WEBC2 is a malware family/backdoor associated in the provided content with the Mandiant APT1 reporting. The content states that WEBC2 variants can achieve persistence via DLL search order hijacking by copying a DLL to %SYSTEMROOT% (C:\WINDOWS\ntshrui.dll). It also states that WEBC2 can open an interactive command shell. In Mandiant’s imphash-based analysis of the APT1 malware corpus, WEBC2 is listed with imphash a1a42f57ff30983efda08b68fedd3cfc (63 imports, 25 matched samples) and imphash 7276a74b59de5761801b35c672c9ccb4 (52 imports, 13 matched samples). The content does not provide additional high-confidence details here on initial infection vector, specific targeted industries, or further WEBC2-specific indicators beyond the persistence path and imphash values.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
5 distinct techniques documented for this family, organized by ATT&CK tactic.
The content repeatedly describes use of cmd.exe, cmd /c, Windows command shell, and xp_cmdshell to execute commands, run payloads, launch binaries, perform reconnaissance, persistence, cleanup, and ransomware actions. Examples include: 'Sandworm Team used the xp_cmdshell command in MS-SQL', 'APT41 used cmd.exe /c to execute commands on remote machines', and many malware families 'can use cmd.exe to execute commands on a compromised host.' | Many entries explicitly state malware 'can create a reverse shell' or 'launch a remote shell,' including 4H RAT, AuditCred, BLACKCOFFEE, Carbanak, DarkComet, Exaramel for Windows, PlugX, QuasarRAT, and ZxShell.
"AppleJeus ... has also used DLL search order hijacking via the IKEEXT service, running with LocalSystem privileges, to load the TAXHAUL DLL for persistence." / "APT41 ... has used search order hijacking to execute malicious payloads" / "Cinnamon Tempest has used search order hijacking to launch Cobalt Strike Beacons."
"AppleJeus ... has also used DLL search order hijacking via the IKEEXT service, running with LocalSystem privileges, to load the TAXHAUL DLL for persistence." / "APT41 ... has used search order hijacking to execute malicious payloads" / "Cinnamon Tempest has used search order hijacking to launch Cobalt Strike Beacons."
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Malware/tool capable of opening an interactive command shell.
Persistence via DLL search-order hijacking (e.g., planting ntshrui.dll).
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.