Threats Feed | Unknown | Last Updated: 18/07/2025 | Author: Certfa Radar | Publish Date: 31/07/2017

TwoFace Webshell: Persistent Threat in Middle Eastern Networks

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Vulnerability Exploitation
  • Attack Complexity: Medium
  • Threat Risk: Low Impact / High Probability

Threat Overview

Unit 42 uncovered the TwoFace webshell, a sophisticated two-component tool that attackers used to keep prolonged unauthorized access inside a Middle Eastern organization's network. The TwoFace webshell let the operators run a range of commands and supported lateral movement by copying itself to other servers. The intruders used Mimikatz to harvest credentials and directed the intrusion from several international IP addresses, suggesting a broad geographic operational footprint. Analysis showed that the attackers had held access since at least June 2016, relying on obfuscated C# code on ASP.NET servers to stay undetected and to manage the webshell payload.

Detected Targets

Type   | Description           | Confidence
Region | Middle East Countries | Verified

Extracted IOCs


Tip: 17 IOCs related to this threat have been found (0 IP, 0 domain, 0 URL, 0 email, 17 file hashes).

FAQs

Understanding the TwoFace Webshell Incident

A sophisticated threat actor deployed a multi-stage webshell called TwoFace on a Middle Eastern organization's web server to gain and maintain remote access for nearly a year.

The exact identity is unknown, but the initial command came from an IP address in Iran. Other IPs used were from France, the U.S., and Germany, which may also have been compromised systems.

The attackers aimed to steal passwords and gain deep access into the victim's network, particularly targeting Microsoft Exchange infrastructure for further exploitation.

They used an initial stealthy webshell to load a more powerful, encrypted shell. This allowed them to execute commands, steal passwords, and move laterally through the network using additional webshells.

It was a targeted attack, focusing on a specific organization in the Middle East, with long-term persistence and careful operational security.

Exchange servers hold sensitive communications and usually have elevated access in enterprise environments, making them valuable for espionage or data theft.

Organizations should monitor for unusual web traffic, restrict lateral server access, audit web server directories regularly, and harden systems against credential dumping tools like Mimikatz.

Yes. The techniques, especially use of layered webshells and credential harvesting, remain relevant and are often reused by threat actors in various forms.