ASPXSpy is a web shell written in ASPX, as its name suggests, that threat actors use as a backdoor payload. The script allows attackers to gain control over the compromised Windows server. From there, ASPXSpy may be used to fetch, install, and execute additional malware payloads on the infected system. These next-stage payloads vary in functionality and potency depending on the threat actor's goals. They may include other mid-stage dropper or downloader Trojans, as well as keylogging scripts designed to harvest user information such as account credentials or banking and debit/credit card details. Backdoor Trojans such as ASPXSpy may also open specific ports on the breached system, potentially exposing it to further security risks.
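Because an ASPX web shell must turn HTTP request input into command execution or file writes on the server, defenders can hunt for that combination in the IIS web root. The following is an added example, not code from the original page or from any ASPXSpy sample: the indicator patterns, the scoring rule, and the sample page contents are assumptions constructed for illustration, not an ASPXSpy signature.

```python
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# Indicator families for server-side ASPX code (assumed heuristics, not an
# ASPXSpy signature). A web shell needs request-controlled input feeding
# process execution, dynamic code loading or file writes; ordinary pages
# seldom combine these.
INDICATORS = {
    "process_start": re.compile(r"Process\.Start|ProcessStartInfo", re.I),
    "shell_binary": re.compile(r"cmd\.exe|powershell(\.exe)?", re.I),
    "request_input": re.compile(r"Request\.(Form|QueryString|Params)\[", re.I),
    "file_write": re.compile(r"File\.WriteAll(Bytes|Text)|\.SaveAs\(", re.I),
    "dynamic_code": re.compile(r"Assembly\.Load|CSharpCodeProvider", re.I),
}

def score_aspx(source: str) -> dict:
    """Report which indicator families appear in one ASPX source file."""
    return {name: bool(rx.search(source)) for name, rx in INDICATORS.items()}

def is_suspicious(hits: dict) -> bool:
    # Flag only when request input is present together with an execution
    # or write capability; either on its own is common in legitimate pages.
    executes = hits["process_start"] or hits["shell_binary"] or hits["dynamic_code"]
    return hits["request_input"] and (executes or hits["file_write"])

def scan_webroot(root: Path) -> list[tuple[str, list[str]]]:
    """Return (relative path, matched indicators) for suspicious .aspx files under root."""
    findings = []
    for path in sorted(root.rglob("*.aspx")):
        hits = score_aspx(path.read_text(encoding="utf-8", errors="ignore"))
        if is_suspicious(hits):
            findings.append((path.relative_to(root).as_posix(),
                             [name for name, hit in hits.items() if hit]))
    return findings

# Constructed sample contents: a benign page that echoes a query parameter,
# and an inert fragment carrying the execution-plus-request-input pattern.
BENIGN = ('<%@ Page Language="C#" %>\n<html><body><% Response.Write("Hello " + '
          'Server.HtmlEncode(Request.QueryString["name"])); %></body></html>\n')
SHELL_LIKE = ('<%@ Page Language="C#" %>\n<% /* constructed indicator sample, not a working page */ '
              'System.Diagnostics.Process.Start(Request.Form["c"]); %>\n')

def demo() -> list[tuple[str, list[str]]]:
    """Build a throwaway web root with both samples and scan it."""
    with TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "default.aspx").write_text(BENIGN, encoding="utf-8")
        (root / "aspnet_client").mkdir()
        (root / "aspnet_client" / "x.aspx").write_text(SHELL_LIKE, encoding="utf-8")
        return scan_webroot(root)

if __name__ == "__main__":
    for rel, names in demo():
        print(f"{rel}: {', '.join(names)}")
```

Against a real server, point `scan_webroot` at the IIS site root and review each hit manually; the heuristic surfaces candidates, it does not prove a file is a shell.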
ASPXSpy has been seen in the harmful operations of multiple hackers and APT (Advanced Persistent Threat) groups, who often create their own versions of the backdoor. Among them are Threat Group-3390, Night Dragon, APT41, APT39 and HAFNIUM. A newly designated APT group named Agrius, believed to have ties to Iran, has also been observed using web shells based on ASPXSpy in a series of attacks against Israeli targets.