JSPSpy and ‘filebroser’: A Custom File Management Tool in Webshell Infrastructure

Published on

Published on

Published on

Mar 11, 2025

Mar 11, 2025

Mar 11, 2025

JSPSpy and ‘Filebroser’: A Custom File Management Tool in Webshell Infrastructure
JSPSpy and ‘Filebroser’: A Custom File Management Tool in Webshell Infrastructure
JSPSpy and ‘Filebroser’: A Custom File Management Tool in Webshell Infrastructure

JSPSpy and ‘filebroser’: A Custom File Management Tool in Webshell Infrastructure

Hunt researchers recently identified a cluster of JSPSpy web shell servers with an unexpected addition: Filebroser, a rebranded version of the open-source File Browser file management project.

The slight modification to its name raises questions about whether this was an intentional attempt to evade detection or simply a byproduct of customization. Being observed with JSPSpy suggests a possible role in attack operations-as a persistence mechanism, file management interface, or alternative access point.

Webshells are commonly deployed on compromised servers but can also exist in environments where system administrators use similar tools for remote management. Advanced threat actors and cybercriminals alike have relied on these tools to maintain access, execute commands, and extract files while blending into normal web traffic.

This post examines the infrastructure where Filebroser was observed, its characteristics, and detection strategies for defenders tracking JSPSpy and related activity.

JSPSpy: Recent Server Observations

Developed in Java and first observed in 2013, JSPSpy has been leveraged by multiple threat actors, most recently the Lazarus Group, which NowSecure reported was used against a research organization.

The web shell features a graphical interface for remote access and file management, making it easy for even inexperienced operators to navigate compromised networks.

Recent JSPSpy Server Infrastructure

Our recent analysis of the JSPSpy webshell malicious infrastructure identified four servers presenting a known webpage title, which we'll discuss later to assist defenders in hunting for this cyber threat.

The servers span multiple hosting providers across China and the United States, using a mix of cloud services and traditional ISPs.

  • CHINANET Jilin province network (China)

  • Huawei Public Cloud Service Technologies (China)

  • China Mobile Communications Corporation (China)

  • Multacom Corporation (United States)

Most of the servers host JSPSpy on port 80, likely an effort to blend in with legitimate HTTP web traffic. One of the China-based instances operates on port 8888. Monitoring for these and other webshells on non-standard ports can assist in identifying similar infrastructure.

Of the four, only one ( 124.235.147[.]90) hosts a TLS certificate. The DigiCert issues cert for dgtmeta[.]com (SHA-256: EE00EC12B3E3372E60A6FB59A4D3764CC9FA9CB4289FEF1350E4E6CE36CF1FF6) was first observed by our scans in mid-September 2024 and is still active as of March 6th.

Figure 1: Certificate data for *dgtmeta[.]com in Hunt

Figure 1: Certificate data for *dgtmeta[.]com in Hunt.

Pivoting on the above led to just 12 servers sharing this certificate; however, we have no indications at this time that any of the associated IPs are involved in malicious activity.

For a brief period, learning.gensci-china[.]com resolved to 124.235.147[.]90, where it served the JSPSpy login page when accessed in a browser. GenSci China, a legitimate biopharmaceutical company based in Jilin Province, China, does not have an obvious connection to the webshell activity. While a network compromise is the most likely explanation, other possibilities include an expired or abandoned subdomain, a hosting misconfiguration, or a temporary malicious redirect.

Figure 2: JSPSpy login page hosted at learning.gensci-china[.]com

Figure 2: JSPSpy login page hosted at learning.gensci-china[.]com.

While analyzing these IP addresses, we identified another web-facing login panel on two of the four servers named 'filebroser.'

'filebroser': A Rebranded File Management Panel

Further analysis of the ports of these IP addresses revealed that two of the identified servers ( 124.235.147[.]90 and 74.48.175[.]44) also host a web-facing login panel labeled 'file browser' on port 8001.

Figure 3: Renamed File Browser login page

Figure 3: Renamed File Browser login page.

The webpage closely resembles the File Browser project, an open-source tool designed for managing files through a web-based interface. The suspicious page even uses the same favicon as the legitimate version.

Figure 4: Legitimate File Browser login page

Figure 4: Legitimate File Browser login page.

Internet scans for the webpage titled "登录 - filebroser" yielded fewer than 10 results, none of which hosted additional JSPSpy instances. "登录" translates to 'Login' in English. This suggests that filebroser is not widely deployed and may be specific to a single operator.

While it's unclear whether this panel functions identically to the open-source version or has been modified, its placement alongside JSPSpy makes it worth closer examination.

Identifying JSPSpy and filebroser Activity

If you've been following our research, you know we love finding ways to detect malicious and often-abused frameworks. Whether it's uncovering new attacker infrastructure or building practical detection queries, the goal is always the same-giving defenders the advantage.

One of the most straightforward ways to identify JSPSpy servers is through their login page title, which consistently displays "JspSpy Codz By-Ninty." While this is a useful indicator, it shouldn't be relied on alone-titles are easily modified, and any attacker with a text editor can alter them to evade detection.

