Student Sells Hacked Sites: Beima Web Shell Undetectable, Targets .Gov & .Edu
Researchers from Howler Cell have detailed an underground marketplace for compromised websites operated by students and freelancers across Asia. At the center of their latest report is a cybersecurity student from Bangladesh who aspires to work on a red team, yet finances his studies by selling access to compromised sites. To do so, he employs Beima—a PHP backdoor undetectable by antivirus solutions—and a botnet control panel, with his primary customers hailing from China, Indonesia, and Malaysia.
According to Howler Cell, the student purchases or independently discovers vulnerable WordPress and cPanel sites suffering from configuration flaws, adds them to his control panel, and then advertises access to them via Telegram. Ordinary sites sell for USD 3–4, while resources in .edu and .gov domains command prices around USD 200. Given Bangladesh’s median monthly salary of roughly USD 220, this scheme becomes a highly profitable enterprise for an aspiring hacker—and for other freelancers working under the same model.
Researchers identified approximately 5,200 sites advertised for sale in associated Telegram channels. Most of the compromised resources are located in Asia, though victims span Europe, North and South America, Africa, and Oceania. Sectoral distribution shows a pronounced concentration in education and government, which together account for 76 percent of all listings. The authors refrain from publishing specific domains and stress that they did not individually verify each listing, yet among the offerings were major universities, law enforcement agencies, military organizations, courts, and offices of attorneys general. The real-world consequences of compromising such infrastructure would vary depending on how buyers choose to exploit their newly purchased footholds.
The technical core of the campaign is the PHP web shell Beima. According to Howler Cell, this backdoor remained entirely undetected on VirusTotal from 9 May 2024 through at least November 2025. It is typically uploaded as style.php, accepts only encrypted commands, and uses an embedded RSA private key to decrypt them. Through this interface, attackers can execute arbitrary code, upload or alter files, inject their own code into index pages, replace site content, establish persistence in random directories, and leverage compromised servers as botnet nodes or proxy points for reconnaissance and follow-on attacks.
Communication with the web shell revolves around JSON structures and a dedicated control panel hosted at tool.zjtool[.]top. The interface, entirely in Chinese, mirrors the functions embedded within the shell’s code—such as doBeima, doLock, and doStyle. From this panel, operators upload target lists, deploy additional payloads, and run enumeration scripts that scour websites for credentials, cloud access keys, configuration and backup files, business-analytics data, and other sensitive information.
Howler Cell notes that in some cases the offerings were not compromised sites but merely misconfigured ones vulnerable to the same Beima infection flow. Buyers would pay for a list of such domains and carry out the exploitation themselves, lowering the barrier to entry even further for newcomers to cybercrime.
The researchers describe this ecosystem as part of a broader crowdsourced model of cybercriminal activity. In it, dispersed actors—often students and young specialists from Bangladesh, China, Indonesia, Malaysia, and neighboring countries—supply more organized groups with fresh footholds for attacks for relatively small sums by global standards. Telegram serves as the principal marketplace for finding clients, validating breaches, and handling transactions, while cryptocurrencies such as Bitcoin provide anonymity and ease of payment.
For WordPress and cPanel site owners, the authors urge that these findings be treated as a prompt to reassess fundamental security hygiene. Chief priorities include properly configuring file and directory permissions, removing unnecessary plugins and themes, keeping engines and components updated, enabling multi-factor authentication for administrators, restricting access to control panels, and regularly reviewing logs. Additional indicators of compromise include suspicious PHP files in unusual directories, outbound connections to tool.zjtool[.]top, and the presence of strings such as doBeima, doLock, or doStyle within code—hallmarks of the Beima web shell.
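The indicators listed above can be turned into a simple host-side check that a site owner or responder can run against a web root and an outbound-connection log. The following Python is an added example, not code from Howler Cell or from this article: it builds a constructed mock WordPress tree and a few constructed connection-log lines in a temporary directory, then flags PHP files in locations where executable code is unexpected, files named style.php, the doBeima/doLock/doStyle strings, an embedded private-key block, and log entries mentioning the control-panel domain (undefanged from tool.zjtool[.]top). The list of "unusual" directories and the log-line format are assumptions, not from the report.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the report: function names embedded in the Beima shell,
# its typical upload name, and the control-panel domain (undefanged here).
BEIMA_FUNCTION_NAMES = ("doBeima", "doLock", "doStyle")
BEIMA_TYPICAL_FILENAME = "style.php"
BEIMA_C2_DOMAIN = "tool.zjtool.top"  # written as tool.zjtool[.]top in the report

# Assumption: directories in a stock WordPress install where a PHP file should not live.
UNUSUAL_PHP_DIRS = ("wp-content/uploads", "wp-content/cache")

FUNCTION_PATTERN = re.compile(r"\b(" + "|".join(BEIMA_FUNCTION_NAMES) + r")\b")
PRIVATE_KEY_MARKERS = ("BEGIN RSA PRIVATE KEY", "BEGIN PRIVATE KEY")


def scan_php_file(path: Path, webroot: Path) -> list[str]:
    """Return the indicator names that apply to one PHP file (empty if none)."""
    findings = []
    rel = path.relative_to(webroot).as_posix()
    if any(rel.startswith(d + "/") for d in UNUSUAL_PHP_DIRS):
        findings.append("php-in-unusual-dir")
    if path.name == BEIMA_TYPICAL_FILENAME:
        findings.append("beima-typical-name")
    try:
        text = path.read_text(errors="ignore")
    except OSError:
        return findings
    # Report each shell function name at most once, in a stable order.
    for name in sorted(set(FUNCTION_PATTERN.findall(text))):
        findings.append(f"string:{name}")
    # The shell decrypts commands with an embedded RSA private key; a key block inside
    # a PHP file is a weak indicator on its own but worth reviewing.
    if any(marker in text for marker in PRIVATE_KEY_MARKERS):
        findings.append("embedded-private-key")
    return findings


def scan_webroot(webroot) -> dict[str, list[str]]:
    """Walk a web root and map each suspicious PHP file (relative path) to its findings."""
    webroot = Path(webroot)
    results = {}
    for path in webroot.rglob("*.php"):
        findings = scan_php_file(path, webroot)
        if findings:
            results[path.relative_to(webroot).as_posix()] = findings
    return results


def find_c2_connections(log_lines, domain: str = BEIMA_C2_DOMAIN) -> list[str]:
    """Return the log lines that mention the control-panel domain (case-insensitive)."""
    needle = domain.lower()
    return [line for line in log_lines if needle in line.lower()]


# Constructed sample web root: two benign files and two planted indicators.
SAMPLE_FILES = {
    "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
    "wp-content/plugins/akismet/akismet.php": "<?php // benign plugin stub\n",
    "wp-content/uploads/2024/05/style.php": (
        "<?php\n$k = '-----BEGIN RSA PRIVATE KEY-----MIIE...';\n"
        "function doBeima($d){}\nfunction doLock(){}\nfunction doStyle(){}\n"
    ),
    "wp-content/cache/tmp.php": "<?php function doLock(){}\n",
}

# Constructed outbound-connection log lines (generic format, not from the report).
SAMPLE_LOG = [
    "2025-11-03T10:12:44Z www-data php-fpm CONNECT tool.zjtool.top:443",
    "2025-11-03T10:12:45Z www-data php-fpm CONNECT api.wordpress.org:443",
    "2025-11-03T10:13:01Z www-data php-fpm CONNECT downloads.wordpress.org:443",
]


def demo():
    """Materialise the sample tree, run both checks and return their results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLE_FILES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)
        return scan_webroot(root), find_c2_connections(SAMPLE_LOG)


if __name__ == "__main__":
    file_findings, c2_lines = demo()
    for rel, findings in sorted(file_findings.items()):
        print(f"{rel}: {', '.join(findings)}")
    for line in c2_lines:
        print(f"C2 contact: {line}")
```

On a real host, point `scan_webroot` at the document root and feed `find_c2_connections` lines from whatever egress log is available; the string match is deliberately plain so that it also catches the function names inside obfuscated wrappers that still call them by name.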
In Howler Cell’s assessment, this campaign not only illustrates the remarkable persistence of a single backdoor but also vividly demonstrates how relatively simple administrative oversights and a low barrier of entry for freelancers fuel a resilient, decentralized criminal ecosystem built atop compromised websites.