APT groups are using the HrServ web shell to compromise Windows systems. The web shell gives the attackers unauthorized remote access to and control over the host, letting them steal data and stage further attacks. The web shell, a DLL named "hrserv.dll", has advanced features such as custom encoding and in-memory execution. Once installed it registers a service handler and launches an HTTP server; the commands it executes are selected by the incoming HTTP requests, which are decoded with that custom encoding, and the DLL leverages the NID cookie in those requests. Security analysts have also found related variants dating back to 2021 that use the same custom encoding and cover their tracks by deleting the initial files and reverting the registry changes they made, which suggests the activity has been ongoing for some time. The TTPs have not been attributed to any known threat actor. A government entity in Afghanistan has been identified as a victim. #CyberSecurity #CyberSecurityNews #Malware
https://cybersecuritynews.com/apt-groups-using-hrserv-web-shell/
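The one network-observable artifact the summary names is the NID cookie, which is normally set and sent only by Google services, so an NID cookie arriving at an internal HTTP endpoint is worth a look. The script below is an added hunting example, not code from the article or from the analysts who documented HrServ: it parses a small set of constructed web-server log lines (the log format, host names, client addresses and cookie values are all assumptions) and returns the requests that carry an NID cookie to a host that is not a Google domain. It does not attempt to decode the cookie, since the web shell's encoding is not described on the page.

```python
import re
from typing import Dict, List

# Constructed sample log lines (not real traffic). Assumed format:
# <client_ip> <host> "<method> <path> <proto>" <status> "<Cookie header>"
SAMPLE_LOG = [
    '10.0.0.5 intranet.example.local "GET /index.html HTTP/1.1" 200 "session=abc123"',
    '203.0.113.7 intranet.example.local "GET /update HTTP/1.1" 200 "NID=511=dGVzdA=="',
    '10.0.0.9 www.google.com "GET /search?q=x HTTP/1.1" 200 "NID=511=xyz; CONSENT=YES"',
    '203.0.113.7 intranet.example.local "POST /update HTTP/1.1" 200 "NID=511=Y21k"',
]

# Regex for the assumed log format above.
LOG_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+) (\S+)" (\d{3}) "(.*)"$')
# Hosts where an NID cookie is expected: google.<tld> and its subdomains.
GOOGLE_HOST_RE = re.compile(r'(^|\.)google\.[a-z.]+$', re.IGNORECASE)


def parse_cookies(header: str) -> Dict[str, str]:
    """Split a Cookie header into a name->value map.

    Only the first '=' separates name and value, so a value such as
    '511=dGVzdA==' (which itself contains '=') is preserved intact.
    """
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if "=" in part:
            name, value = part.split("=", 1)
            cookies[name.strip()] = value
    return cookies


def parse_line(line: str) -> Dict[str, object]:
    """Parse one log line of the assumed format into a record."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")
    client, host, method, path, proto, status, cookie_header = m.groups()
    return {
        "client": client,
        "host": host,
        "method": method,
        "path": path,
        "status": int(status),
        "cookies": parse_cookies(cookie_header),
    }


def suspicious_nid_requests(lines: List[str]) -> List[Dict[str, object]]:
    """Return requests that present an NID cookie to a non-Google host."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if "NID" in rec["cookies"] and not GOOGLE_HOST_RE.search(rec["host"]):
            hits.append(rec)
    return hits


def clients_by_hit_count(lines: List[str]) -> Dict[str, int]:
    """Count suspicious NID requests per client address, for triage."""
    counts: Dict[str, int] = {}
    for rec in suspicious_nid_requests(lines):
        counts[rec["client"]] = counts.get(rec["client"], 0) + 1
    return counts


if __name__ == "__main__":
    for rec in suspicious_nid_requests(SAMPLE_LOG):
        print(f"{rec['client']} -> {rec['host']}{rec['path']} NID={rec['cookies']['NID']}")
    print(clients_by_hit_count(SAMPLE_LOG))
```

Run against the constructed sample it flags the two requests from 203.0.113.7 to intranet.example.local and leaves the genuine Google request alone. On real logs the host filter should be tightened to the organisation's own server names rather than the loose "not Google" check used here, and a hit is a lead for inspecting the server's registered services, not proof of compromise on its own.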