A sophisticated threat actor deployed a multi-stage webshell called TwoFace on a Middle Eastern organization's web server to gain and maintain remote access for nearly a year.

Who was behind the attack?

The exact identity is unknown, but the initial command came from an IP address in Iran. Other IPs used were from France, the U.S., and Germany, which may also have been compromised systems.

What was the purpose of the attack?

The attackers aimed to steal passwords and gain deep access into the victim's network, particularly targeting Microsoft Exchange infrastructure for further exploitation.

How did the attackers operate?

They used an initial stealthy webshell to load a more powerful, encrypted shell. This allowed them to execute commands, steal passwords, and move laterally through the network using additional webshells.

Was this a widespread attack or a targeted one?

It was a targeted attack, focusing on a specific organization in the Middle East, with long-term persistence and careful operational security.

Why would someone target Exchange servers?

Exchange servers hold sensitive communications and usually have elevated access in enterprise environments, making them valuable for espionage or data theft.

How can organizations protect themselves?

Organizations should monitor for unusual web traffic, restrict lateral server access, audit web server directories regularly, and harden systems against credential dumping tools like Mimikatz.

Is this threat still relevant today?

Yes. The techniques, especially use of layered webshells and credential harvesting, remain relevant and are often reused by threat actors in various forms.

Threats Feed|Unknown|Last Updated 18/07/2025|AuthorCertfa Radar|Publish Date31/07/2017

TwoFace Webshell: Persistent Threat in Middle Eastern Networks

Actor Motivations: Espionage,Exfiltration
Attack Vectors: Vulnerability Exploitation
Attack Complexity: Medium
Threat Risk: Low Impact/High Probability

Threat Overview

Unit 42 uncovered the TwoFace webshell, a sophisticated dual-component tool used by attackers for prolonged unauthorized access within a Middle Eastern organization's network. The TwoFace webshell enabled execution of various commands and facilitated lateral movement by copying itself across servers. The intruders utilized Mimikatz to harvest credentials and orchestrated their attacks from multiple international IP addresses, suggesting a broad geographic operational footprint. Analysis revealed that the attackers maintained access since at least June 2016, using obfuscated C# code on ASP.NET servers to remain undetected and manage the webshell payload.

Reference and Credit: Palo Alto Networks - July 2017

TwoFace Webshell: Persistent Access Point for Lateral Movement

Detected Targets

Type	Description	Confidence
Region	Middle East Countries	Verified

Extracted IOCs

0a77e28e6d0d7bd057167ca8a63da867397f1619a38d5c713027ebb22b784d4f
49f43f2caaea89bd3bb137f4228e543783ef265abbdc84e3743d93a7d30b0a7e
54c8bfa0be1d1419bf0770d49e937b284b52df212df19551576f73653a7d061f
79c9a2a2b596f8270b32f30f3e03882b00b87102e65de00a325b64d30051da4e
818ac924fd8f7bc1b6062a8ef456226a47c4c59d2f9e38eda89fff463253942f
8d178b9730e09e35c071526bfb91ce72f876797ebc4e81f0bc05e7bb8ad1734e
8f0419493da5ba201429503e53c9ccb8f8170ab73141bdc6ae6b9771512ad84b
9a361019f6fbd4a246b96545868dcb7908c611934c41166b9aa93519504ac813
bca01f14fb3cb4cfbe7f240156feebc55abac73a6c96b9f75da2f9df580101ef
c116f078a0b9ea25c5fdb2e72914c3446c46f22d9f2b37c582600162ed711b69
d0ffd613b1b285b15e2d6c038b0bd4951eb40eb802617cf6eb4f56cda4b023e3
e33096ab328949af19c290809819034d196445b8ed0406206e7418ec96f66b68
e342d6bf07de1257e82f4ea19e9f08c9e11a43d9ad576cd799782f6e968914b8
ed684062f43d34834c4a87fdb68f4536568caf16c34a0ea451e6f25cf1532d51
f17272d146f4d46dda5dc2791836bfa783bdc09ca062f33447e4f3a26f26f4e0
f4da5cb72246434decb8cf676758da410f6ddc20196dfd484f513aa3b6bc4ac5
fd47825d75e3da3e43dc84f425178d6e834a900d6b2fd850ee1083dbb1e5b113

download

Tip: 17 related IOCs (0 IP, 0 domain, 0 URL, 0 email, 17 file hash) to this threat have been found.

FAQs

Understanding the TwoFace Webshell Incident

: A sophisticated threat actor deployed a multi-stage webshell called TwoFace on a Middle Eastern organization's web server to gain and maintain remote access for nearly a year.
: The exact identity is unknown, but the initial command came from an IP address in Iran. Other IPs used were from France, the U.S., and Germany, which may also have been compromised systems.
: The attackers aimed to steal passwords and gain deep access into the victim's network, particularly targeting Microsoft Exchange infrastructure for further exploitation.
: They used an initial stealthy webshell to load a more powerful, encrypted shell. This allowed them to execute commands, steal passwords, and move laterally through the network using additional webshells.
: It was a targeted attack, focusing on a specific organization in the Middle East, with long-term persistence and careful operational security.
: Exchange servers hold sensitive communications and usually have elevated access in enterprise environments, making them valuable for espionage or data theft.
: Organizations should monitor for unusual web traffic, restrict lateral server access, audit web server directories regularly, and harden systems against credential dumping tools like Mimikatz.
: Yes. The techniques, especially use of layered webshells and credential harvesting, remain relevant and are often reused by threat actors in various forms.

About Affiliation

Unknown

Associate threats