Godzilla Reflection AES Plugin with Data‑Flow Break: A Webshell Generator that Evades Detection
The article introduces VeilShell, a Godzilla‑based reflection AES encryptor combined with a Data‑Flow Break and dynamic callback technique to generate PHP webshells, presents detailed evasion test results against Changting, Alibaba and VirusTotal scanners, and provides performance metrics and a GitHub link for acquisition.
Tool Overview
VeilShell combines a Godzilla‑based reflection AES encryptor with a PHP webshell that uses AES encryption, gzdeflate compression, and a Data‑Flow Break technique to disguise communication.
Evasion Evaluation
The payload was fine‑tuned on a 30 000‑sample webshell dataset using the Qwen2‑0.5B‑Instruct model. After fine‑tuning, the small model did not flag the payload, and the payload evaded detection by the Changting and Alibaba webshell scanners as well as VirusTotal.
Test metrics: {'test_loss': 0.08689013123512268, 'test_accuracy': 0.973571192599934, 'test_f1': 0.9750623441396509, 'test_precision': 0.993015873015873, 'test_recall': 0.9577464788732394, 'test_runtime': 71.2095, 'test_samples_per_second': 42.508, 'test_steps_per_second': 2.668, 'epoch': 1.0}
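The reported ratios can be turned back into raw counts, which shows how many samples the classifier missed outright. The following is an added example, not code from the article or the VeilShell repository; it assumes the metrics describe the fine-tuned Qwen2-0.5B-Instruct classifier on a binary task with "webshell" as the positive class, and it estimates the test-set size from runtime times throughput because the page does not state it.

```python
# Values copied from the "Test metrics" line on this page.
METRICS = {
    "test_accuracy": 0.973571192599934,
    "test_precision": 0.993015873015873,
    "test_recall": 0.9577464788732394,
    "test_f1": 0.9750623441396509,
    "test_runtime": 71.2095,
    "test_samples_per_second": 42.508,
}


def reconstruct_confusion(m, tol=1e-9):
    """Find integer TP/FP/FN/TN consistent with every reported ratio.

    Assumption: binary classification, "webshell" is the positive class.
    """
    # Test-set size is not on the page; estimate it from runtime x throughput.
    n = round(m["test_runtime"] * m["test_samples_per_second"])
    for tp in range(1, n + 1):
        # precision = TP/(TP+FP) and recall = TP/(TP+FN), solved for FP and FN
        fp = round(tp / m["test_precision"]) - tp
        fn = round(tp / m["test_recall"]) - tp
        tn = n - tp - fp - fn
        if min(fp, fn, tn) < 0:
            continue
        consistent = (
            abs(tp / (tp + fp) - m["test_precision"]) < tol
            and abs(tp / (tp + fn) - m["test_recall"]) < tol
            and abs((tp + tn) / n - m["test_accuracy"]) < tol
            and abs(2 * tp / (2 * tp + fp + fn) - m["test_f1"]) < tol
        )
        if consistent:
            return {"n": n, "tp": tp, "fp": fp, "fn": fn, "tn": tn}
    return None  # no integer counts reproduce the reported metrics


def miss_rate(c):
    """Share of positive (webshell) samples the classifier failed to flag."""
    return c["fn"] / (c["tp"] + c["fn"])


if __name__ == "__main__":
    counts = reconstruct_confusion(METRICS)
    print(counts, f"miss rate = {miss_rate(counts):.2%}")
```

For a defender, the false-negative count is the number to watch: recall, not accuracy, bounds how many webshells pass a classifier of this kind even before any deliberate evasion.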
Scanner Results
Detection outcomes for Changting, Alibaba and VirusTotal are shown in the following images.
Dataset Reference
The full training set is hosted at https://huggingface.co/datasets/nbuser32/PHP-Webshell-Dataset.
Connection Details
Normal connection environment screenshots are provided.
POST Example
An example POST request is illustrated.
Acquisition
Repository: https://github.com/e1arth/Godzilla_bypass_webshell
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Black & White Path
We are the beacon of the cyber world, a stepping stone on the road to security.
