ZypeerShell: New PHP Webshell Pushed to GitHub Promises Undetectable C2 Capabilities
A new PHP webshell named ZypeerShell has appeared on GitHub, marketed as undetectable and feature-rich, with a built-in GSocket deploy function for C2 communication and an obfuscated variant using Fortress Layer.

A new PHP webshell called ZypeerShell has been discovered on GitHub, claiming to be "the most powerful, undetectable, and feature-rich PHP webshell available on GitHub." The repository, pushed about two months ago, has drawn attention from security researchers at the SANS Internet Storm Center, who noted that while the shell includes many classic webshell features, it also contains a notable function for establishing command-and-control (C2) communications via GSocket.
The webshell includes a function named zypeergsdeploy() that is designed to connect to a C2 server through GSocket. This function executes a command that downloads and runs the official GSocket installation script from https://gsocket.io/y. After installation, the function displays a secret token and a connection command, such as gs-netcat -s "XXXX" -i. Interestingly, the researcher noted that this function is never called from the GUI in the version they analyzed, suggesting it may be intended for manual invocation or future use.
The GitHub repository also contains an obfuscated version of the webshell that uses Fortress Layer, a multi-layer loader with integrity checks. This obfuscation technique is designed to evade detection by security tools and make analysis more difficult. The use of such layered obfuscation indicates that the authors are actively trying to bypass antivirus and endpoint detection systems.
ZypeerShell is being promoted on Telegram as a red-team tool, though its capabilities and marketing language suggest it could be used for malicious purposes. The webshell provides a range of classic features typical of such tools, including file management, command execution, and database interaction. The addition of the GSocket deploy function, however, sets it apart by offering a built-in mechanism for establishing persistent C2 channels.
GSocket is a legitimate open-source tool that allows users to create secure, outbound-only connections through firewalls and NAT. By integrating GSocket deployment into the webshell, ZypeerShell enables attackers to establish stealthy C2 channels that can bypass network security controls. This technique is particularly effective in environments where outbound connections are restricted or monitored.
The discovery of ZypeerShell underscores the ongoing popularity of webshells as a persistent threat vector. Webshells remain a favored tool for attackers because they provide a simple, flexible way to maintain access to compromised servers. The SANS Internet Storm Center has previously covered webshells extensively, noting their prevalence in both targeted attacks and broad scanning campaigns.
Security teams are advised to monitor for the presence of ZypeerShell on their web servers, particularly PHP-based environments. Indicators of compromise include the presence of files named with variations of "zypeer" or the execution of the GSocket installation command. Organizations should also review outbound connections to gsocket.io and related domains as potential signs of C2 activity.
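As an added example (not code from the article, the SANS diary or the ZypeerShell repository), the checks above can be turned into a small defender-side scan: it walks a PHP webroot for the indicators the report names (file names containing "zypeer", the zypeergsdeploy() function, the installer URL https://gsocket.io/y, the gs-netcat -s command) and flags proxy or DNS log lines that reference gsocket.io. The file suffix list, the sample files and the log lines are constructed assumptions.

```python
import os
import re
import tempfile
# Added example (not from the article or the ZypeerShell repository). Indicators are the
# ones the report names: file names containing "zypeer", the zypeergsdeploy() function,
# the installer URL https://gsocket.io/y and the gs-netcat -s connection command.
NAME_PATTERN = re.compile(r"zypeer", re.IGNORECASE)
CONTENT_PATTERNS = {
    "zypeergsdeploy_function": re.compile(r"zypeergsdeploy\s*\(", re.IGNORECASE),
    "gsocket_installer_url": re.compile(r"gsocket\.io/y\b", re.IGNORECASE),
    "gs_netcat_connect": re.compile(r"gs-netcat\s+-s\b", re.IGNORECASE),
}
C2_DOMAIN_PATTERN = re.compile(r"\bgsocket\.io\b", re.IGNORECASE)
PHP_EXTENSIONS = (".php", ".phtml", ".inc")  # assumption: suffixes the server executes

def scan_content(text):
    """Return the names of the content indicators present in one file's text."""
    return [name for name, pat in CONTENT_PATTERNS.items() if pat.search(text)]

def scan_webroot(root):
    """Walk a webroot; return {path: [reasons]} for PHP files matching any indicator."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, fn)
            reasons = ["filename_contains_zypeer"] if NAME_PATTERN.search(fn) else []
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    reasons.extend(scan_content(fh.read()))
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole scan
            if reasons:
                findings[path] = reasons
    return findings

def flag_outbound_c2(log_lines):
    """Return proxy or DNS log lines that reference the GSocket relay domain."""
    return [line for line in log_lines if C2_DOMAIN_PATTERN.search(line)]

def demo():
    """Scan a constructed sample webroot and log; returns (file findings, log hits)."""
    root = tempfile.mkdtemp(prefix="zypeer_demo_")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")  # benign file, must not be flagged
    with open(os.path.join(root, "zypeer_x.php"), "w") as fh:  # constructed stand-in
        fh.write("<?php function zypeergsdeploy() { /* https://gsocket.io/y */ } ?>\n")
    logs = ["proxy CONNECT gsocket.io:443 from 10.0.0.5", "proxy GET example.com/"]
    return scan_webroot(root), flag_outbound_c2(logs)
```

Run it against a real webroot with `scan_webroot("/var/www/html")` and against exported proxy or DNS logs with `flag_outbound_c2(lines)`; a hit on the content patterns in a file that does not carry the "zypeer" name is the case worth prioritising, since a renamed copy is the obvious evasion.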
While ZypeerShell is currently being promoted as a red-team tool, its availability on a public repository and its promotion on Telegram lower the barrier for entry for malicious actors. The use of Fortress Layer obfuscation further complicates detection, making it important for defenders to stay informed about this new threat and update their detection signatures accordingly.