

Both tools share overlapping HTTP headers, such as the “Ohc-Cache-Hit” field containing random five-character strings, which can aid defenders in refining detection queries.

Legitimate File Browser login page.

Detection Strategies for Defenders

Identifying JSPSpy servers can be achieved through their consistent login page title (“JspSpy Codz By-Ninty”) or HTTP response headers like “Server: JSP3/2.0.14” and “Ohc-Cache-Hit.”

For large-scale searches, the regex pattern \b[a-zA-Z]{5}\b (a word consisting of exactly five letters) can be applied to the Ohc-Cache-Hit header value to match these servers effectively.

The overlap between JSPSpy and filebroser provides additional indicators for tracking malicious activity.

Combining weak signals such as page titles, HTTP headers, and response behaviors enables defenders to strengthen visibility into attacker infrastructure.
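As an added illustration of combining those weak signals (not code from the article or from the researchers it cites), the following Python scores an HTTP response against the page title, Server header and Ohc-Cache-Hit indicators described above. The sample responses are constructed for the example, not captures from the listed servers.

```python
import re

# Indicators taken from the article; the header regex is the \b word-boundary form.
JSPSPY_TITLE = "JspSpy Codz By-Ninty"
FILEBROSER_TITLE = "登录 – filebroser"   # "Login – filebroser"
JSPSPY_SERVER = "JSP3/2.0.14"
OHC_CACHE_HIT_RE = re.compile(r"\b[a-zA-Z]{5}\b")
TITLE_RE = re.compile(r"<title>\s*(.*?)\s*</title>", re.IGNORECASE | re.DOTALL)


def parse_http_response(raw: str):
    """Split a raw HTTP/1.x response into a lower-cased header dict and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def score_response(raw: str) -> list:
    """Return the weak signals present; several together raise confidence."""
    headers, body = parse_http_response(raw)
    hits = []
    match = TITLE_RE.search(body)
    title = match.group(1) if match else ""
    if title == JSPSPY_TITLE:
        hits.append("title:jspspy")
    if title == FILEBROSER_TITLE:
        hits.append("title:filebroser")
    if headers.get("server") == JSPSPY_SERVER:
        hits.append("server:jsp3")
    if OHC_CACHE_HIT_RE.fullmatch(headers.get("ohc-cache-hit", "")):
        hits.append("header:ohc-cache-hit")
    return hits


# Constructed sample responses (assumed shapes, not captures from the article's servers).
SAMPLE_JSPSPY = (
    "HTTP/1.1 200 OK\r\nServer: JSP3/2.0.14\r\nOhc-Cache-Hit: qWeRt\r\n"
    "Content-Type: text/html\r\n\r\n<html><head><title>JspSpy Codz By-Ninty</title></head></html>"
)
SAMPLE_FILEBROSER = (
    "HTTP/1.1 200 OK\r\nOhc-Cache-Hit: Abcde\r\nContent-Type: text/html\r\n\r\n"
    "<html><head><title>登录 – filebroser</title></head></html>"
)
SAMPLE_BENIGN = (
    "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"
    "<html><head><title>Welcome</title></head></html>"
)

if __name__ == "__main__":
    for name, raw in (("jspspy", SAMPLE_JSPSPY), ("filebroser", SAMPLE_FILEBROSER), ("benign", SAMPLE_BENIGN)):
        print(name, score_response(raw))
```

Treat a single hit as a lead to verify rather than a verdict; the article's own point is that confidence comes from overlapping signals.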

Web shells like JSPSpy remain a favored tool for cybercriminals due to their low footprint and ability to blend into legitimate environments.

Proactively monitoring these deployments is crucial for understanding attacker behavior and mitigating threats.

Indicators of Compromise (IOCs)

IP Address         ASN                                   Domain(s)                    Location       Notes
124.235.147[.]90   CHINANET Jilin province network       learning.gensci-china[.]com  China          JSPSpy: Port 80; Filebroser: 8001
113.45.180[.]224   Huawei Cloud Service data center      N/A                          China          JSPSpy: Port 80
74.48.175[.]44     Multacom Corporation                  N/A                          United States  JSPSpy: Port 80; Filebroser: 8001
22.176.159[.]209   Henan Mobile Communications Co., Ltd  N/A                          China          JSPSpy: Port 8888

This development underscores the importance of layered detection strategies to counter evolving cyber threats effectively.
