Prophet Spider Exploits Citrix ShareFile to Deploy Webshell

Photo by Rafael Garcin on Unsplash
Graph of Prophet Spider’s used Infrastructure


Prophet Spider, like other Spider groups, is an eCriminal adversary group. Campaigns from this group have been observed as early as May 2017. This group focuses on compromising external and vulnerable web services. They are well known to abuse known public vulnerabilities, particularly those with an existing Proof-of-Concept. They have been observed exploiting recent and old vulnerabilities and have used SQL injection attacks. Their targets include Linux and Windows systems.


In the most recently observed campaigns, attempts to exploit Citrix ShareFile (CVE-2021–22941) were observed. Organizations can remediate this vulnerability by updating their Citrix ShareFile storage zone controller to 5.11.20 or later.

Graph Generated by chandanbn’s cvss Score Calculator


This group does not seem to maintain its own ransomware nor is it an affiliate member of another Ransomware-as-a-Service (RaaS) as far as we can tell. However, it has been observed that compromises by this group have lead to ransomware attacks in the past. Egregor and MountLocker ransomware are two such malware that compromises from this group have resulted in.

Tactical Intelligence

Tools, Tactics, and Techniques

1. Open Source WebShell: https[:]//raw.githubusercontent[.]com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1
2. Wget
3. Winn.exe
4. GOTROJ remote access trojan


Indicators of Attack:

188.119.149[.]160 [attacking exploit]

Indicators of Compromise:

45.61.136[.]39:443 [file hosting]

Possible Mitigation Steps to Consider:

  • Consider reviewing for activity from provided IP address (note that these IPs have been used in campaigns prior to the observed ShareFile exploitation, so historical connections could be related to other adversaries)
  • Consider monitoring for wget commands pulling files from githubusercontent
  • Ensure patches for CVE-2020–14750, CVE-2020–14882, CVE-2021–26084, CVE-2021–22941 are applied.
  • The adversary used a burpcollaborator[.]net token. This is a part of BurpSuite and, while not malicious, may be unexpected in your environment which may provide additional detection/disruption opportunities.
  • The adversary will continue to evolve their list of used exploits, quick patching reduces future risk of compromise from this adversary and groups like them.


Special thanks to Mike Manrod and Jorge Trevino for contributions, collaboration, and editing.

References and Additional Resources



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Christian Taillon

A cyber nerd who believes that you don’t have to work at the same company to be on the same team.