Lemurloot
LEMURLOOT is a custom C# ASP.NET web shell designed specifically to target Progress Software MOVEit Transfer. It was deployed in the large-scale exploitation of the MOVEit Transfer SQL injection vulnerability CVE-2023-34362 beginning in late May 2023, in activity attributed to the Clop extortion operation, also tracked as TA505, FIN11, Snakefly, and by Mandiant as UNC4857 before attribution was merged into FIN11. The malware was installed on internet-facing MOVEit Transfer systems after exploitation of the vulnerable web application, including activity associated with requests to guestaccess.aspx and the legitimate human.aspx component. It commonly masqueraded as human2.aspx or _human2.aspx, placed in the MOVEit Transfer wwwroot directory, and was intended to resemble the legitimate human.aspx file.
Its observed capabilities include persistent access, authenticated command handling over HTTPS, theft of data from underlying MOVEit Transfer databases, enumeration of files and folders, retrieval of configuration information, extraction of Azure Blob storage settings and credentials, downloading files, and user-account manipulation. Reported functions include retrieving records; creating, inserting, or deleting a user; and in some cases creating a new administrator account with randomly generated credentials using LoginName and RealName set to "Health Check Service." LEMURLOOT connects to the SQL server using MOVEit application settings and can return stolen data, including gzip-compressed responses and comfile-formatted output described in government reporting. In multiple investigations, operators stole large volumes of files within minutes of web shell deployment, and the malware was also used to access data stored via Azure Blob storage when configured by victims.
LEMURLOOT authenticates requests using a password supplied in the HTTP header X-siLock-Comment; reporting describes this as either a hard-coded password or a randomly generated 36-character GUID-formatted value that varies by sample. If the expected header is absent or incorrect, the web shell returns HTTP 404, so the shell looks like a missing page to anyone who does not know the password. Additional command parameters were observed in headers including X-siLock-Step1, X-siLock-Step2, and X-siLock-Step3. High-confidence indicators include the filenames human2.aspx, _human2.aspx, and human2.aspx.lnk in the MOVEit wwwroot directory, as well as the use of the X-siLock-Comment header. The malware was central to Clop’s MOVEit data-theft and extortion campaign affecting government and enterprise victims across multiple sectors and geographies.
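The indicators above (the human2.aspx-style filenames, the X-siLock-Comment password header, the X-siLock-Step1/2/3 parameter headers, and the 404 returned on a failed password check) translate directly into a hunt. The script below is an added example, not code from this page or from Mallory: it checks web request records and file names against those indicators. It assumes request records that still carry their headers (for instance from a reverse proxy or WAF export; default IIS logs do not record custom request headers), and the sample records are constructed for illustration.

```python
"""Hunt for LEMURLOOT indicators in web request records and in a wwwroot tree.

Indicator names come from public reporting on LEMURLOOT; the request records
and hosts below are constructed examples, not captured traffic.
"""
import os
import posixpath
from typing import Dict, Iterable, List, Tuple

# File names the web shell has been observed using in the MOVEit Transfer wwwroot.
SHELL_FILENAMES = {"human2.aspx", "_human2.aspx", "human2.aspx.lnk"}

# Custom headers the shell uses for its password and command parameters.
SILOCK_HEADERS = {"x-silock-comment", "x-silock-step1",
                  "x-silock-step2", "x-silock-step3"}


def request_indicators(record: Dict) -> List[str]:
    """Return the LEMURLOOT indicators present in one request record.

    A record is assumed to carry 'path', 'headers' (a dict) and 'status'.
    """
    hits = []
    name = posixpath.basename(record.get("path", "")).lower()
    if name in SHELL_FILENAMES:
        hits.append(f"request to web-shell filename {name}")
    headers = {k.lower(): v for k, v in record.get("headers", {}).items()}
    for header in sorted(headers.keys() & SILOCK_HEADERS):
        hits.append(f"custom header {header} present")
    # The shell answers 404 when the password header is missing or wrong, so a
    # 404 on a shell path does not prove the file is absent; flag it as well.
    if name in SHELL_FILENAMES and record.get("status") == 404:
        hits.append("404 on web-shell path (possible failed shell auth)")
    return hits


def scan_requests(records: Iterable[Dict]) -> List[Tuple[str, List[str]]]:
    """Return (source, indicators) for every record that matched something."""
    results = []
    for record in records:
        hits = request_indicators(record)
        if hits:
            results.append((record.get("src", "?"), hits))
    return results


def suspicious_names(names: Iterable[str]) -> List[str]:
    """Return the file names that match a known LEMURLOOT file name."""
    return sorted(n for n in names if n.lower() in SHELL_FILENAMES)


def scan_wwwroot(root: str) -> List[str]:
    """Walk a wwwroot directory and return full paths of matching file names."""
    found = []
    for dirpath, _, files in os.walk(root):
        found.extend(os.path.join(dirpath, f) for f in suspicious_names(files))
    return sorted(found)


# Constructed sample records: one legitimate request, one shell interaction
# with the custom headers, and one shell path that answered 404.
SAMPLE_REQUESTS = [
    {"src": "192.0.2.10", "path": "/human.aspx", "status": 200, "headers": {}},
    {"src": "203.0.113.5", "path": "/human2.aspx", "status": 200,
     "headers": {"X-siLock-Comment": "<password-placeholder>",
                 "X-siLock-Step1": "-1"}},
    {"src": "198.51.100.9", "path": "/_human2.aspx", "status": 404, "headers": {}},
]

if __name__ == "__main__":
    for src, hits in scan_requests(SAMPLE_REQUESTS):
        print(src, "->", "; ".join(hits))
    # On a MOVEit host this would point at the real wwwroot, e.g. scan_wwwroot(r"C:\MOVEitTransfer\wwwroot")
```

Treat a hit on either the filename or the header as high confidence, as the reporting above does; the 404 rule is a weaker signal added here because the shell deliberately hides behind that status, so it is worth pairing with a file-system check of wwwroot rather than dismissing as a missing page.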
Vulnerabilities exploited
One CVE has been correlated with this family across public research and vendor advisories.
CVE-2023-34362, a critical SQL injection vulnerability (CVSS 9.8), was the linchpin of this campaign, enabling unauthenticated attackers to seize control of MOVEit Transfer databases, deploy persistent web shells, and launch extortion operations at scale.
With elevated access, attackers deployed a custom web shell known as LEMURLOOT (human2.aspx) to the wwwroot directory. This web shell enabled persistent access, command execution, and facilitated further data exfiltration.
Groups observed using it
5 distinct threat actors attributed by public researchers.
In May 2023, a widespread SQL injection attack targeted MOVEit, a widely used file-transfer service. The attacks, attributed to the Russian-speaking cybercrime group Clop, compromised multiple global organizations... Attackers exploited a critical vulnerability, installing a custom webshell called "LemurLoot" to rapidly access and exfiltrate large volumes of data.
According to a joint advisory issued by the U.S. Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA), the attackers exploited the vulnerability to install a web shell called Lemurloot (JS.Malscript!g1) on affected systems. This was then used to steal data from underlying databases.
Attackers have exploited the SQLi vulnerability to deploy a custom ASP.NET web shell (LEMURLOOT) to achieve persistence on victim networks to allow for further attack.
Following exploitation of the vulnerability, the threat actors are deploying a newly discovered LEMURLOOT web shell with filenames that masquerade as human.aspx... LEMURLOOT provides functionality tailored to execute on a system running MOVEit Transfer software...
Techniques & procedures
16 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (3 techniques)
Lemurloot was designed specifically to target the MOVEit Transfer platform... and can create, insert, or delete a particular user.
Execution (1 technique)
Persistence (4 techniques)
Lemurloot was designed specifically to target the MOVEit Transfer platform... and can create, insert, or delete a particular user.
Privilege Escalation (2 techniques)
Stealth (2 techniques)
Credential Access (2 techniques)
Collection (2 techniques)
SQL injection attacks allow attackers to ... allow the complete disclosure of all data on the system...
LEMURLOOT can also steal Azure Storage Blob information, including credentials, from the MOVEit Transfer application settings, suggesting that actors exploiting this vulnerability may be stealing files from Azure in cases where victims are storing appliance data in Azure Blob storage.
Command and Control (1 technique)
IOCs tracked for this family
110 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
8 sources tracked across advisories, community write-ups, and news.
A custom web shell deployed on compromised MOVEit Transfer servers to provide persistent access, enable command execution, and support data exfiltration during exploitation of CVE-2023-34362.
A web shell designed specifically to target the MOVEit Transfer platform. It authenticates incoming HTTPS requests via a hard-coded password, downloads files from the MOVEit Transfer database, extracts Azure system settings, retrieves records, and can create, insert, or delete a particular user. It returns stolen data in a comfile format.
Custom ASP.NET web shell deployed after exploiting MOVEit Transfer/Cloud (CVE-2023-34362) to provide persistent access on compromised servers; observed as an .aspx web shell (e.g., 'human2.aspx') with password control via a custom HTTP header.
A custom webshell used in the MOVEit exploitation spree to steal data from victims’ MOVEit Transfer systems. It can also steal Azure Storage Blob information, including credentials, from MOVEit Transfer application settings, and was disguised with filenames such as "human2.aspx" and "human2.aspx.lnk" to resemble a legitimate component.