Chopper

Chopper, commonly referred to as China Chopper, is a web shell used for post-compromise access on web servers, particularly IIS and Microsoft Exchange servers. The provided content associates it with rapid deployment after initial exploitation to facilitate hands-on-keyboard activity. Reported use cases include installation following exploitation of Microsoft Exchange vulnerabilities in 2021 and in targeted Exchange attacks in August 2022 chaining CVE-2022-41040 and CVE-2022-41082, where attackers used the Chopper web shell for access, Active Directory reconnaissance, and data exfiltration. Trend Micro reported Chopper web shells being dropped via Exchange flaws in January 2021. Cisco Talos also described Chinese-speaking threat activity tracked as UAT-6382 exploiting CVE-2025-0994 in Trimble Cityworks and then deploying IIS web shells including AntSword, chinatso/Chopper, and Behinder on underlying IIS servers. Additional reporting in the content describes attacks on South Korean web servers where attackers exploited file upload vulnerabilities to install ASP/ASPX web shells including Chopper, Godzilla, and ReGe-ORG for persistence. The content links Chopper to reconnaissance behavior reflected in Sigma detection coverage, including commands and activity mapped to discovery techniques such as host, user, and account enumeration. High-confidence context in the content ties Chopper to Chinese-speaking or likely state-sponsored intrusion activity, Exchange server compromises, IIS web server persistence, and follow-on reconnaissance and exfiltration.