BEHINDER

Behinder, also known as Rebeyond, Ice Scorpion, and 冰蝎, is a cross-platform web shell used to provide persistent remote access on compromised web servers. The content states it is designed to work with PHP, Java/JSP, and ASP.NET environments and supports encrypted operator communications, including AES-encrypted communications; one observed modified variant used Base64 instead of the AES encryption commonly seen in other variants. Behinder is described as modular, with plugin or module-based post-exploitation capabilities, and has been associated with modules and components such as BShell.dll, BasicInfo.dll, Cmd.dll, Database.dll, Echo.dll, Eval.dll, FileOperation.dll, Hs.dll, LoadNativeLibrary.dll, Loader.dll, Plugin.dll, PortMap.dll, RealCMD.dll, RemoteSocksProxy.dll, ReversePortMap.dll, SocksProxy.dll, Transfer.dll, and Utils.dll. Distinctive in-memory indicators linked to Behinder included the method names EnjsonAndCrypt and getExtraData and a repeated 0x7E byte array.

Across the provided reporting, Behinder was deployed after exploitation of internet-facing applications and appliances, including Atlassian Confluence, Ivanti Endpoint Manager Mobile (EPMM), Cisco Catalyst SD-WAN Manager/Controller, Trimble Cityworks, SharePoint/IIS environments, and Ivanti CSA. Observed deployments included JSP web shells such as conf.jsp, sysinit.jsp, and web shells dropped under paths like /mi/tomcat/webapps/mifs/, with Ivanti EPMM cases also noting filenames 401.jsp, 403.jsp, and 1.jsp and a Behinder variant deployed as conf.jsp on Cisco SD-WAN. In Confluence exploitation, Volexity observed attackers install BEHINDER as a JSP web shell and then use it to deploy China Chopper and a file upload tool. In Cisco Talos reporting on Trimble Cityworks exploitation, Behinder was one of several IIS web shells rapidly deployed after CVE-2025-0994 exploitation. In Cisco SD-WAN exploitation clusters active from March 2026, Behinder and modified Behinder variants were deployed by multiple clusters following exploitation of CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122.

The malware is repeatedly associated in the content with Chinese-speaking or China-nexus activity. Reporting links its use to Chinese-language tooling or documentation, Chinese-language messages in deployed web shells and uploaders, UTC+8 operational alignment, and campaigns assessed as Chinese-speaking, PRC-nexus, or China state-aligned. Threat actors and clusters mentioned using Behinder include UAT-6382, APT15, UNC5174/Houken, TGR-STA-1030/UNC6619, and multiple Cisco SD-WAN exploitation clusters; Volexity also assessed multiple threat actors from China were exploiting Confluence and installing BEHINDER. The content also notes Behinder is publicly available, including on GitHub, and that Chinese-language tutorials have made it broadly accessible.

Behinder has been used against government, critical infrastructure, municipal, healthcare, manufacturing, legal, high-tech, telecommunications, finance, media, transport, education, and foreign affairs targets, depending on the campaign. Its role in the cited intrusions was to provide remote command execution, backdoor access, persistence, and follow-on post-exploitation support alongside tools such as Godzilla, Neo-reGeorg, AntSword, China Chopper, VShell, Sliver, Cobalt Strike, GOST, FRPS, IOX, and GOREVERSE.