JSPSpy and ‘filebroser’: A Custom File Management Tool in Webshell Infrastructure
Published on
Published on
Published on
Mar 11, 2025
Mar 11, 2025
Mar 11, 2025



Hunt researchers recently identified a cluster of JSPSpy web shell servers with an unexpected addition: Filebroser, a rebranded version of the open-source File Browser file management project.
The slight modification to its name raises questions about whether this was an intentional attempt to evade detection or simply a byproduct of customization. Being observed with JSPSpy suggests a possible role in attack operations-as a persistence mechanism, file management interface, or alternative access point.
Webshells are commonly deployed on compromised servers but can also exist in environments where system administrators use similar tools for remote management. Advanced threat actors and cybercriminals alike have relied on these tools to maintain access, execute commands, and extract files while blending into normal web traffic.
This post examines the infrastructure where Filebroser was observed, its characteristics, and detection strategies for defenders tracking JSPSpy and related activity.
JSPSpy: Recent Server Observations
Developed in Java and first observed in 2013, JSPSpy has been leveraged by multiple threat actors, most recently the Lazarus Group, which NowSecure reported was used against a research organization.
The web shell features a graphical interface for remote access and file management, making it easy for even inexperienced operators to navigate compromised networks.
Recent JSPSpy Server Infrastructure
Our recent analysis of the JSPSpy webshell malicious infrastructure identified four servers presenting a known webpage title, which we'll discuss later to assist defenders in hunting for this cyber threat.
The servers span multiple hosting providers across China and the United States, using a mix of cloud services and traditional ISPs.
CHINANET Jilin province network (China)
Huawei Public Cloud Service Technologies (China)
China Mobile Communications Corporation (China)
Multacom Corporation (United States)
Most of the servers host JSPSpy on port 80, likely an effort to blend in with legitimate HTTP web traffic. One of the China-based instances operates on port 8888. Monitoring for these and other webshells on non-standard ports can assist in identifying similar infrastructure.
Of the four, only one (
124.235.147[.]90
) hosts a TLS certificate. The DigiCert issues cert for dgtmeta[.]com (SHA-256:
EE00EC12B3E3372E60A6FB59A4D3764CC9FA9CB4289FEF1350E4E6CE36CF1FF6
) was first observed by our scans in mid-September 2024 and is still active as of March 6th.
Pivoting on the above led to just 12 servers sharing this certificate; however, we have no indications at this time that any of the associated IPs are involved in malicious activity.
For a brief period,
learning.gensci-china[.]com
resolved to
124.235.147[.]90
, where it served the JSPSpy login page when accessed in a browser. GenSci China, a legitimate biopharmaceutical company based in Jilin Province, China, does not have an obvious connection to the webshell activity. While a network compromise is the most likely explanation, other possibilities include an expired or abandoned subdomain, a hosting misconfiguration, or a temporary malicious redirect.
While analyzing these IP addresses, we identified another web-facing login panel on two of the four servers named 'filebroser.'
'filebroser': A Rebranded File Management Panel
Further analysis of the ports of these IP addresses revealed that two of the identified servers (
124.235.147[.]90
and
74.48.175[.]44
) also host a web-facing login panel labeled 'file browser' on port 8001.
The webpage closely resembles the File Browser project, an open-source tool designed for managing files through a web-based interface. The suspicious page even uses the same favicon as the legitimate version.
Internet scans for the webpage titled "登录 - filebroser" yielded fewer than 10 results, none of which hosted additional JSPSpy instances. "登录" translates to 'Login' in English. This suggests that filebroser is not widely deployed and may be specific to a single operator.
While it's unclear whether this panel functions identically to the open-source version or has been modified, its placement alongside JSPSpy makes it worth closer examination.
Identifying JSPSpy and filebroser Activity
If you've been following our research, you know we love finding ways to detect malicious and often-abused frameworks. Whether it's uncovering new attacker infrastructure or building practical detection queries, the goal is always the same-giving defenders the advantage.
One of the most straightforward ways to identify JSPSpy servers is through their login page title, which consistently displays "JspSpy Codz By-Ninty." While this is a useful indicator, it shouldn't be relied on alone-titles are easily modified, and any attacker with a text editor can alter them to evade detection.
