Vulnerable websites due to misconfiguration
Security researchers have uncovered a sprawling botnet operation fueled not by a state-sponsored APT, but by a college student in Bangladesh trying to pay for his education.
A new report from the Cyderes Howler Cell Reverse Engineering Team details the discovery of the “Beima” PHP webshell—a stealthy, custom-built backdoor that has remained completely invisible to VirusTotal scanners for over a year while compromising thousands of government and educational websites.
The investigation began when researchers traced a multi-infection backdoor chain to a Telegram marketplace. There, they found a prolific seller vending access to compromised WordPress and cPanel instances.
“We’ve identified one hacker as a student based in Bangladesh,” the report states. “Our team is in contact with the hacker, who claims he is selling access to the sites to pay for his education.”
This narrative highlights a shifting landscape where financial desperation meets technical opportunity. In Bangladesh, where the median monthly salary hovers around $220 USD, the student found a lucrative niche. While standard compromised sites sell for a meager $3 to $4, high-value targets in the Government (.gov) and Education (.edu) sectors fetch up to $200 per access.
At the heart of this operation is the Beima PHP Webshell, a tool notable for its evasion capabilities. Despite being active since at least May 2024, it has evaded detection by major antivirus engines.
“The student-hacker at the center of the operation uses a PHP-based webshell known as ‘Beima PHP’ that is currently completely undetectable by modern security tools, including VirusTotal,” the Cyderes team noted.
Once installed, typically via misconfigured WordPress endpoints, the webshell gives whoever holds it full control of the host. “The tool enables attackers to achieve full remote code execution over infected servers, extract sensitive data, and incorporate infected machines into a botnet.”
While the seller is in Bangladesh, the clientele appears to be largely international. The report indicates that the student uses a botnet panel to “distribute newly compromised websites to buyers, primarily Chinese threat actors.”
The operation is highly organized. The webshell communicates with a Command-and-Control (C2) server (identified as tool.zjtool[.]top) using encrypted JSON payloads. It supports sophisticated commands like doBeima (to deploy malicious files to random directories) and doLock (to verify execution).
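For defenders, the report's observable details (the C2 host, the doBeima and doLock command names, and PHP dropped into directories where it does not belong) translate directly into a triage check. The scanner below is an added example, not code from Cyderes or the article; the `decode_to_exec` heuristic and the sample files it builds are constructed assumptions, not Beima's actual source.

```python
from __future__ import annotations
import re
import tempfile
from pathlib import Path

# Strings the report attributes to Beima: the C2 host and two command names.
INDICATORS = {
    "c2_domain": re.compile(rb"tool\.zjtool\.top"),
    "cmd_doBeima": re.compile(rb"\bdoBeima\b"),
    "cmd_doLock": re.compile(rb"\bdoLock\b"),
    # Generic heuristic (assumption, not Beima's real source): decoded or
    # decrypted input reaching a code-execution sink within ~400 bytes.
    "decode_to_exec": re.compile(
        rb"(json_decode|openssl_decrypt|base64_decode)[\s\S]{0,400}?"
        rb"\b(eval|system|passthru|shell_exec|assert)\s*\("),
}
# WordPress serves uploads as static files; any PHP there is a red flag,
# relevant because the report says files are dropped into random directories.
NO_PHP_DIRS = ("wp-content/uploads/",)

def scan_file(path: Path, rel: str) -> list[str]:
    """Return indicator names matched in one PHP file (empty when clean)."""
    data = path.read_bytes()
    hits = [name for name, rx in INDICATORS.items() if rx.search(data)]
    if rel.startswith(NO_PHP_DIRS):
        hits.append("php_in_uploads")
    return hits

def scan_webroot(root: Path) -> dict[str, list[str]]:
    """Walk a web root; map each flagged PHP file (relative path) to its hits."""
    findings: dict[str, list[str]] = {}
    for p in sorted(root.rglob("*.php")):
        rel = p.relative_to(root).as_posix()
        if hits := scan_file(p, rel):
            findings[rel] = hits
    return findings

def build_sample_webroot() -> Path:
    """Constructed sample tree: one benign file, one mock carrying only indicator strings."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-includes").mkdir()
    (root / "wp-includes/version.php").write_text("<?php $wp_version = '6.5';\n")
    drop = root / "wp-content/uploads/2024/05"
    drop.mkdir(parents=True)
    (drop / "cache.php").write_text(
        "<?php // constructed mock for scanner testing, not a working webshell\n"
        "$c = json_decode(openssl_decrypt($_POST['d'], 'aes-256-cbc', $k), true);\n"
        "if ($c['cmd'] === 'doBeima') {} if ($c['cmd'] === 'doLock') {}\n"
        "eval(''); // placeholder sink; beacon host tool.zjtool.top\n")
    return root
```

Run `scan_webroot(Path("/var/www/html"))` against a real document root; a hit on `c2_domain` or either command name warrants immediate isolation, while `decode_to_exec` and `php_in_uploads` alone call for manual review.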
The scale of the compromise is significant. Researchers identified approximately 5,200 websites for sale in this underground market. The targeting is far from random; high-trust domains are the priority.
“The Government and education sectors are the primary targets of this campaign, accounting for 76% of the compromised websites for sale,” the report reveals.
The Beima campaign serves as a stark reminder that the barrier to entry for cybercrime keeps falling. It exposes a “decentralized and financially driven marketplace” where freelancers in developing economies act as the supply chain for advanced threat groups.
As the researchers conclude, “The investigation into the Beima PHP Webshell campaign revealed a well-organized and evolving underground freelance ecosystem supporting the trade and operation of undetectable webshells across Asia.”