China Chopper
China Chopper is a publicly available, well-documented web shell that has been in widespread use since at least 2012. It is hosted on a compromised web server and operates in a client/server model, with a lightweight server-side script communicating with a fuller-featured client interface. Reported capabilities include file transfer and file creation, opening a command terminal, interacting with database servers, spidering authentication portals, executing code sent via HTTP POST requests, and changing file timestamps for defense evasion. Multiple reports also describe its use for staging encrypted archives on internet-facing servers prior to exfiltration.
The malware has been observed in web application attacks and in post-exploitation activity following exploitation of internet-facing systems. It has been associated with exploitation of Microsoft SharePoint CVE-2019-0604 and Microsoft Exchange ProxyLogon-related activity, including deployment of ASPX web shells. In Exchange intrusions, CISA identified multiple China Chopper samples among web shells used by attackers. One observed ASPX variant used files named error404.aspx containing the string eval(Request.Item["|"],"unsafe"); and required HTTP requests carrying the "|" parameter to interact with the shell. Additional reporting describes China Chopper traffic using Base64-encoded POST parameters such as z1 and z2 to execute commands via cmd /c and return output.
China Chopper has been used by multiple threat actors and clusters, especially PRC-linked espionage groups. Supporting content links its use to APT41/HOODOO/Wicked Panda, BRONZE UNION (formerly TG-3390), BRONZE PRESIDENT, Flax Typhoon, and other Chinese state-linked activity. It has also been reported in activity attributed to Iran-based actors correlated with Pioneer Kitten/UNC757, and in opportunistic financially motivated intrusions where attackers exploited Exchange vulnerabilities to deploy the web shell before installing Prometei. Targeted sectors and organizations mentioned in the content include aerospace, government, defense, technology, energy, manufacturing, banking, academia, media, utilities, NGOs, political and law-enforcement organizations, and Taiwanese government, education, critical manufacturing, and IT entities.
Known indicators and detection-relevant details in the content include ASPX web shell files such as error404.aspx, the code pattern eval(Request.Item["|"],"unsafe");, use of the "|" HTTP parameter, and command-execution traffic containing Base64-decoded parameters like z1 and z2. The content also notes ProxyLogon detection syntax specific to China Chopper involving the PowerShell Set-OabVirtualDirectory cmdlet.
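A hunting helper for the markers above, added here as an example and not code from the page's sources or from Mallory: it checks file contents for the eval(Request.Item["|"],"unsafe") pattern and inspects form-encoded POST bodies for the "|" parameter and Base64 z1/z2 values that decode to a cmd invocation or to the &echo [S]&cd&echo [E] framing reported for China Chopper terminal requests. The sample body and the reason strings are constructed for the demonstration.

```python
import base64
import re
from urllib.parse import parse_qs, urlencode

# Markers the page attributes to China Chopper: the ASPX one-liner
# eval(Request.Item["|"],"unsafe");, requests carrying the "|" parameter,
# Base64-encoded z1/z2 parameters driving cmd /c, and the
# "&echo [S]&cd&echo [E]" framing seen in virtual-terminal requests.
EVAL_PATTERN = re.compile(
    r'eval\s*\(\s*Request\.Item\[\s*"[^"]*"\s*\]\s*,\s*"unsafe"\s*\)', re.I)
ECHO_MARKER = "&echo [S]&cd&echo [E]"


def scan_aspx_source(text: str) -> bool:
    """True if file contents carry the eval(Request.Item[...],"unsafe") pattern."""
    return bool(EVAL_PATTERN.search(text))


def _b64_decode(value: str) -> str:
    # z-parameters are Base64; tolerate missing padding and stray characters.
    try:
        padded = value + "=" * (-len(value) % 4)
        return base64.b64decode(padded, validate=False).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def scan_post_body(body: str) -> list:
    """Return the reasons a form-encoded POST body looks like China Chopper traffic."""
    reasons = []
    params = parse_qs(body, keep_blank_values=True)  # decodes %7C back to "|"
    if "|" in params:
        reasons.append('request carries the "|" parameter')
    for name in ("z1", "z2"):
        for raw in params.get(name, []):
            decoded = _b64_decode(raw)
            if ECHO_MARKER in decoded:
                reasons.append(f"{name} decodes to the {ECHO_MARKER!r} framing")
            elif decoded.lower().startswith("cmd"):
                reasons.append(f"{name} decodes to a cmd invocation")
    return reasons


# Constructed sample body (not captured traffic): the "|" parameter with a
# placeholder value plus Base64 z1/z2 values built from the page's markers.
SAMPLE_BODY = urlencode({
    "|": "constructed-placeholder",
    "z1": base64.b64encode(b"cmd").decode(),
    "z2": base64.b64encode(ECHO_MARKER.encode()).decode(),
})
```

Run scan_post_body over decoded request bodies from web-server or WAF logs and scan_aspx_source over files found under the paths the Exchange and SharePoint guidance lists; a single hit on the eval pattern is worth a look on its own, while the traffic checks are strongest when several reasons fire on one request.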
Vulnerabilities exploited
14 CVEs Mallory has correlated with this family across public research and vendor advisories.
CVE-2019-0604. Vulnerable Products: Microsoft SharePoint. Associated Malware: China Chopper. Mitigation: Update affected Microsoft products with the latest security patches.
CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 allow for remote code execution. CVE-2021-26858 and CVE-2021-27065 are similar post-authentication arbitrary write file vulnerabilities in Exchange. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could write a file to any path on the server.
Microsoft has released out-of-band security updates to address four vulnerabilities in Exchange Server: CVE-2021-26855 allows an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange Server. The vulnerability exploits the Exchange Control Panel (ECP) via a Server-Side Request Forgery (SSRF).
CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 allow for remote code execution... CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could execute arbitrary code as SYSTEM on the Exchange Server.
The threat actor primarily gained initial access by compromising a Citrix NetScaler remote access server using a publicly available exploit for CVE-2019-19781.
The threat actors then used BEHINDER to install the China Chopper web shell and a simple file upload tool as backups.
PHOTO, BADFLICK, and CHINA CHOPPER are among the most frequently observed backdoors used by APT40.
"In summer 2018, threat actors were observed targeting public-facing web servers that were vulnerable to CVE-2017-3066. The activity was related to a vulnerability in the web application development platform Adobe ColdFusion, which enabled remote code execution."
ProxyLogon webshell detection syntax is specific to ‘China Chopper’ via the PowerShell ‘Set-OabVirtualDirectory’ cmdlet.
Threat actors are actively exploiting a recently disclosed critical vulnerability, tracked as CVE-2026-1731 (CVSS score: 9.9), in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA). The bug could allow an unauthenticated attacker to send specially crafted requests and run operating system commands remotely, without logging in.
Groups observed using it
15 distinct threat actors attributed by public researchers.
The group uses a variety of TTPs including but not limited to LoTL tactics, phishing, ransomware, cryptocurrency mining, supply chain attacks, China Chopper, Gh0st RaT, PlugX, HighNoon, Derusbi, BioPass RAT, RedXOR, and ShadowPad.
Threat Group-3390 has moved staged encrypted archives to Internet-facing servers that had previously been compromised with China Chopper prior to exfiltration.
Tool: China Chopper web shell. Detail: China Chopper is a web shell hosted on a web server and is mainly used for web application attacks; it is configured in a client/server relationship.
Tools: Nanhaishu, Orz, SeDll, Cobalt Strike, GreenCrash, AIRBREAK, BlackCoffee, China Chopper, FUSIONBLAZE, HOMEFRY, MURKYTOP, Metasploit / Meterpreter, ScanBox, Derusbi Trojan, Derusbi, Metasploit
“The group uses common Chinese nation-state hacking tools such as the China Chopper web shell...”
Cybersecurity researchers had already reported other overlapping threat groups primarily linked to the use of the China Chopper malware since at least 2013.
"The PHP code reflected a basic evaluation web shell, commonly referred to as the China Chopper web shell."
"...using an unknown exploit that led to the creation of a well-known China Chopper web shell, which was in turn used to initiate a multi-stage infection chain."
"The Canadian Centre for Cyber Security released an alert about ongoing attacks exploiting CVE-2019-0604 to deliver the China Chopper web shell on April 23..."
"...installed several web shells, including China Chopper, on several internet-facing web servers."
Web shells – AntSword, Behinder, China Chopper, Godzilla, giving the hackers backdoor access to the breached systems.
At compromised web servers, we observed use of the China Chopper webshell, recognizable by the &echo [S]&cd&echo [E] sequence in virtual terminal requests.
"BRONZE PRESIDENT uses a range of tools including Cobalt Strike, China Chopper, PlugX..."
The group uses the China Chopper web shell, Metasploit, Juicy Potato privilege escalation tool, Mimikatz, and SoftEther VPN client.
Techniques & procedures
21 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
Malicious cyber actors are increasingly targeting unpatched Virtual Private Network vulnerabilities. An arbitrary code execution vulnerability in Citrix VPN appliances, known as CVE-2019-19781, has been detected in exploits in the wild. An arbitrary file reading vulnerability in Pulse Secure VPN servers, known as CVE-2019-11510, continues to be an attractive target for malicious actors.
Of the top 10, the second-most-reported vulnerable technology was a widespread Web framework known as Apache Struts... CVE-2019-0604 Vulnerable Products: Microsoft SharePoint... CVE-2018-7600 Vulnerable Products: Drupal... CVE-2019-19781 Vulnerable Products: Citrix Application Delivery Controller, Citrix Gateway, and Citrix SDWAN WANOP
CVE-2017-5638 Vulnerable Products: Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 Associated Malware: JexBoss ... CVE-2019-0604 Vulnerable Products: Microsoft SharePoint Associated Malware: China Chopper ... CVE-2018-7600 Vulnerable Products: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 Associated Malware: Kitty
Execution
3 techniques
"...attacker launching an exploit to achieve remote code execution..."
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
U.S. Government reporting has identified the top 10 most exploited vulnerabilities by state, nonstate, and unattributed cyber actors from 2016 to 2019 as follows: CVE-2017-11882, CVE-2017-0199, CVE-2017-5638, CVE-2012-0158, CVE-2019-0604, CVE-2017-0143, CVE-2018-4878, CVE-2017-8759, CVE-2015-1641, and CVE-2018-7600.
Persistence
1 technique
Customers running the latest definitions are protected by the following IPS signatures: China.Chopper.Web.Shell.Client.Connection
Stealth
4 techniques
"Sandworm Team used UPX to pack a copy of Mimikatz"; "APT38 has used several code packing methods such as Themida, Enigma, VMProtect, and Obsidium"; "Lazarus Group packed malicious .db files with Themida to evade detection."
Once the attackers gained access to the network, they deleted the .aspx webshell file to cover their tracks.
APT28 has performed timestomping on victim files. APT29 has used timestomping to alter the Standard Information timestamps on their web shells to match other files in the same directory. APT32 has used scheduled task raw XML with a backdated timestamp... APT38 has modified data timestamps to mimic files that are in the same folder on a compromised host.
Credential Access
1 technique
China Chopper ... Brute Force: Password Guessing
Discovery
4 techniques
Adding attack.discovery since the rule already has tags t1018, t1033 & t1087.
The content repeatedly describes threat actors and malware performing network scanning, port scanning, service enumeration, OS fingerprinting, and identifying open ports/services across victim environments.
Administrators should search for aspx files in the following paths... any .aspx file under this folder or sub folders... any file or modified file that is not part of a standard install
Adding attack.discovery since the rule already has t1082, t1087 and t1046.
Collection
1 technique
APT28 has staged archives of collected data on a target's Outlook Web Access (OWA) server.
Command and Control
4 techniques
BRONZE UNION appears to use a combination of self-registered IP addresses and commercial VPN services in its command and control (C2) and operational infrastructure. The threat actors also integrate infrastructure they likely previously compromised for espionage purposes.
The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
Webshells are utilized for the following purposes: to use as a relay point to issue commands to hosts inside the network without direct internet access; to upload additional malware for the potential of creating, for example, a watering hole for infection and scanning of further victims.
Exfiltration
2 techniques
Many entries state malware or actors can upload, transfer, send, or exfiltrate files from compromised hosts to command-and-control servers or attacker infrastructure.
The TMP files were then staged for exfiltration on Internet-facing servers that had previously been compromised with the China Chopper web shell. From those servers the threat actor could use a web shell to retrieve the encrypted archives.
IOCs tracked for this family
29 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
76 sources tracked across advisories, community write-ups, and news.
Web shell family referenced as a tooling marker; used for remote command execution and as a C2/access mechanism via web server compromise.
A lightweight web shell used for remote access and control of compromised web servers, commonly used for initial foothold and persistent access.
Web shell artifact found on compromised hosts during the same timeframe as BRONZE PRESIDENT activity; the report notes no direct evidence that BRONZE PRESIDENT used it, but they may have leveraged its access or capabilities earlier in the intrusion.