
Key Findings

  • The Howler Cell Reverse Engineering Team has uncovered a multi-infection backdoor chain linked to an active botnet operation. The perpetrator is using a botnet panel to distribute newly compromised websites to buyers, primarily Chinese threat actors. The sites were primarily compromised via misconfigured WordPress and cPanel instances.
  • We've identified one hacker as a student based in Bangladesh. Our team is in contact with the hacker, who claims he is selling access to the sites to pay for his education. This reflects a growing trend in cybercrime where freelancers quietly fuel a thriving underground economy reminiscent of some of the actors tied to Scattered Spider.
  • The student-hacker at the center of the operation uses a PHP-based webshell known as ‘Beima PHP’ that, as of the latest scans, has zero detections on VirusTotal. By writing attacker-supplied files into the web root it gives attackers full remote code execution on infected servers, lets them extract sensitive data, and enrolls the machines into a botnet.
  • The government and education sectors are the primary targets of this campaign, accounting for 76% of the compromised websites for sale. Access to these sites is priced at $200, while other sites sell for $3-$4. Against an average professional salary in Bangladesh of about $220 USD, this is a very lucrative operation for freelancers. Transactions are conducted on Telegram.
  • The encrypted command channel, JSON-based payload control, and live C2 panel show sophistication beyond typical freelance hacking activity, yet the actors involved have also built a decentralized, financially driven marketplace with a low barrier to entry.

Introduction: A Glimpse Into the Crowdsourced Cybercrime Economy  

This investigation began with a surprising discovery: a cybersecurity student in Bangladesh, aspiring to one day work as a red teamer defending networks, is currently selling access to hacked websites to pay for his education. His story offers a unique lens into a broader, decentralized cybercrime marketplace, one where freelancers across Asia quietly contribute to a growing underground economy.

In this campaign, the student acts as a supplier, selling compromised WordPress and cPanel sites to buyers, primarily threat actors based in China. These transactions, often conducted over Telegram and paid for in cryptocurrency, reflect a larger trend: the rise of crowdsourced cybercrime, where individuals with technical skills can earn money by participating in illicit digital trade.

At the center of the student’s specific operation is a PHP-based webshell that has had zero detections on VirusTotal for over a year. The tool allows attackers to remotely control infected servers, extract sensitive data, and use compromised machines as part of a botnet. The webshell, known as Beima, appears to have been used on 80 of the 5,200 observed websites currently for sale in the freelancer marketplace.

The risks go beyond stolen credentials or payment information. If an attacker gains access to a user account on a root domain server, they can potentially compromise all associated subdomains and linked domains. In cases involving government websites, the impact could be especially serious.

This report explores how a single student’s actions reflect a much larger ecosystem that is reshaping the way cybercrime is organized, distributed, and monetized across borders.

Summary

During a recent investigation, the Howler Cell Reverse Engineering Team uncovered a multi-infection backdoor chain linked to an active botnet operation. Through in-depth analysis and a controlled OSINT investigation, the team identified a hacker based in Bangladesh who claimed to be a student selling access to vulnerable websites. These sites were primarily compromised via misconfigured WordPress and cPanel instances.

The hacker used a botnet panel to distribute newly compromised websites to buyers, who he stated were primarily Chinese threat actors, for approximately $3 to $4 USD per site. The investigation also revealed that high-profile .EDU and .GOV websites sell for $200. While these amounts may sound trivial by western standards, the average professional salary in Bangladesh is $220 USD, which quickly makes this a very lucrative operation for the young student-hacker and other freelance attackers in the region.

For reference, our investigation revealed that over 5,200 compromised websites are currently for sale on Telegram. The regional breakdown shows that the majority are in Asia, but the campaign has a global spread.

Pie chart showing compromised website campaign by region. 72% Asia, 11% Europe, 8% South America, 4% Africa, 4% North America, 1% Oceania

Specific country breakdown shows a heavy focus on India and Indonesia with Brazil, Thailand, and the United States following.

World map with heatmap of compromised website campaign by country.

By industry, there is a clear preference for the education and government sectors, most likely because the $200 price point is far more attractive than $3-$4 for normal sites.

Bar chart with compromised website campaign by industry. 49% Education, 27% Government, 8% Nonprofit, 5% Technology, 4% Media, 4% eCommerce

It should be noted that Howler Cell did not verify that all the advertised websites were actually compromised. We have also not completed victim notifications and therefore will not publish specific compromised sites. However, notable sites for sale in the marketplace include globally prestigious universities, law enforcement, military, courts, and attorneys general. If they are all truly compromised, this campaign could prove to be quite impactful, depending on what the buyers (primarily from China, Indonesia, and Malaysia) choose to do with the sites.

Notably, the PHP backdoor used in these compromises remained fully undetected on VirusTotal from May 09, 2024, 14:24:22 UTC, through the latest scans in November 2025.

Key Findings from the College Hacker Campaign

  • The hacker sold access to vulnerable websites via Telegram channels.
  • Buyers uploaded a sophisticated PHP webshell (commonly named style.php) to vulnerable web servers.
  • The webshell accepts only RSA-encrypted commands, which it decrypts with a private key embedded in the script itself.
  • The webshell has remained undetected on VirusTotal since May 2024.
  • Multiple infected site packages were uploaded to VirusTotal, confirming widespread use. None were flagged as malicious by any engine.
  • Intelligence indicates that most active buyers and sellers are based in Indonesia, Malaysia, and China, with activity scattered across other parts of Asia.

The infection chain enables remote control, persistence, and data exfiltration. The backdoor, named Beima PHP Webshell, derives its name from doBeima, one of the main implant functions within the code.

Interview with the Freelance Student Hacker

This case highlights a growing underground market for low-cost web compromises, particularly targeting WordPress and cPanel infrastructures. Such infections feed larger, organized threat actor operations, demonstrating the need for better detection of encrypted command-based PHP webshells and continuous monitoring of botnet-driven exploitation campaigns.

During the investigation, we identified a college student operating within the underground botnet ecosystem, selling websites compromised via the observed backdoor.

Initially, the individual claimed the botnet panel was for personal file storage. However, when confronted with specific technical evidence, he disclosed additional information. Figures 1 and 2 illustrate the hacker’s use of the botnet panel, where he uploaded lists of vulnerable websites for sale to threat actors.

Figure 1 usage of botnet panel by the hacker

Screenshot of conversation with the hacker selling botnet binary

Figure 2 (cont.) Usage of botnet panel by the hacker

Screenshot of conversation with hacker selling botnet

Figure 3 depicts the communication flow between the hacker and buyers, showing non-government and non-education website sales for $3–$4 per site, with payments made in Bitcoin (BTC).

Figure 3 Buyer and seller communication

Screenshot of communication with hacker saying they are a student

In later discussions, the hacker disclosed details about the PHP-based backdoor webshell deployed by the buyers (Figure 4). Although he claimed no knowledge of its function, the Howler Cell team successfully extracted and analyzed the webshell for further technical review.

Figure 4 Extraction of PHP backdoor

Screenshot of conversation with hacker

Threat Actor Ecosystem Analysis

Investigation into the broader webshell trade ecosystem revealed that Telegram is the primary platform for coordination and exchange between hackers and buyers.

Figures 5 and 6 depict active communication channels where actors share proof of compromised servers and negotiate sales.

Intelligence analysis indicates that the majority of participants are from China, Indonesia, Malaysia, and Bangladesh, often college students or freelancers earning cryptocurrency (primarily BTC) through these transactions.

Although activity is centered in Asia, smaller clusters exist globally, forming a loosely connected, decentralized market driven by financial motivation and anonymity.

Figure 5 Webshell marketing in Telegram

Screenshot of Telegram showing active communication channels of buyers and sellers

Figure 6 Compromised webservers for sale in Telegram

Screenshot of compromised webservers for sale in Telegram

Figure 7 shows a sample list of vulnerable websites shared by the hackers, and Figure 8 shows how misconfiguration leaves these websites open to takeover.

Figure 7 Vulnerable websites shared by the hackers

Screenshot of vulnerable websites shared by hackers

Figure 8 Vulnerable websites due to misconfiguration

Screenshot of vulnerable websites due to misconfiguration

Technical Analysis of Beima PHP Webshell

This PHP backdoor script is a sophisticated webshell designed to provide remote control over a compromised web server, allowing an attacker to perform various malicious actions such as file manipulation, content injection, and file renaming. Below is a detailed technical analysis of how it works, its components, and its potential impact.

Core Characteristics

  • Processes encrypted HTTP requests and decrypts them using a hardcoded RSA private key.
  • Executes attacker-defined actions through parameter-based requests.
  • Supports multiple operations like file uploads, renaming, content injection, and index modification.
  • Uses JSON-based responses for communication with the attacker’s panel.

Error Handling

For error conditions the webshell returns a JSON object with a code (default 200400) and a message. Requesting the file directly, without a parameter encrypted to the embedded key, yields the default error:

{"code":200400,"msg":"param is empty","extras":[]}

The remaining error messages in the code indirectly reveal the backdoor’s functions, as shown in Figure 9.

Figure 9 Error handling messages

Screenshot of error handling messages

Utility Functions

getDirPathsByLevel($level)

  • Traverses directories starting from the web root ($_SERVER['DOCUMENT_ROOT']) up to a specified depth ($level, default 6).
  • Collects all subdirectories, excluding hidden ones (starting with .) and files.
  • Used to select a random directory for placing malicious files, making detection harder.

getUrl($url)

  • Performs an HTTP GET request using cURL with TLS certificate verification disabled and a 5-second timeout.
  • Used in the doLock function to verify a "lock" file’s execution.

getRemoteContent($url)

  • Fetches content from a remote URL using file_get_contents or cURL (as a fallback).
  • Used to retrieve malicious payloads from an attacker-controlled server.

copyfile($content, $localfile, $isAppend, $appendContent)

  • Writes content to a local file. If $isAppend is true, appends additional content.
  • Attempts to write using file_put_contents and falls back to fopen/fwrite if it fails.
  • Returns true if the file is created successfully, false otherwise.

updateFiletime($filepath)

  • Modifies the file’s creation and modification times to a random time between 6 months and a year ago.
  • Helps evade detection by making the file appear older and less suspicious.

Request Processing

  • Expects a base64-encoded, RSA-encrypted parameter (P) carried in the HTTP request.
  • Uses openssl_private_decrypt to decrypt it with a private key hardcoded in the script.
  • Requires the decrypted parameters server and iden, otherwise returns an error.
  • Because the private key ships inside every copy of the shell, the encryption only hides traffic from casual inspection; it does not authenticate the operator. The matching public key can be derived from the private key, so anyone holding a sample can issue valid commands to every deployed instance, and a responder can decrypt any captured P value with the same key.
  • Code example shown in Figure 10.

Figure 10 Request processing with private key

Screenshot of request processing with private key

Action Dispatching

Based on the iden value, the webshell calls one of the following functions:

  • beima: Deploys a malicious file to a random directory.
  • rename: Renames a file in the script’s directory.
  • index: Injects malicious content into the index file (e.g., index.php).
  • sub/htaccess: Creates or overwrites a file (e.g., .htaccess) with remote content.
  • lock: Creates a file, tests it, and deletes it to verify execution.
  • style: Similar to sub, but uses a domain-based file path.
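The request path and dispatch described in the two sections above, reconstructed as an added example for this article in POSIX shell with the openssl CLI (the same library that PHP's openssl_private_decrypt wraps); it is not the webshell's own code. It assumes the decrypted P value is a small JSON object carrying server and iden, uses a freshly generated key pair in place of the key hardcoded in the script, and the error text for an unknown iden is invented (only the 200400 "param is empty" response is taken from the sample). The point it makes: because the private key sits in the PHP file, the public key can be derived from it, so whoever holds a sample can drive every deployed copy, and a responder can decrypt captured P values with the same key.

```shell
#!/bin/sh
# Model of the Beima request path (added example, not the shell's own code).
# Assumption: the decrypted P parameter is JSON with "server" and "iden".
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the private key hardcoded inside the webshell.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/priv.pem" 2>/dev/null
# The public key is recoverable from the private key: anyone holding a copy
# of the PHP file can build valid commands for every deployed instance.
openssl pkey -in "$WORK/priv.pem" -pubout -out "$WORK/pub.pem" 2>/dev/null

# Panel side: encrypt the JSON command to the public key, base64 it (no wrapping).
build_p() {
    printf '%s' "$1" \
        | openssl pkeyutl -encrypt -pubin -inkey "$WORK/pub.pem" \
        | base64 | tr -d '\n'
}

# Webshell side: base64-decode, openssl_private_decrypt equivalent, validate,
# then dispatch on iden. Responses follow the {"code","msg","extras"} shape.
handle_request() {
    plain=$(printf '%s' "$1" | base64 -d 2>/dev/null \
        | openssl pkeyutl -decrypt -inkey "$WORK/priv.pem" 2>/dev/null) || plain=''
    if [ -z "$plain" ]; then
        printf '%s\n' '{"code":200400,"msg":"param is empty","extras":[]}'
        return
    fi
    server=$(printf '%s' "$plain" | sed -n 's/.*"server" *: *"\([^"]*\)".*/\1/p')
    iden=$(printf '%s' "$plain" | sed -n 's/.*"iden" *: *"\([^"]*\)".*/\1/p')
    if [ -z "$server" ] || [ -z "$iden" ]; then
        printf '%s\n' '{"code":200400,"msg":"param is empty","extras":[]}'
        return
    fi
    case "$iden" in
        beima|rename|index|sub|htaccess|lock|style)
            # A real instance would call doBeima/doRename/... here.
            printf '{"code":200,"msg":"%s accepted","extras":["%s"]}\n' "$iden" "$server" ;;
        *)
            # Error text assumed; the sample's other messages are in Figure 9.
            printf '%s\n' '{"code":200400,"msg":"unknown iden","extras":[]}' ;;
    esac
}
```

In live traffic the base64 is additionally URL-encoded when P travels in a query string, so strip that layer first. To decrypt real captured parameters, replace the generated key with the PEM block lifted from a recovered sample.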

Core Functions

Each function corresponds to an iden value and performs a specific malicious action, as broken down in Table 1.

Table 1 PHP backdoor core functions

Function | Required params | Behavior
doBeima | filename, shellfile, level (optional, default 6) | Selects a random directory from the traversal, downloads the JSON-wrapped payload from the C2 (shellfile), writes it to filename in that directory, and backdates the timestamp. Returns the path/URL on success.
doRename | sourcename, rename | Renames a file in the current directory if it exists; checks against the C2-derived path.
doIndex | shellfile | Downloads the JSON payload from the C2, prepends it to the existing index.php (or alternatives such as index.html), writes the result to /index.php, backdates the timestamp, and sets 0644 permissions.
doSub (also htaccess) | shellfile, filename | Downloads and writes the payload to root + filename (e.g., .htaccess), backdates the timestamp, and sets 0644 permissions.
doLock | filename, domain, shellfile | Downloads and writes the payload to root + filename, requests it via the domain URL to trigger the "lock", and deletes it if successful. Errors if the lock fails (e.g., "lock index.php error").
doStyle | shellfile, filename, domain | Similar to doSub, but uses domain + filename for the path (possibly a full URL).

The doBeima function in the PHP backdoor, shown in Figure 11, is the main component for establishing persistence or delivering additional payloads; it deploys a malicious file to a random directory on the compromised server.

  • Purpose: Downloads a malicious file from an attacker-controlled server and places it in a random directory up to a specified depth, backdating its timestamps to evade detection.

Figure 11 PHP backdoor doBeima function

Screenshot of PHP backdoor doBeima function

The PHP backdoor has had no VirusTotal detections since 2024-05-09 14:24:22 UTC, demonstrating its persistent evasion of security detection mechanisms.

Impact and Functions of the Uploaded Webshell

When we investigated how the attacker issued commands to the uploaded PHP webshell, we focused on the JSON payload structure. These payloads served as the attacker’s main instruction set. During our intelligence analysis, we identified multiple variants from the attacker’s repository. Each variant functions as an enumeration script designed to scan and extract sensitive information from targeted sites.

Key findings from the analysis include

  • Control Mechanism: The JSON payloads define how the attacker communicates with the PHP webshell and issue commands remotely.
  • Target Scope: The payload references the inputUrl field, which contains a list of vulnerable websites initially sourced by the attacker from freelance hackers.
  • Enumeration Behavior: Each payload probes target domains for high-value files and data, including:
    • Credentials and authentication keys
    • Cloud API tokens
    • Backup and configuration files
    • Environment and deployment settings
  • Botnet Functionality: Servers hosting the PHP webshell operated as bots, conducting distributed scanning and data collection.
  • Proxy Usage: Compromised hosts also acted as intermediate nodes, relaying enumeration results back to the attacker through a proxied channel.
  • Root Domain Server Compromise: If an attacker compromises the user page or account on the main root domain server, all associated subdomains and linked domains under that user’s account can also be affected. In cases involving government websites, the potential impact is significantly higher.

Sample payload variants used in these operations are illustrated in Figure 12.

Figure 12 JSON payload variants

Screenshot JSON payload variants

Command and Control

Our analysis uncovered several supporting resources linked to this campaign. However, a key objective was to identify and understand how the attacker controlled the PHP webshell through the JSON payloads, as this step completes the attack chain. To this end, Howler Cell successfully identified the attacker’s live command-and-control infrastructure, which remained active at the time of publication.

The C2 interface tool[.]zjtool[.]top, written in Chinese, displayed how the compromised websites communicated with it and how JSON payloads were used to issue bot commands. Each input field in the panel carries the same name as the corresponding iden/function in the PHP webshell. The command-and-control page is shown in Figure 13 and Figure 14 (translated) below.

Figure 13 Command and Control - Chinese

Screenshot of command and control page written in Chinese

Figure 14 Command and Control - Translated

Screenshot of command and control page translated to English

Investigation and Containment Steps for Beima Webshell

Take immediate containment actions if you suspect a compromise:

  • Take the impacted site offline or put it in maintenance mode.
  • Revoke all user and admin sessions and reset passwords for accounts with write access.
  • Isolate the host from the network, or restrict outbound connections to the destinations it actually requires. The webshell fetches every payload from the C2 over HTTP(S), so egress filtering breaks the doBeima/doIndex/doSub delivery path.
  • Rotate all credentials stored on the site, including API keys and database passwords.
  • Rebuild the web application from known-good sources where possible.
  • Replace any server-level account credentials and SSH keys that may have been exposed.
  • Update WordPress core, themes, and plugins to the latest versions. Remove unused plugins and themes.
  • Implement multifactor authentication for all admin accounts.
  • Web files should not be writable by the web server process except where the application requires it (for example, upload directories). Own them with a separate deploy account, readable by the web user, with 0644 for files and 0755 for directories. Every Beima action writes to or renames files under the web root, so this directly limits what the shell can do.
  • Preserve a forensic copy of the web root, logs, and database backups before changing files, for incident investigation.
  • Search the web root for the handler names and other strings from the code:
    • grep -RIn "doBeima\|doLock\|doStyle" /var/www 2>/dev/null
    • find /var/www -type f -name "*.php" -exec grep -HIn "iden" {} \; 2>/dev/null
    The second search also matches "hidden", "identity" and similar; if the noise is high, tighten it to the quoted form, e.g. grep -E "['\"]iden['\"]".
  • Check access logs for unusual POSTs or requests carrying large base64 blobs. If P is sent in a header or POST body, default access logs will not show it and you need full-request capture (WAF or audit logs). Requesting a suspect file directly should return {"code":200400,"msg":"param is empty","extras":[]}, a cheap confirmation.
  • Check DNS and egress logs for connections to the C2 domain tool.zjtool[.]top or similar.
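An added triage script for the file-search and log-review steps above, written for this article in POSIX shell with GNU find, grep and touch (it is not tooling from the report). The sample web root and access-log lines are constructed inline so it runs offline. The timestamp check rests on one fact about updateFiletime: PHP's touch() can rewrite mtime and atime, but ctime is set by the kernel on every inode change and cannot be backdated, so a PHP file whose mtime is months old while its ctime is recent has been tampered with. The 150-day/30-day windows and the 200-character threshold for a base64 query value are tuning assumptions.

```shell
#!/bin/sh
# Beima triage helpers (added example). Assumes GNU find/grep/touch on Linux.
set -e

# updateFiletime() backdates mtime to 6-12 months ago, but ctime still shows the
# real write: old mtime + recent ctime is the tell.
find_backdated_php() {
    find "$1" -type f -name '*.php' -mtime +150 -ctime -30
}

# Handler names from the Beima code plus the decrypt call every variant needs.
find_beima_strings() {
    grep -rlE 'do(Beima|Lock|Style)|openssl_private_decrypt' --include='*.php' "$1" || true
}

# Requests to a PHP file carrying a long base64-looking query value (the P
# parameter). Only catches P in the query string; a header or POST body needs
# full-request capture.
find_suspicious_requests() {
    grep -E '\.php\?[^ ]*=[A-Za-z0-9+/%=]{200,}' "$1" || true
}

# Constructed fixture: a benign file, a backdated backdoor, a three-line log.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/themes/demo"
    printf '<?php echo "hello";\n' > "$root/index.php"
    cat > "$root/wp-content/themes/demo/style.php" <<'EOF'
<?php
// constructed stand-in: only the strings matter for this check
function doBeima() {} function doLock() {} function doStyle() {}
openssl_private_decrypt($p, $out, $key);
EOF
    touch -d '250 days ago' "$root/wp-content/themes/demo/style.php"
    blob=$(printf '%300s' '' | tr ' ' 'A')
    cat > "$root/access.log" <<EOF
203.0.113.7 - - [07/Nov/2025:10:15:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [07/Nov/2025:10:15:07 +0000] "GET /wp-content/themes/demo/style.php?P=$blob HTTP/1.1" 200 61 "-" "python-requests/2.31"
203.0.113.7 - - [07/Nov/2025:10:16:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
    printf '%s\n' "$root"
}
```

Run the three finders against /var/www and the real access log; each prints only the hits, so empty output is a clean result for that check. The mtime/ctime window also catches files that updateFiletime touched on a later doIndex or doSub call, since every rewrite bumps ctime again.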

Unveiling the Underground Market and WebShell Compromises

Approximately 5,200 websites are currently for sale in the underground webshell market based on the available telemetry; the true number is likely higher. Figure 16 shows the distribution infographic of the webshell market.

  • Government and education sectors are the main targets of this campaign, accounting for a combined 76% (2,345) of the websites for sale. This is likely driven by the $200 price point, rather than the $3-$4 for other sites.
  • Telegram, an online messaging platform popular with threat actors, is the primary marketplace for the compromised websites.
  • The Beima PHP webshell used by this story’s student-hacker, still undetected on VirusTotal, was used on 80 of the compromised websites.
  • In 129 cases, the threat actor simply advertised misconfigured websites vulnerable to the webshell, offering the buyer the opportunity to conduct the exploitation themselves.
  • The primary location of the buyers is China, Indonesia, and Malaysia.

This reflects a robust underground market exploiting vulnerabilities and misconfigurations, particularly targeting valuable government and education sectors.

Figure 16 Distribution of underground webshell market

Bar chart showing a majority of sales are taking place on Telegram

Conclusion

The investigation into the Beima PHP Webshell campaign revealed a well-organized and evolving underground freelance ecosystem supporting the trade and operation of undetectable webshells across Asia. The use of encrypted command execution, JSON-based payload control, and a live C2 panel demonstrates a level of sophistication beyond typical freelance hacking activity.

This campaign also highlights how low-cost, misconfigured web infrastructure, particularly WordPress and cPanel environments, can be exploited to build scalable botnets or to steal users’ login credentials and financial information. By using Telegram for coordination and cryptocurrency for transactions, these actors have created a decentralized and financially driven marketplace that lowers the barrier to entry into cybercrime.

The involvement of young, freelance hackers, primarily from China, Indonesia, Malaysia, and Bangladesh, suggests a shift toward crowdsourced exploitation models where individual actors contribute to larger, coordinated threat operations for profit.

Appendix

SHA-256

1ee54a730b83296f5b24da22cac7644754b1b83365e5af7fb80fb9696ba063d7
c51e009f6d8a9283ce6ddf454b474b863b0f6bf66584092a7fb5940764e54222
898d2da350a1bfa7e6628092db68b768c1cfbfe3bd9dc643943789fdafe2d658

C2

hxxps://tool.zjtool[.]top/

Yara Rule

rule PHP_Webshell_Beima
{
    meta:
        description = "Detects Beima PHP web shell"
        author = "Cyderes RE Team"
        date = "2025-NOV-07"

    strings:
        // handler names for the beima, lock and style iden values
        $iden_strings1 = "doBeima"
        $iden_strings2 = "doLock"
        $iden_strings3 = "doStyle"

    condition:
        all of them
}
