Godzilla

Malware Profile (updated a month ago)
Godzilla is a potent malware, used as a web shell, that allows attackers to remotely control compromised servers: execute arbitrary commands, upload and download files, manipulate databases, and carry out other malicious activity. CrowdStrike linked the malware to the group it tracks as Ethereal Panda on the basis of shared tactics, techniques, and procedures (TTPs), including the use of Godzilla as an open-source webshell. Multiple hacktivist groups, including Skynet, Godzilla, and Anonymous Sudan, have claimed responsibility for incidents involving this malware. Godzilla gained notoriety in March 2024 when attackers exploited a vulnerability in the WordPress plugin 3DPrint Lite (CVE-2021-4436) to deploy it; exploiting vulnerabilities in widely used software such as WordPress plugins is a common way for cybercriminals to gain unauthorized access. Attacks against Confluence also made use of the Godzilla web shell, further cementing its reputation in the security community. Beyond its initial capabilities, the attackers have continued to increase the sophistication of the bot and its operation, introducing an intermediary loader known as the Godzilla Loader and obfuscating key elements of the binary. The payload distributed by Godzilla Loader has been used in multiple campaigns to deliver other malware, including Dridex, Trickbot, and Panda Banker, indicating a high degree of adaptability and threat.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possibly overlapping names and profiles that may also be worth examining.
ID | Votes | Profile Description
Godzilla Web Shell | 3 | The Godzilla Web Shell is a type of malware that has been used by threat actors to exploit vulnerabilities in systems. Malware, or malicious software, is a harmful program designed to infiltrate and damage computers or devices, often without the knowledge of the user. It can enter your system throug
Meterpreter | 1 | Meterpreter, a type of malware, is an attack payload of Metasploit that serves as an interactive shell, enabling threat actors to control and execute code on a system. Advanced Persistent Threat (APT) actors have created and used a variant of Metasploit (Meterpreter) on the ServiceDesk system, liste
Miscellaneous Associations
Other elements of context that could aid in assessing relevance:
Loader
Webshell
Web Shell
Activemq
Payload
Vulnerability
Sudan
Botnet
Domains
Rat
Phishing
Malware
Bot
Wordpress
Exploit
Backdoor
Confluence
Ddos
Source
Apache Activ...
Apache
Associated Malware
ID | Type | Votes | Profile Description
China Chopper | Unspecified | 1 | China Chopper is a notorious malware that has been widely used by various Advanced Persistent Threat (APT) groups, notably BRONZE UNION. This web shell was found embedded in multiple web shells on SharePoint servers, such as stylecs.aspx, test.aspx, and stylecss.aspx. It is believed to be associated
Emotet | Unspecified | 1 | Emotet is a highly dangerous and insidious malware that has resurfaced with increased activity this summer. Originally distributed via email attachments, it infiltrates systems often without the user's knowledge, forming botnets under the control of criminals for large-scale attacks. Once infected,
InnaputRAT | Unspecified | 1 | InnaputRAT is a Remote Access Trojan (RAT) malware that has been distributed by threat actors using phishing techniques and the Godzilla Loader. The malware, capable of exfiltrating files from victim machines, was identified in campaigns where it beaconed to live C2 as of March 26, 2018. The threat
graphican | Unspecified | 1 | Graphican is a novel malware developed by the Chinese threat actor group known as Flea, APT15, or Nickel. The malware, an evolution of the group's custom backdoor Ketrican, has been used in a series of cyber-attacks against foreign affairs ministries across Central and South America between late 202
Associated Threat Actors
ID | Type | Votes | Profile Description
Anonymous Sudan | Unspecified | 2 | Anonymous Sudan, a threat actor group known for its malicious cyber activities, has recently been the subject of increased attention in the cybersecurity industry. This entity, which could consist of a single individual, a private company, or part of a government organization, is responsible for exe
Ethereal Panda | Unspecified | 1 | Ethereal Panda, also known as Flax Typhoon, is a threat actor believed to be based in China. The activities of this group strongly overlap with those reported under the aliases Flax Typhoon by Microsoft and Ethereal Panda by CrowdStrike. This correlation suggests that Ethereal Panda operates as a na
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2021-4436 | Unspecified | 1 | None
Source Document References
Information about the Godzilla malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
InfoSecurity-magazine | a month ago | China-Based RedJuliett Targets Taiwan in Cyber Espionage Campaign
CERT-EU | 5 months ago | Technical Glitch Causes Global Disruption for Meta Users
DARKReading | 5 months ago | Stealth Bomber: Atlassian Confluence Exploits Drop Web Shells In-Memory
CERT-EU | 5 months ago | Apple TV+ shows and movies: What to watch on Apple TV Plus
CERT-EU | 5 months ago | Hackers Exploit WordPress Plugin Flaw to Deploy Godzilla Web Shell
MITRE | a year ago | Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files | NETSCOUT
CERT-EU | 8 months ago | Apple TV+ shows and movies: What to watch on Apple TV Plus
Securityaffairs | 9 months ago | After ChatGPT, Anonymous Sudan took down Cloudflare website
CERT-EU | 7 months ago | Apple TV+ shows and movies: What to watch on Apple TV Plus
CISA | a year ago | MAR-10400779-1.v1 – Zimbra 1 | CISA
Checkpoint | a year ago | Rhadamanthys: The "Everything Bagel" Infostealer - Check Point Research
CERT-EU | a year ago | The Morning After: 'GTA VI' hacker leaked game footage with a Fire TV Stick | Engadget
CERT-EU | a year ago | Flea APT's latest campaign targets foreign affairs ministries with new Graphican backdoor
CERT-EU | 8 months ago | Apple TV+ shows and movies: What to watch on Apple TV Plus
CERT-EU | 7 months ago | Apple TV+ shows and movies: What to watch on Apple TV Plus
CERT-EU | 5 months ago | Apple TV+ shows and movies: What to watch on Apple TV Plus
CERT-EU | 5 months ago | Apple TV+ shows and movies: What to watch on Apple TV Plus
DARKReading | 6 months ago | Godzilla Web Shell Attacks Stomp on Critical Apache ActiveMQ Flaw
Securityaffairs | 6 months ago | Threat actors exploit Apache ActiveMQ flaw to deliver the Godzilla Web Shell