A more reliable way to track JSPSpy is to add some of the server's HTTP response headers. These typically include:
Server: JSP3/2.0.14
Ohc-Cache-Hit:
A random five-character alphabetical string (e.g., abcde, xkqyr, lmnav)
For those who don't fear regex, a pattern like
\b[a-zA-Z]{5}\b
may be helpful when searching at scale.
Leveraging Overlaps with Filebroser
In addition to the "Login - filebroser" page title observed on the small number of servers, the filebroser panel features the same Ohc-Cache-Hit field as JSPSpy. While this doesn't confirm direct integration between the two, the overlap offers another way to refine our queries before we set out on a hunt.
Effective detection is rarely about a single indicator-it's about layering multiple weak signals into something stronger. By combining HTTP headers, response behaviors, and contextual details like page titles, defenders can improve visibility into JSPSpy deployments and, in this case, similar web-based tooling.
Conclusion
JSPSpy and tools like filebroser illustrate how attackers continue to rely on web shells for persistent access, blending into legitimate infrastructure with minimal noise. The presence of filebroser on some servers raises further questions about its purpose and whether it serves an operational role in addition to JSPSpy.
Web shells remain a preferred tool for threat actors, offering a low-footprint method for maintaining access and executing post-compromise actions.
Proactively identifying and monitoring these deployments is essential to understanding attacker behaviors and detecting threats.
JSPSpy and Filebroser Network Observables and IOCs
IP Address | ASN | Domain(s) | Location | Notes |
---|---|---|---|---|
124.235.147[.]90 | CHINANET Jilin province network | learning.gensci-china[.]com | CN | JSPSpy: Port 80 filebroser: Port 8001 |
113.45.180[.]224 | Huawei Cloud Service data center | N/A | CN | JSPSpy: Port 80 |
74.48.175[.]44 | MULTACOM CORPORATION | N/A | US | JSPSpy: Port 80 filebroser: Port 8001 |
22.176.159[.]209 | Henan Mobile Communications Co.,Ltd | N/A | CN | JSPSpy: 8888 |
Hunt researchers recently identified a cluster of JSPSpy web shell servers with an unexpected addition: Filebroser, a rebranded version of the open-source File Browser file management project.
The slight modification to its name raises questions about whether this was an intentional attempt to evade detection or simply a byproduct of customization. Being observed with JSPSpy suggests a possible role in attack operations-as a persistence mechanism, file management interface, or alternative access point.
Webshells are commonly deployed on compromised servers but can also exist in environments where system administrators use similar tools for remote management. Advanced threat actors and cybercriminals alike have relied on these tools to maintain access, execute commands, and extract files while blending into normal web traffic.
This post examines the infrastructure where Filebroser was observed, its characteristics, and detection strategies for defenders tracking JSPSpy and related activity.
JSPSpy: Recent Server Observations
Developed in Java and first observed in 2013, JSPSpy has been leveraged by multiple threat actors, most recently the Lazarus Group, which NowSecure reported was used against a research organization.
The web shell features a graphical interface for remote access and file management, making it easy for even inexperienced operators to navigate compromised networks.
Recent JSPSpy Server Infrastructure
Our recent analysis of the JSPSpy webshell malicious infrastructure identified four servers presenting a known webpage title, which we'll discuss later to assist defenders in hunting for this cyber threat.
The servers span multiple hosting providers across China and the United States, using a mix of cloud services and traditional ISPs.
CHINANET Jilin province network (China)
Huawei Public Cloud Service Technologies (China)
China Mobile Communications Corporation (China)
Multacom Corporation (United States)
Most of the servers host JSPSpy on port 80, likely an effort to blend in with legitimate HTTP web traffic. One of the China-based instances operates on port 8888. Monitoring for these and other webshells on non-standard ports can assist in identifying similar infrastructure.
Of the four, only one (
124.235.147[.]90
) hosts a TLS certificate. The DigiCert issues cert for dgtmeta[.]com (SHA-256:
EE00EC12B3E3372E60A6FB59A4D3764CC9FA9CB4289FEF1350E4E6CE36CF1FF6
) was first observed by our scans in mid-September 2024 and is still active as of March 6th.
