Detecting Web Shells: Why it is important to add an additional layer of protection on your existing security solutions

by Jun 13, 2024

When it comes to cyber-attacks, web shells play a critical role in the arsenal of cyber criminals. They can provide persistent, stealthy access to compromised systems, making them a favored tool for maintaining long-term control over infected networks. In the following blog post, we will explain how our APT scanner THOR ensures that such threats are detected and why this is essential for maintaining robust cybersecurity defenses.

Understanding the Role of Web Shells

Web shells are versatile tools used for a variety of malicious activities, including data exfiltration, privilege escalation, lateral movement within networks, and launching further attacks. Their stealthy nature, often hidden within legitimate web traffic, makes them difficult to detect with traditional security measures, complicating incident response and cleanup.

In the hands of cyber criminals, web shells act as a gateway to exploitation. They enable attackers to establish a foothold in compromised systems, allowing for remote access and control. This foothold can then be leveraged to execute a multitude of malicious actions, from stealing sensitive data to deploying ransomware or conducting reconnaissance for future attacks.

Moreover, web shells are not limited to a specific type of attack or target. They are highly adaptable and can be deployed across various platforms and environments, making them a persistent threat in today’s interconnected digital landscape.

The Limitations of Antivirus Solutions

While traditional antivirus (AV) solutions play a crucial role in cybersecurity by identifying and removing known malware, they often fall short when it comes to detecting web shells. Unlike conventional malware, which operates as standalone executables or scripts, web shells are sometimes embedded within legitimate web applications or files, making them harder to detect using signature-based detection methods.

Furthermore, cyber criminals are constantly evolving their tactics to evade detection by AV solutions. They employ obfuscation techniques or encryption, and polymorphism to disguise their web shells, rendering traditional AV ineffective against these advanced threats.

The Importance of Specialized Tools

To effectively combat web shell attacks, organizations need to supplement their existing security solutions with specialized tools designed to detect and mitigate these threats. Solutions like our APT scanner THOR utilize a large set of generic rules that combine the tiniest patterns found in common web shells to detect new, modified or embedded web shells and has specific rules to detect the obfuscation itself.

To showcase the effectiveness of THOR in detecting web shells, we recently conducted a comparison study. We compared the web shell detection coverage between THOR and 70 antivirus solutions on VirusTotal. The study utilized the largest and most respected web shell repository on GitHub, curated by Tencent. By analyzing files identified as web shells by either THOR or any of the antivirus solutions on VirusTotal, we found that THOR consistently outperformed other solutions in detecting web shells.

Methodology: A Fair and Neutral Comparison

To ensure an unbiased comparison, we utilized the largest and most popular web shell repository on GitHub, curated by Tencent. This repository is highly respected and widely used, providing a reliable basis for our analysis.

Key Points:

  • Neutral Basis: We deliberately chose not to use our own web shell collection. Instead, we relied on Tencent’s repository to prevent any bias.
  • Detection Criteria: Only files identified as web shells by either THOR or any of the 70 antivirus solutions on VirusTotal were included. This approach eliminated non-relevant files such as READMEs, libraries, images, and CSS files.
  • Current Data: All files were uploaded and reanalyzed on VirusTotal on May 13th, 2024, ensuring the antivirus detections were up-to-date.
  • Versions Used
    • THOR: Version 10.7.15, Build: c114b1893902 (2024-03-25 10:29:36)
    • Signature Database: 2024/05/06-133122
  • The data files from our analysis are available for review:
    • THORcsv: THOR’s CSV output, counting duplicate MD5 hashes only once
    • webshell-vt-hash-db.json: Munin’s output from the VirusTotal search

Key Takeaways

  • Superior Detection: THOR detects web shells better than any other solution on the market.
  • Comprehensive Security: Our findings highlight the need for more than just AV for a resilient security architecture.

Comparison of the detection coverage of web shell between Nextron’s THOR and the antivirus vendors on Virustotal.


At Nextron, we recognize the critical importance of web shell detection in today’s threat landscape. While traditional antivirus (AV) solutions focus on identifying and removing known malware, our APT scanner THOR excels in detecting the traces of hacking activity, such as obfuscations, web shells, configuration backdoors, malware-less backdoors, outputs of hack tools, remnants of malware, and anomalies in system files.

About the author:

Nextron Threat Research Team


New blog posts (~1 email/month)

GDPR Cookie Consent with Real Cookie Banner