GodZilla
Godzilla is a web shell, including JSP and ASP.NET-associated variants, described in the content as an in-memory and Chinese-language web shell that provides persistent remote access on compromised web servers. Reported capabilities include arbitrary command execution, backdoor access, and the ability to drop or stage additional payloads. The malware is repeatedly observed as post-exploitation tooling rather than an initial-access mechanism.
The content links Godzilla to exploitation of multiple server-side vulnerabilities and exposed web applications. It was deployed after exploitation of Digital Knowledge KnowledgeDeliver CVE-2026-5426, an ASP.NET ViewState deserialization flaw caused by hard-coded machine keys, where attackers installed the web shell, modified JavaScript to present fake security alerts, and ultimately facilitated delivery of Cobalt Strike Beacon to users. It was also observed in exploitation of VMware Workspace ONE Access / Identity Manager CVE-2022-22954, where Unit 42 reported attackers downloading the Godzilla web shell onto vulnerable systems. Cisco Talos reporting in the content ties Godzilla to post-compromise activity following exploitation of Cisco Catalyst SD-WAN Manager vulnerabilities CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122, including deployment of Godzilla variants such as files named "20251117022131.jsp" and "vmurnp_ikp.jsp". The content also states that threat actors exploited Microsoft Exchange and IIS vulnerabilities, including the ProxyLogon chain, to deploy Godzilla web shells into Exchange and IIS directories.
Godzilla is associated in the content with several threat clusters and campaigns. It is described as commonly used by China-based crews and specifically by the China-aligned espionage cluster SHADOW-EARTH-053, which used Godzilla on compromised Exchange and IIS servers before deploying ShadowPad. It is also linked to the China-linked cluster CL-UNK-1068, which used Godzilla and AntSword web shells on misconfigured web servers for lateral movement and theft of browser data, web application files, spreadsheets, and database backups. Cisco Talos reporting also places Godzilla in multiple SD-WAN exploitation clusters, distinct from UAT-8616, as part of broader post-exploitation activity alongside Behinder, XenShell, AdaptixC2, Sliver, XMRig, KScan/QScan, Nim-based implants, gsocket, and credential stealers.
Targeting in the content centers on internet-facing enterprise infrastructure and web applications, including KnowledgeDeliver LMS deployments popular in Japan, VMware identity/access appliances, Cisco SD-WAN infrastructure, Microsoft Exchange servers, IIS servers, and misconfigured web servers in high-value organizations. Victim sectors mentioned in related campaigns include government, defense-adjacent organizations, critical infrastructure, transportation, technology, aviation, energy, law enforcement, pharmaceutical, telecommunications, and finance.
High-confidence indicators directly mentioned in the content include filenames "20251117022131.jsp" and "vmurnp_ikp.jsp" for deployed Godzilla web shells. The content also notes the alias BLUEBEAM for Godzilla in at least one reporting source.
Vulnerabilities exploited
14 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Threat actors abused a critical zero-day bug in a server that ran a KnowledgeDeliver LMS to install the Godzilla. The bug is a deserialization problem tracked as CVE-2026-5426 and can be abused without verification. It originates from the use of “shared hardcoded machine key in the web portal configuration.”
Once inside, the attackers deploy web shells such as GODZILLA to maintain persistent backdoor access and execute remote commands at will.
Following the exploitation of these CVEs, the threat actor deployed a variant of the Godzilla web shell under the filename “20251117022131.jsp”.
We observed the vulnerability exploited to download webshells, including: ... The Godzilla Webshell that has also been used in previous campaigns exploiting other vulnerabilities.
CVE-2026-20182 carries a CVSSv3.1 score of 10.0 (Critical) and is classified under CWE-287: Improper Authentication. The flaw affects the Cisco Catalyst SD-WAN Controller (formerly vSmart)... The peering authentication mechanism is not functioning correctly, allowing an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on the affected system.
A torrent of proof-of-concept (PoC) exploits for React2Shell has hit the internet following the vulnerability's disclosure last week, and while security researchers say most are fake, ineffective and AI-generated slop, some have proven to be quite dangerous. CVE-2025-55182 was disclosed on Dec. 3 with a maximum CVSS score of 10, setting off urgent calls for immediate mitigation. The remote code execution (RCE) flaw stems from an unsafe deserialization issue in React Server Components (RSC) protocol that affects not only React open source software but other frameworks such as Next.js. The critical vulnerability came under exploitation shortly after public disclosure, with Amazon threat intelligence observing attacks from several China-nexus threat groups. Attacks against the vulnerability, which researchers refer to as "React2Shell," increased this week as opportunistic threat actors of all stripes launched campaigns with cryptominers, infostealers, backdoors, and more.
...active exploitation of a newly identified vulnerability (CVE-2021-40539) in ManageEngine ADSelfService Plus... rated critical... an authentication bypass vulnerability affecting ... REST API URLs that could enable remote code execution... reports of malicious cyber actors using exploits against CVE-2021-40539 to gain access...
(Updated November 19, 2021): APT actors are using the following suite of tools to enable this campaign: ... Godzilla – a Chinese language webshell.
"...this dropper deploys a Godzilla webshell which provides the actor with further access to and persistence in compromised systems."
The content states CVE-2023-46604 (Apache ActiveMQ) “was known to have been used in the Godzilla ransomware attack.”
Groups observed using it
6 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Following successful exploitation, operators deployed GODZILLA web shells into Exchange and IIS directories to establish persistent remote access.
"...this dropper deploys a Godzilla webshell which provides the actor with further access to and persistence in compromised systems."
Web shells – AntSword, Behinder, China Chopper, Godzilla, giving the hackers backdoor access to the breached systems.
We observed the attackers deploying the GodZilla web shell, and a variation of AntSword.
Techniques & procedures
20 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
Specifically, the warrants authorized the seizures of computer servers that launched and controlled the DDoS attacks, computer servers that relayed attack commands to a broader network of attack computers, and accounts containing the source code for the DDoS tools used by Anonymous Sudan.
Initial Access
2 techniques
Threat actors could modify a JavaScript file with code that asked users to run a ‘security authentication plugin’ and install a malicious script from a domain that hackers used.
Threat actors abused a critical zero-day bug in a server that ran a KnowledgeDeliver LMS... The bug is a deserialization problem tracked as CVE-2026-5426 and can be abused without verification.
Execution
3 techniques
Threat actors could modify a JavaScript file with code that asked users to run a ‘security authentication plugin’ and install a malicious script from a domain that hackers used.
The activity has been found to leverage publicly available proof-of-concept exploit code to deploy web shells on hacked systems, allowing the operators to run arbitrary bash commands.
The vulnerability, CVE-2026-5426, stems from the use of hard-coded ASP.NET machine keys within the LMS. This allowed for unauthenticated remote code execution through a ViewState deserialization attack.
Persistence
2 techniques
When the machineKey is known, a threat actor can craft a malicious ViewState payload. By sending this payload in an HTTP request (via the __VIEWSTATE parameter), the threat actor can make the server deserialize it.
Threat actors abused a critical zero-day bug in a server that ran a KnowledgeDeliver LMS to install the Godzilla.
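The persistence and initial-access entries above both trace back to one root cause: a machineKey that is hard-coded in the application's configuration and shared across installs, so that anyone who learns it can produce a ViewState the server will accept. The defender-side check is to find such keys before anyone else does. The following script is an added example, not code from the page or from any vendor or product it names; it parses ASP.NET web.config files with the standard library, reports any literal validationKey/decryptionKey (as opposed to ASP.NET's AutoGenerate setting or an absent attribute, both of which let the runtime generate keys), and then compares several configs to surface a key that more than one deployment carries. Every config below is constructed for the example, and the key values are placeholders, not any product's real keys.

```python
"""Audit ASP.NET web.config files for hard-coded or shared <machineKey> values.

Added example, not code from the page or from any vendor named on it.
All config text below is constructed; key values are placeholders.
"""
import xml.etree.ElementTree as ET

# ASP.NET's own setting; also the effective default when the attribute is absent.
AUTO = "AutoGenerate"


def literal_keys(web_config_xml: str) -> list[tuple[str, str]]:
    """Return (attribute, value) for every literal key in every <machineKey> element.

    <machineKey> normally sits under <system.web>, but it can also appear inside
    <location> blocks, so every occurrence in the document is inspected.
    """
    root = ET.fromstring(web_config_xml)
    found = []
    for mk in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr)
            # Absent or AutoGenerate* means the runtime generates the key itself.
            if value is None or value.startswith(AUTO):
                continue
            found.append((attr, value))
    return found


def audit_machine_key(web_config_xml: str) -> list[str]:
    """Human-readable findings; an empty list means no literal key was found."""
    return [
        f"{attr} is a literal value ({len(value)} chars); anyone holding it can "
        f"forge ViewState that this application will accept"
        for attr, value in literal_keys(web_config_xml)
    ]


def find_shared_keys(configs: dict[str, str]) -> dict[str, list[str]]:
    """Map each literal key value to the names of the configs that contain it,
    keeping only values present in more than one config. A product that ships
    one key to every customer shows up here as soon as two installs are compared.
    (Nodes of a single web farm legitimately share keys; exclude those first.)"""
    holders: dict[str, list[str]] = {}
    for name, xml in configs.items():
        for _attr, value in literal_keys(xml):
            holders.setdefault(value, []).append(name)
    return {value: names for value, names in holders.items() if len(names) > 1}


# Constructed sample configs (not real product settings).
HARDCODED = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2"
                decryptionKey="0F1E2D3C4B5A0F1E2D3C4B5A0F1E2D3C4B5A0F1E2D3C4B5A"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

AUTOGEN = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

NO_KEY = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="false" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for finding in audit_machine_key(HARDCODED):
        print("FINDING:", finding)
    print("autogenerate config findings:", audit_machine_key(AUTOGEN))
    # Two constructed installs of the same product carry the same key; a third
    # application with auto-generated keys does not take part in the comparison.
    shared = find_shared_keys({"lms-host-a": HARDCODED, "lms-host-b": HARDCODED,
                               "intranet": AUTOGEN})
    for value, names in shared.items():
        print(f"key {value[:8]}... is shared by {names}")
```

In practice the configs are collected from each server's application directory and fed in by host name; a key that appears in more than one unrelated application is the finding that matters, because it means the key was never unique to the install. The script does not look at the ViewState itself and does not need to: the configuration alone tells you whether an attacker who reads a public copy of the product already holds the key.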
Privilege Escalation
1 technique
Attackers leveraged this access to inject malicious code, deploy the Godzilla web shell, and escalate privileges.
Stealth
3 techniques
“Obfuscating and Deobfuscating/Decoding Files or Information [T1027 and T1140]”
A known indicator associated with the campaign includes the BLUEBEAM payload “LoadLibrary.dll” with SHA-256 hash 7c1f99dca8e5a7897892f9d224a6495023a2cfd2671697d229d355978c415ed2.
Defense Impairment
1 technique
Among the commands executed were instructions to escalate their control over the web server's file system by granting "Everyone" complete access to the web application directory.
Lateral Movement
3 techniques
One particularly notable technique involved propagating malicious web shells across additional internal Exchange servers by copying ASPX files directly through administrative SMB shares.
Talos is also aware of the widespread in-the-wild active exploitation of three vulnerabilities in unpatched Cisco Catalyst SD-WAN Manager infrastructure (CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122) that, when chained together, can allow a remote unauthenticated attacker to gain access to the device.
In one environment, the group propagated web shells to additional internal Exchange servers by using existing administrative credentials.
Command and Control
2 techniques
The malware communicates through encrypted HTTP POST requests, allowing attackers to execute commands, upload payloads, and maintain persistence... Network defenders should also watch for anomalous User-Agent strings.
The malware communicates through encrypted HTTP POST requests, allowing attackers to execute commands, upload payloads, and maintain persistence... Users who downloaded the fake plugin were infected with a Cobalt Strike Beacon payload.
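Because the operator talks to the shell only through POST requests whose bodies are encrypted, the body is of little use for detection; what remains is the shape of the traffic. The script below is an added example, not code from the page or from any vendor it cites, and it shows how the two observations in this section (POST-only traffic to a script and an unusual User-Agent) can be turned into a hunt over ordinary web server logs. It parses IIS W3C extended log lines (the `#Fields:` header names the columns; IIS writes spaces in the User-Agent as `+`), then flags script paths that are only ever POSTed to by a single client, enriches each hit with whether that client's User-Agent is seen nowhere else on the site, and separately matches the two Godzilla filenames named on this page. The POST-only and User-Agent-uniqueness heuristics are this example's own, not rules from the page; the log lines are constructed, with clients drawn from the documentation address ranges.

```python
"""Hunt for web-shell-shaped traffic in IIS W3C access logs.

Added example, not code from the page or any vendor it cites. The heuristics
are the example's own; the two filenames come from the page's Cisco Talos
reporting. All log lines are constructed.
"""
import re
from collections import defaultdict

# Filenames reported on the page for deployed Godzilla variants.
KNOWN_SHELL_NAMES = {"20251117022131.jsp", "vmurnp_ikp.jsp"}

# Extensions for server-side scripts that a web shell would be dropped as.
SCRIPT_RE = re.compile(r"\.(jsp|jspx|aspx?|ashx|php)$", re.IGNORECASE)

# Constructed IIS W3C log excerpt. Real IIS logs write User-Agent spaces as '+'.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status
2026-01-10 09:00:01 GET /index.jsp 198.51.100.10 Mozilla/5.0+(Windows+NT+10.0)+Firefox/128.0 200
2026-01-10 09:00:02 GET /login.jsp 198.51.100.11 Mozilla/5.0+(Macintosh)+Safari/17.0 200
2026-01-10 09:00:03 POST /login.jsp 198.51.100.11 Mozilla/5.0+(Macintosh)+Safari/17.0 302
2026-01-10 09:01:00 POST /vmurnp_ikp.jsp 203.0.113.7 Mozilla/5.0+(Windows+NT+6.1)+Chrome/58.0 200
2026-01-10 09:01:05 POST /vmurnp_ikp.jsp 203.0.113.7 Mozilla/5.0+(Windows+NT+6.1)+Chrome/58.0 200
2026-01-10 09:01:09 POST /vmurnp_ikp.jsp 203.0.113.7 Mozilla/5.0+(Windows+NT+6.1)+Chrome/58.0 200
2026-01-10 09:02:00 POST /static/cache.jsp 203.0.113.9 Java/1.8.0_202 200
2026-01-10 09:02:01 POST /static/cache.jsp 203.0.113.9 Java/1.8.0_202 200
2026-01-10 09:02:02 POST /static/cache.jsp 203.0.113.9 Java/1.8.0_202 200
"""


def parse_w3c(text: str) -> list[dict]:
    """Turn W3C extended log text into one dict per request, keyed by field name."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # skip lines that do not match the declared columns
        records.append(dict(zip(fields, parts)))
    return records


def detect_webshell_activity(records: list[dict], min_posts: int = 3) -> list[dict]:
    """Return one alert per suspicious script path, sorted by path."""
    by_path = defaultdict(list)
    ua_paths = defaultdict(set)  # User-Agent -> every path it was seen on
    for r in records:
        by_path[r["cs-uri-stem"]].append(r)
        ua_paths[r["cs(User-Agent)"]].add(r["cs-uri-stem"])

    alerts = []
    for path, recs in sorted(by_path.items()):
        if not SCRIPT_RE.search(path):
            continue
        reasons = []
        if path.rsplit("/", 1)[-1] in KNOWN_SHELL_NAMES:
            reasons.append("known Godzilla web shell filename")
        methods = {r["cs-method"] for r in recs}
        clients = {r["c-ip"] for r in recs}
        posts = sum(1 for r in recs if r["cs-method"] == "POST")
        # A page a browser uses is fetched with GET by many clients; a shell is
        # only ever POSTed to, usually by the one operator who planted it.
        if methods == {"POST"} and posts >= min_posts and len(clients) == 1:
            reasons.append("post-only script path from a single client")
        # Enrichment only: a User-Agent that appears nowhere else on the site
        # supports the verdict but would be noisy as a rule of its own.
        if reasons and all(ua_paths[r["cs(User-Agent)"]] == {path} for r in recs):
            reasons.append("user-agent seen only on this path")
        if reasons:
            alerts.append({"path": path, "clients": sorted(clients),
                           "posts": posts, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_webshell_activity(parse_w3c(SAMPLE_LOG)):
        print(f"{alert['path']} from {alert['clients']} ({alert['posts']} POSTs): "
              + "; ".join(alert["reasons"]))
```

Legitimate API endpoints are also POST-only, so in production the path rule needs an allowlist of known endpoints and a longer window than three requests; the point of the example is that the shell's encrypted body does not hide the request pattern, and a script path that did not exist before the incident window and is only ever POSTed to by one address is worth a look regardless of what the User-Agent claims to be.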
Impact
2 techniques
According to the indictment and a criminal complaint also unsealed today, since early 2023, the Anonymous Sudan actors and their customers have used the group’s Distributed Cloud Attack Tool (DCAT) to conduct destructive DDoS attacks and publicly claim credit for them. In approximately one year of operation, Anonymous Sudan’s DDoS tool was used to launch over 35,000 DDoS attacks.
Anonymous Sudan’s DDoS attacks, which at times lasted several days, caused damage to the victims’ websites and networks, often rendering them inaccessible or inoperable, resulting in significant damages.
IOCs tracked for this family
74 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
38 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Godzilla was installed following exploitation of a KnowledgeDeliver LMS zero-day (CVE-2026-5426). The content also notes prior ViewState deserialization attacks in ASP.NET environments where Godzilla was planted, indicating use as a post-exploitation backdoor/webshell.
A web shell deployed after exploitation of CVE-2026-5426 to provide attacker access on compromised KnowledgeDeliver servers.
A web shell deployed after exploitation of CVE-2026-5426 to provide command execution on the compromised LMS server and enable delivery of additional payloads.
A web shell used by one threat cluster following exploitation of Cisco SD-WAN vulnerabilities.