Chinese ‘Web Shell Whisperer’ exploits shells and tunnels for stealthy access



Sygnia uncovered a cyber espionage operation by a China-linked group, “Weaver Ant.”

The group targeted a major Asian telecom company, using web shells and tunnels for persistent access and espionage. This case shows how state-backed hackers keep evolving to evade detection and maintain long-term access.

All about Web Shell Whisperer

Weaver Ant used two web shells: an encrypted variant of China Chopper and a new shell dubbed ‘INMemory’.

The encrypted China Chopper variant uses AES encryption to evade WAF detection and was placed on external servers to provide network access.

(Figure: web shell deployment chain)

Sygnia reports that this web shell enables file management, command execution, and data exfiltration, making it a powerful tool for attackers.

The INMemory web shell runs entirely in memory, leaving no file on disk for scanners to find. It decodes a hardcoded GZipped Base64 string into a PE file (‘eval.dll’) and executes it using JScript.
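As an added example (not code from Sygnia's report or this article), the following Python hunting check looks for the INMemory layout described above: a long hard-coded Base64 string that decodes to a GZip stream wrapping a PE. It scans a file's raw bytes for Base64 runs, decodes and decompresses each one, and reports those whose payload starts with the PE ‘MZ’ header; the ASPX-like sample text and its fake payload (an MZ header plus hash-derived filler, not an executable) are constructed for the demonstration.

```python
import base64
import gzip
import hashlib
import re
import zlib

# Long Base64 runs only; an embedded PE is kilobytes, so short literals are skipped.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{256,}={0,2}")
GZIP_MAGIC = b"\x1f\x8b"
PE_MAGIC = b"MZ"


def find_embedded_gzipped_pe(data: bytes) -> list:
    """Scan raw file bytes for Base64 runs that decode to a GZip stream and
    report each one, flagging whether the decompressed payload begins with
    the PE 'MZ' header (the INMemory pattern described in the report)."""
    findings = []
    for match in B64_RUN.finditer(data):
        blob = match.group(0)
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if not raw.startswith(GZIP_MAGIC):
            continue
        try:
            payload = gzip.decompress(raw)
        except (OSError, EOFError, zlib.error):  # truncated or corrupt stream
            continue
        findings.append({
            "offset": match.start(),
            "b64_len": len(blob),
            "decompressed_len": len(payload),
            "is_pe": payload.startswith(PE_MAGIC),
        })
    return findings


def build_sample_page() -> bytes:
    """Constructed input: an ASPX-like text carrying a fake 'PE' (an MZ
    header plus incompressible filler, not an executable), gzipped and
    Base64-encoded the way the article describes INMemory's payload."""
    filler = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
    fake_pe = b"MZ" + filler  # 1026 bytes, constructed stand-in
    blob = base64.b64encode(gzip.compress(fake_pe))
    return (b'<%@ Page Language="JScript" %>\n'
            b'<% var payload = "' + blob + b'"; %>\n')


if __name__ == "__main__":
    for hit in find_embedded_gzipped_pe(build_sample_page()):
        print(hit)
```

Run it over web-root files on a mirrored share or a forensic image; a hit with `is_pe` set is worth a closer look, while a GZip blob that is not a PE may still be a packed script.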

Weaver Ant also used a recursive HTTP tunnel tool for lateral movement and internal access. This tool forwards requests between web servers, supporting both ASPX and PHP for cross-platform use.

It dynamically builds and runs cURL commands, enabling seamless navigation across web environments. This adaptive tunneling helped maintain flexibility and avoid detection.

To defend against advanced threats, organizations need a strong security strategy.

  • Continuous Monitoring – Keep systems under constant watch for suspicious activity.
  • Proactive Threat Response – Act quickly to contain and mitigate threats.
  • Regular Threat Hunts – Identify hidden risks before they cause damage.
  • Traffic Control & System Hardening – Secure legacy and public-facing devices.
  • Stealth Monitoring – Use port mirroring and decrypt tunneled traffic to detect covert attacks.
  • Stronger Defense – Implementing these measures helps counter state-sponsored threats like Weaver Ant.

IOCs

Published March 24th, 2025 | Exploitation, Internet Security, Security Advisory, Security Update, Tips

About the Author:

FirstHackersNews- Identifies Security