Pivoting on the above led to just 12 servers sharing this certificate; however, we have no indications at this time that any of the associated IPs are involved in malicious activity.
For a brief period,
learning.gensci-china[.]com
resolved to
124.235.147[.]90
, where it served the JSPSpy login page when accessed in a browser. GenSci China, a legitimate biopharmaceutical company based in Jilin Province, China, does not have an obvious connection to the webshell activity. While a network compromise is the most likely explanation, other possibilities include an expired or abandoned subdomain, a hosting misconfiguration, or a temporary malicious redirect.
While analyzing these IP addresses, we identified another web-facing login panel on two of the four servers named 'filebroser.'
'filebroser': A Rebranded File Management Panel
Further analysis of the ports of these IP addresses revealed that two of the identified servers (
124.235.147[.]90
and
74.48.175[.]44
) also host a web-facing login panel labeled 'file browser' on port 8001.
The webpage closely resembles the File Browser project, an open-source tool designed for managing files through a web-based interface. The suspicious page even uses the same favicon as the legitimate version.
Internet scans for the webpage titled "登录 - filebroser" yielded fewer than 10 results, none of which hosted additional JSPSpy instances. "登录" translates to 'Login' in English. This suggests that filebroser is not widely deployed and may be specific to a single operator.
While it's unclear whether this panel functions identically to the open-source version or has been modified, its placement alongside JSPSpy makes it worth closer examination.
Identifying JSPSpy and filebroser Activity
If you've been following our research, you know we love finding ways to detect malicious and often-abused frameworks. Whether it's uncovering new attacker infrastructure or building practical detection queries, the goal is always the same-giving defenders the advantage.
One of the most straightforward ways to identify JSPSpy servers is through their login page title, which consistently displays "JspSpy Codz By-Ninty." While this is a useful indicator, it shouldn't be relied on alone-titles are easily modified, and any attacker with a text editor can alter them to evade detection.
A more reliable way to track JSPSpy is to add some of the server's HTTP response headers. These typically include:
Server: JSP3/2.0.14
Ohc-Cache-Hit:
A random five-character alphabetical string (e.g., abcde, xkqyr, lmnav)
For those who don't fear regex, a pattern like
\b[a-zA-Z]{5}\b
may be helpful when searching at scale.
Leveraging Overlaps with Filebroser
In addition to the "Login - filebroser" page title observed on the small number of servers, the filebroser panel features the same Ohc-Cache-Hit field as JSPSpy. While this doesn't confirm direct integration between the two, the overlap offers another way to refine our queries before we set out on a hunt.
Effective detection is rarely about a single indicator-it's about layering multiple weak signals into something stronger. By combining HTTP headers, response behaviors, and contextual details like page titles, defenders can improve visibility into JSPSpy deployments and, in this case, similar web-based tooling.
Conclusion
JSPSpy and tools like filebroser illustrate how attackers continue to rely on web shells for persistent access, blending into legitimate infrastructure with minimal noise. The presence of filebroser on some servers raises further questions about its purpose and whether it serves an operational role in addition to JSPSpy.
Web shells remain a preferred tool for threat actors, offering a low-footprint method for maintaining access and executing post-compromise actions.
Proactively identifying and monitoring these deployments is essential to understanding attacker behaviors and detecting threats.
JSPSpy and Filebroser Network Observables and IOCs
IP Address | ASN | Domain(s) | Location | Notes |
---|---|---|---|---|
124.235.147[.]90 | CHINANET Jilin province network | learning.gensci-china[.]com | CN | JSPSpy: Port 80 filebroser: Port 8001 |
113.45.180[.]224 | Huawei Cloud Service data center | N/A | CN | JSPSpy: Port 80 |
74.48.175[.]44 | MULTACOM CORPORATION | N/A | US | JSPSpy: Port 80 filebroser: Port 8001 |
22.176.159[.]209 | Henan Mobile Communications Co.,Ltd | N/A | CN | JSPSpy: 8888 |
Related Posts:
Threat Hunting Platform - Hunt.io
Products
Hunt Intelligence, Inc.
Threat Hunting Platform - Hunt.io
Products
Hunt Intelligence, Inc.
Threat Hunting Platform - Hunt.io
Products
Hunt Intelligence, Inc.