In-Depth Analysis Of An Obfuscated Web Shell Script
Fortinet, Friday, July 25th, 2025
This analysis is a follow-up to the investigation titled 'Intrusion into Middle East Critical National Infrastructure' (full report here), conducted by the FortiGuard Incident Response Team (FGIR), which investigated a long-term cyber intrusion targeting critical national infrastructure (CNI) in the Middle East.
The report revealed that threat actors had installed numerous web shell servers on the compromised system. In this follow-up, we conducted a deep analysis of one of these web shell servers, named UpdateChecker.aspx, which was deployed on the Microsoft IIS (Internet Information Services) server of the compromised system.
In this blog, we explore the obfuscation techniques used to protect the web shell, the structure of its JSON-formatted control commands, and the outline of the command traffic observed when the attacker controls the system. We also elaborate on the web shell's capabilities for controlling the compromised system.