Godzilla
Start Date: 2025
Most Recent Activity: 2025
Executive Summary
Godzilla is a stealth-focused webshell management framework widely used for maintaining persistent access to compromised web servers. It supports multiple server-side languages and enables attackers to execute commands, transfer files, deploy additional payloads, and control compromised infrastructure through an encrypted client-server interface.
Overview
Description
Type: Webshell / Post-Exploitation Framework
Delivery: Upload vulnerabilities, exploited web applications, compromised administrator panels
Capabilities: Remote command execution, file management, plugin-based modules, encrypted C2 communication
Notable Characteristics: Supports multiple server-side implementations including PHP, JSP, ASP.NET, and Java. Godzilla often uses encrypted communication between the webshell and the operator client to evade detection and signature-based defenses.
Attack Flow
Flow
Initial Access → Web Application Exploit → Webshell Upload → Remote Control → Lateral Movement
- Exploit vulnerability in web application or upload endpoint
- Upload Godzilla webshell to server
- Establish encrypted communication between client and webshell
- Execute commands and manage files on the compromised server
- Deploy additional tools or pivot deeper into the network
MITRE ATT&CK Techniques
Mitigations
- Web Application Security: Implement strict file upload validation and block executable uploads
- Patch Management: Regularly patch web frameworks and exposed services
- Network Monitoring: Detect unusual outbound connections from web servers
- Endpoint Protection: Monitor web directories for unauthorized file modifications
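The last two mitigations above (validating what lands in upload directories and watching web directories for unauthorized file changes) can be combined into a simple baseline-and-diff integrity check. The script below is an added example written for this page, not code from the Godzilla project or from any vendor; the web root, the upload directory name and the sample files are constructed. It hashes every file under a web root, compares a later snapshot against the baseline, and flags any added or modified file that carries a server-side executable extension (including double extensions such as shell.php.jpg), noting when such a file sits inside an upload directory.

```python
"""Baseline-and-diff integrity check for a web root (added example, constructed data)."""
import hashlib
import tempfile
from pathlib import Path

# Server-side extensions that should not appear as new or modified files
# without a matching deployment; covers the PHP, JSP and ASP.NET variants
# named on the page. Extend for the stack actually deployed (assumption).
EXECUTABLE_EXTS = {".php", ".phtml", ".php5", ".jsp", ".jspx",
                   ".asp", ".aspx", ".ashx", ".war"}


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large assets do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(web_root: Path) -> dict:
    """Map POSIX-style relative path -> SHA-256 for every regular file under web_root."""
    return {p.relative_to(web_root).as_posix(): sha256_file(p)
            for p in sorted(web_root.rglob("*")) if p.is_file()}


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Return added, removed and modified relative paths between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def suspicious_changes(changes: dict, upload_dirs=("uploads",)) -> list:
    """Flag added/modified files with a server-side executable extension.

    Path.suffixes is used rather than Path.suffix so that a double extension
    such as shell.php.jpg is still caught. A hit under an upload directory is
    labelled separately because executable content should never land there.
    """
    findings = []
    for rel in changes["added"] + changes["modified"]:
        p = Path(rel)
        if {s.lower() for s in p.suffixes} & EXECUTABLE_EXTS:
            reason = "new/modified server-side executable file"
            if p.parts and p.parts[0] in upload_dirs:
                reason += " inside upload directory"
            findings.append((rel, reason))
    return findings


def run_demo() -> tuple:
    """Build a constructed web root, take a baseline, simulate a drop, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "uploads").mkdir()
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "uploads" / "avatar.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed jpeg bytes")
        baseline = snapshot(root)

        # Constructed changes: a double-extension file appears in uploads and
        # an existing PHP file is altered; neither content is a real payload.
        (root / "uploads" / "shell.php.jpg").write_text("<?php /* constructed placeholder */ ?>\n")
        (root / "index.php").write_text("<?php echo 'hello'; /* altered */ ?>\n")
        current = snapshot(root)

    changes = diff_snapshots(baseline, current)
    return changes, suspicious_changes(changes)


if __name__ == "__main__":
    changes, findings = run_demo()
    print("changes:", changes)
    for rel, why in findings:
        print(f"ALERT {rel}: {why}")
```

In practice the baseline would be written after each legitimate deployment and the comparison run on a schedule or from an inotify-style watcher; any finding is a trigger to pull the file for review rather than a verdict on its own, since legitimate hotfixes also modify PHP or JSP files.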
Detections
Detection Rules
| Rule | View | Download |
|---|---|---|
| Suricata | N/A | N/A |
| SPL | N/A | N/A |
