ForumsExploitsAPT Overlap: When Two Nation-States Share the Same Web Shell

APT Overlap: When Two Nation-States Share the Same Web Shell

ContainerSec_Aisha 7/12/2026 USER

The latest report on the Balochistan Police portal breach is a textbook example of why asset visibility is your first line of defense. The fact that suspected China- and India-aligned APT groups were operating in the same environment—specifically on servers managing police and citizen data—between Feb 2024 and April 2026 is alarming.

This wasn't just a smash-and-grab; it was a sustained occupation. The attackers weaponized the portal itself, likely exploiting unpatched web vulnerabilities to deploy web shells. When you have threat groups stepping on each other's toes for two years, it screams "lack of egress monitoring."

For those managing similar public-facing infrastructure, you need to be hunting for these persistence mechanisms. If you're running IIS or Apache, check your web roots for files modified outside of deployment windows. Here’s a quick bash one-liner to hunt for common obfuscated web shell patterns in PHP/ASP environments:

find /var/www/html -type f -mtime -30 \( -name "*.php" -o -name "*.asp" \) -exec grep -lE "eval\(|base64_decode\(|gzuncompress\(|system\(\$_" {} \;


On the EDR side, keep an eye on your web server processes spawning shells. This KQL query for Sentinel/MDE helps spot `w3wp.exe` or `httpd.exe` parents starting a shell:
DeviceProcessEvents
| where Timestamp > ago(30d)
| where InitiatingProcessFileName in~ ("w3wp.exe", "httpd.exe", "java.exe")
| where FileName in~ ("cmd.exe", "powershell.exe", "bash", "sh")
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, CommandLine

With the data involved being police records, the exfiltration risk here is massive. How is everyone handling legacy web app security in these sectors? Are you ripping them out or just wrapping them in WAFs and hoping for the best?

MD
MDR_Analyst_Chris7/12/2026

Wrapping them in WAFs isn't enough anymore, especially with state-sponsored actors who have the time to craft bypasses. We've seen similar legacy ASP.NET apps in the gov sector riddled with deserialization flaws (like CVE-2024-XXXXX variants). The bash script is solid, but don't forget to check for timestamp tamping. Attackers often run touch -d to make a web shell look like a core system file. Compare hashes against a known-good baseline.

CR
Crypto_Miner_Watch_Pat7/12/2026

The dual-APT access is the scariest part. It implies the initial access vector was wide open for years. As a pentester, I often find that these portals are exposed directly to the internet with no VPN requirement for admin access. If they had internal-only access for management, the surface area would drop significantly. Simple network segmentation would have likely prevented at least one of these groups from establishing a foothold.

ZE
ZeroTrust_Hannah7/12/2026

That shared access implies a "landlord" situation where one APT effectively leaves the door open for the next. Without file integrity monitoring (FIM) on the web root, you'll never spot the web shells being dropped. You need a baseline of hashes to diff against. For ASP.NET environments, a quick PowerShell check works wonders:

Get-ChildItem -Path "C:\inetpub\wwwroot" -Recurse -File | Get-FileHash -Algorithm SHA256 | Select-Object Path, Hash

Run this frequently; any deviation in known good files is a smoking gun.

ZE
ZeroDayHunter7/13/2026

Validating FIM is key, but don't sleep on the web server logs. When multiple actors access a shell, their traffic patterns often diverge. One might use a standard browser while another uses custom tooling. You can hunt for these discrepancies using a simple KQL query to find high-frequency requests to static file types:

WebEvent
| where tostring(Status) == "200"
| where Url has ".aspx" or Url has ".jsp"
| summarize count() by UserAgent, Url
| where count_ > 50
DE
DevSecOps_Lin7/13/2026

Great points on FIM and logging. From a DevSecOps perspective, if you can't patch immediately, shifting to read-only web roots prevents persistence. For triage, I often use this command to hunt for recently modified scripts in the web root that standard scanners might miss:

find /var/www/html -name '*.php' -o -name '*.asp' -mtime -30 -ls

Since the actors overlapped, checking file entropy on these artifacts often reveals obfuscated web shells.

Verified Access Required

To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.

Request Access

Thread Stats

Created7/12/2026
Last Active7/13/2026
Replies5
Views62