
JSPSpy login page | Image: Hunt
Hunt researchers have recently uncovered a cluster of JSPSpy web shell servers with a surprising addition: a rebranded version of the open-source File Browser file management project, dubbed “Filebroser.” The discovery raises questions about the intentions behind this modification, with researchers noting, “The slight modification to its name raises questions about whether this was an intentional attempt to evade detection or simply a byproduct of customization.”
Web shells such as JSPSpy are commonly deployed on compromised servers by both advanced threat actors and cybercriminals. These tools let attackers maintain access, execute commands, and exfiltrate files while blending in with normal web traffic. The report highlights the capabilities of JSPSpy, stating, “The web shell features a graphical interface for remote access and file management, making it easy for even inexperienced operators to navigate compromised networks.”
The recent analysis by Hunt researchers identified four JSPSpy servers spanning multiple hosting providers across China and the United States. These servers utilize a mix of cloud services and traditional ISPs. Notably, most of the servers host JSPSpy on port 80, likely in an attempt to blend in with legitimate HTTP web traffic. However, one instance was observed operating on port 8888.
The discovery of ‘Filebroser’ alongside JSPSpy adds a second tool to track. Filebroser, a rebranded version of the File Browser project, presents a web-facing login panel that closely resembles the legitimate open-source tool. With very few instances of “Filebroser” found online, researchers suggest that it may be specific to a single operator. The report notes that while it is unclear whether this panel functions identically to the open-source version or has been modified, its placement alongside JSPSpy makes it worth closer examination.
Hunt researchers provide valuable insights into detecting JSPSpy and Filebroser activity. A straightforward way to identify JSPSpy servers is through their login page title, which typically displays “JspSpy Codz By-Ninty.” However, researchers caution against relying on this alone, as titles can be easily modified. They recommend the more reliable approach of tracking specific HTTP response headers, including the “Server” header and the “Ohc-Cache-Hit” field, whose value is a random five-character alphabetical string.
The “Ohc-Cache-Hit” field is also present in the Filebroser panel, providing another way to refine detection queries. “While this doesn’t confirm direct integration between the two, the overlap offers another way to refine our queries before we set out on a hunt,” the report states. The researchers emphasize that effective detection involves layering multiple weak signals to create a stronger defense. By combining HTTP headers, response behaviors, and contextual details like page titles, defenders can enhance their ability to identify JSPSpy deployments and related web-based tooling.
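The layered approach described in the two paragraphs above, as an added example that is not code from Hunt's report or from the JSPSpy or File Browser projects: it parses raw HTTP responses, checks the two signals the report names (the “JspSpy Codz By-Ninty” title and an “Ohc-Cache-Hit” header carrying a five-letter string), records the “Server” header for pivoting, and combines the hits into a verdict. The weights, threshold and verdict labels are my own assumption about how to layer the signals, and the sample responses are constructed, not captures from the servers in the report.

```python
import re

# Detection signals from the Hunt write-up summarised above:
#  - page title "JspSpy Codz By-Ninty" (weak: trivially edited by the operator)
#  - "Ohc-Cache-Hit" response header carrying a random five-letter string
#    (also seen on the Filebroser panel)
# The weights, threshold and verdict labels below are an assumption about how
# to layer the signals; they are not part of Hunt's report.
TITLE_RE = re.compile(r"<title>\s*JspSpy Codz By-Ninty\s*</title>", re.IGNORECASE)
OHC_VALUE_RE = re.compile(r"^[A-Za-z]{5}$")
TITLE_WEIGHT, OHC_WEIGHT, ALERT_THRESHOLD = 1, 2, 2


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status_line, headers, body).
    Header names are lower-cased so lookups are case-insensitive; a
    repeated header keeps its last value, which is enough for fingerprinting."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed header lines instead of raising
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def score_response(raw: str) -> dict:
    """Return the matched signals, a score and a verdict for one response."""
    status, headers, body = parse_response(raw)
    signals, score = [], 0
    if TITLE_RE.search(body):
        signals.append("title=JspSpy Codz By-Ninty")
        score += TITLE_WEIGHT
    ohc = headers.get("ohc-cache-hit")
    if ohc is not None and OHC_VALUE_RE.match(ohc):
        signals.append(f"ohc-cache-hit={ohc}")
        score += OHC_WEIGHT
    if score >= TITLE_WEIGHT + OHC_WEIGHT:
        verdict = "jspspy-likely"
    elif score >= ALERT_THRESHOLD:
        verdict = "review"    # header only: JSPSpy with an edited title, or Filebroser
    elif score > 0:
        verdict = "weak"      # title only: could be a copy, a honeypot or a decoy
    else:
        verdict = "no-match"
    return {
        "status": status,
        "server": headers.get("server"),  # recorded for pivoting, not scored
        "signals": signals,
        "score": score,
        "verdict": verdict,
    }


def _build(title: str, extra_headers: dict) -> str:
    """Construct a minimal HTTP response for the samples below."""
    body = f"<html><head><title>{title}</title></head><body></body></html>"
    headers = {"Content-Type": "text/html", "Content-Length": str(len(body))}
    headers.update(extra_headers)
    head = "HTTP/1.1 200 OK\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    return head + "\r\n" + body


# Constructed sample responses (not captures from the servers in the report).
SAMPLES = {
    "default_jspspy": _build("JspSpy Codz By-Ninty", {"Ohc-Cache-Hit": "kqzpa"}),
    "retitled_jspspy": _build("Login", {"Ohc-Cache-Hit": "vwbtn"}),
    "filebroser_panel": _build("Filebroser", {"Ohc-Cache-Hit": "mjrlq"}),
    "title_only": _build("JspSpy Codz By-Ninty", {"Server": "Apache"}),
    "cdn_style_value": _build("Welcome", {"Ohc-Cache-Hit": "HIT"}),
    "benign": _build("Welcome", {"Server": "nginx"}),
}


def hunt(samples: dict = SAMPLES) -> dict:
    """Run the scoring over a set of responses; returns name -> verdict."""
    return {name: score_response(raw)["verdict"] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        r = score_response(raw)
        print(f"{name:18} score={r['score']} verdict={r['verdict']:13} signals={r['signals']}")
```

Running the block shows why the report favours layering: the retitled JSPSpy and the Filebroser panel still surface on the header alone, the title-only sample is flagged as weak rather than dismissed, and a header whose value does not fit the five-letter pattern produces no hit. In a real hunt the scoring would run over responses collected by a scanner, with the port (80 in most cases, 8888 in one) and the `server` value kept alongside the verdict for pivoting.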