A more reliable way to track JSPSpy is to add some of the server's HTTP response headers. These typically include:

  • Server: JSP3/2.0.14

  • Ohc-Cache-Hit: A random five-character alphabetical string (e.g., abcde, xkqyr, lmnav)

For those who don't fear regex, a pattern like \b[a-zA-Z]{5}\b may be helpful when searching at scale.

Leveraging Overlaps with Filebroser

In addition to the "Login - filebroser" page title observed on the small number of servers, the filebroser panel features the same Ohc-Cache-Hit field as JSPSpy. While this doesn't confirm direct integration between the two, the overlap offers another way to refine our queries before we set out on a hunt.

Effective detection is rarely about a single indicator-it's about layering multiple weak signals into something stronger. By combining HTTP headers, response behaviors, and contextual details like page titles, defenders can improve visibility into JSPSpy deployments and, in this case, similar web-based tooling.

Conclusion

JSPSpy and tools like filebroser illustrate how attackers continue to rely on web shells for persistent access, blending into legitimate infrastructure with minimal noise. The presence of filebroser on some servers raises further questions about its purpose and whether it serves an operational role in addition to JSPSpy.

Web shells remain a preferred tool for threat actors, offering a low-footprint method for maintaining access and executing post-compromise actions.

Proactively identifying and monitoring these deployments is essential to understanding attacker behaviors and detecting threats.

JSPSpy and Filebroser Network Observables and IOCs

IP AddressASNDomain(s)LocationNotes
124.235.147[.]90CHINANET Jilin province networklearning.gensci-china[.]comCNJSPSpy: Port 80
filebroser: Port 8001
113.45.180[.]224Huawei Cloud Service data centerN/ACNJSPSpy: Port 80
74.48.175[.]44MULTACOM CORPORATIONN/AUSJSPSpy: Port 80
filebroser: Port 8001
22.176.159[.]209Henan Mobile Communications Co.,LtdN/ACNJSPSpy: 8888

Hunt researchers recently identified a cluster of JSPSpy web shell servers with an unexpected addition: Filebroser, a rebranded version of the open-source File Browser file management project.

The slight modification to its name raises questions about whether this was an intentional attempt to evade detection or simply a byproduct of customization. Being observed with JSPSpy suggests a possible role in attack operations-as a persistence mechanism, file management interface, or alternative access point.

Webshells are commonly deployed on compromised servers but can also exist in environments where system administrators use similar tools for remote management. Advanced threat actors and cybercriminals alike have relied on these tools to maintain access, execute commands, and extract files while blending into normal web traffic.

This post examines the infrastructure where Filebroser was observed, its characteristics, and detection strategies for defenders tracking JSPSpy and related activity.

JSPSpy: Recent Server Observations

Developed in Java and first observed in 2013, JSPSpy has been leveraged by multiple threat actors, most recently the Lazarus Group, which NowSecure reported was used against a research organization.

The web shell features a graphical interface for remote access and file management, making it easy for even inexperienced operators to navigate compromised networks.

Recent JSPSpy Server Infrastructure

Our recent analysis of the JSPSpy webshell malicious infrastructure identified four servers presenting a known webpage title, which we'll discuss later to assist defenders in hunting for this cyber threat.

The servers span multiple hosting providers across China and the United States, using a mix of cloud services and traditional ISPs.

  • CHINANET Jilin province network (China)

  • Huawei Public Cloud Service Technologies (China)

  • China Mobile Communications Corporation (China)

  • Multacom Corporation (United States)

Most of the servers host JSPSpy on port 80, likely an effort to blend in with legitimate HTTP web traffic. One of the China-based instances operates on port 8888. Monitoring for these and other webshells on non-standard ports can assist in identifying similar infrastructure.

Of the four, only one ( 124.235.147[.]90) hosts a TLS certificate. The DigiCert issues cert for dgtmeta[.]com (SHA-256: EE00EC12B3E3372E60A6FB59A4D3764CC9FA9CB4289FEF1350E4E6CE36CF1FF6) was first observed by our scans in mid-September 2024 and is still active as of March 6th.

Figure 1: Certificate data for *dgtmeta[.]com in Hunt

Figure 1: Certificate data for *dgtmeta[.]com in Hunt.

Pivoting on the above led to just 12 servers sharing this certificate; however, we have no indications at this time that any of the associated IPs are involved in malicious activity.

For a brief period, learning.gensci-china[.]com resolved to 124.235.147[.]90, where it served the JSPSpy login page when accessed in a browser. GenSci China, a legitimate biopharmaceutical company based in Jilin Province, China, does not have an obvious connection to the webshell activity. While a network compromise is the most likely explanation, other possibilities include an expired or abandoned subdomain, a hosting misconfiguration, or a temporary malicious redirect.

Figure 2: JSPSpy login page hosted at learning.gensci-china[.]com

Figure 2: JSPSpy login page hosted at learning.gensci-china[.]com.

While analyzing these IP addresses, we identified another web-facing login panel on two of the four servers named 'filebroser.'

'filebroser': A Rebranded File Management Panel

Further analysis of the ports of these IP addresses revealed that two of the identified servers ( 124.235.147[.]90 and 74.48.175[.]44) also host a web-facing login panel labeled 'file browser' on port 8001.

Figure 3: Renamed File Browser login page

Figure 3: Renamed File Browser login page.

The webpage closely resembles the File Browser project, an open-source tool designed for managing files through a web-based interface. The suspicious page even uses the same favicon as the legitimate version.

Figure 4: Legitimate File Browser login page

Figure 4: Legitimate File Browser login page.

Internet scans for the webpage titled "登录 - filebroser" yielded fewer than 10 results, none of which hosted additional JSPSpy instances. "登录" translates to 'Login' in English. This suggests that filebroser is not widely deployed and may be specific to a single operator.

While it's unclear whether this panel functions identically to the open-source version or has been modified, its placement alongside JSPSpy makes it worth closer examination.

Identifying JSPSpy and filebroser Activity

If you've been following our research, you know we love finding ways to detect malicious and often-abused frameworks. Whether it's uncovering new attacker infrastructure or building practical detection queries, the goal is always the same-giving defenders the advantage.

One of the most straightforward ways to identify JSPSpy servers is through their login page title, which consistently displays "JspSpy Codz By-Ninty." While this is a useful indicator, it shouldn't be relied on alone-titles are easily modified, and any attacker with a text editor can alter them to evade detection.

A more reliable way to track JSPSpy is to add some of the server's HTTP response headers. These typically include:

  • Server: JSP3/2.0.14

  • Ohc-Cache-Hit: A random five-character alphabetical string (e.g., abcde, xkqyr, lmnav)

For those who don't fear regex, a pattern like \b[a-zA-Z]{5}\b may be helpful when searching at scale.

Leveraging Overlaps with Filebroser

In addition to the "Login - filebroser" page title observed on the small number of servers, the filebroser panel features the same Ohc-Cache-Hit field as JSPSpy. While this doesn't confirm direct integration between the two, the overlap offers another way to refine our queries before we set out on a hunt.

Effective detection is rarely about a single indicator-it's about layering multiple weak signals into something stronger. By combining HTTP headers, response behaviors, and contextual details like page titles, defenders can improve visibility into JSPSpy deployments and, in this case, similar web-based tooling.

Conclusion

JSPSpy and tools like filebroser illustrate how attackers continue to rely on web shells for persistent access, blending into legitimate infrastructure with minimal noise. The presence of filebroser on some servers raises further questions about its purpose and whether it serves an operational role in addition to JSPSpy.

Web shells remain a preferred tool for threat actors, offering a low-footprint method for maintaining access and executing post-compromise actions.

Proactively identifying and monitoring these deployments is essential to understanding attacker behaviors and detecting threats.

JSPSpy and Filebroser Network Observables and IOCs

IP AddressASNDomain(s)LocationNotes
124.235.147[.]90CHINANET Jilin province networklearning.gensci-china[.]comCNJSPSpy: Port 80
filebroser: Port 8001
113.45.180[.]224Huawei Cloud Service data centerN/ACNJSPSpy: Port 80
74.48.175[.]44MULTACOM CORPORATIONN/AUSJSPSpy: Port 80
filebroser: Port 8001
22.176.159[.]209Henan Mobile Communications Co.,LtdN/ACNJSPSpy: 8888

Related Posts:

The Secret Ingredient: Unearthing Suspected SpiceRAT Infrastructure via HTML Response
Jul 11, 2024

Reports on new malware families often leave subtle clues that lead researchers to uncover additional infrastructure not...

The Secret Ingredient: Unearthing Suspected SpiceRAT Infrastructure via HTML Response
Jul 11, 2024

Reports on new malware families often leave subtle clues that lead researchers to uncover additional infrastructure not...

Jun 5, 2024

The threat actor(s) built and controlled at least one of the binaries on the same server, granting us access to numerous..

Jun 5, 2024

The threat actor(s) built and controlled at least one of the binaries on the same server, granting us access to numerous..

Unearthing New Infrastructure by Revisiting Past Threat Reports
May 21, 2024

Suppose you know David Bianco’s “Pyramid of Pain” model. In that case, you know that IP addresses are among the lower indicators of compromise due to their short lifespan and ease of change to legitimate purposes.

Unearthing New Infrastructure by Revisiting Past Threat Reports
May 21, 2024

Suppose you know David Bianco’s “Pyramid of Pain” model. In that case, you know that IP addresses are among the lower indicators of compromise due to their short lifespan and ease of change to legitimate purposes.

The Secret Ingredient: Unearthing Suspected SpiceRAT Infrastructure via HTML Response
Jul 11, 2024

Reports on new malware families often leave subtle clues that lead researchers to uncover additional infrastructure not...

Jun 5, 2024

The threat actor(s) built and controlled at least one of the binaries on the same server, granting us access to numerous..

Unearthing New Infrastructure by Revisiting Past Threat Reports
May 21, 2024

Suppose you know David Bianco’s “Pyramid of Pain” model. In that case, you know that IP addresses are among the lower indicators of compromise due to their short lifespan and ease of change to legitimate purposes.