The 87 signatures: A deep dive into PHP malware

When you know what malware looks like, you can find it. That’s the premise behind signature-based detection - the foundation of every security scanner.

This chapter documents 87 unique malware signatures targeting PHP and Laravel applications. Each one represents a pattern that, when found in your codebase, indicates potential compromise.

How we built this database

Our signature database wasn’t created in a day. It’s the result of synthesizing research from multiple sources:

AI Research Models

Unique Signatures

Webshell Families

We synthesized research from 5 leading AI models, combined with established industry sources—Neo23x0/YARA rules, JAMSS, Akamai reports. Each model contributed unique perspectives across different threat categories, from evasion techniques to zero-day vulnerabilities.

But methodology is only half the story.

The real value comes from what CAN’T be easily replicated:

Validated on real incidents — every signature tested against malware actually found in clipcraft.ro and cetatean.ro
Zero false positives — rigorous verification on fresh Laravel installations (11 and 12)
Continuous updates — our scanner automates this research process, constantly
Human curation — every pattern goes through Red Team review before publication

Every pattern has been validated with preg_match() and tested extensively to eliminate false alerts.

Understanding signature categories

Not all signatures are equal. We categorize them by severity and confidence:

Category	Confidence	Action	Count
Critical	>95%	Auto-quarantine	28
High	80-95%	Alert + Review	18
Medium	50-80%	Needs Context	14
Suspicious	<50%	Informational	6
AI Polymorphism	Variable	Special Handling	3

ℹ️

Confidence Scoring

Confidence indicates how likely a match represents actual malware vs. legitimate code. A 99% confidence signature means false positives are extremely rare. Lower confidence signatures require human review.

Critical signatures (28 patterns)

These are the most dangerous patterns - code that is almost never legitimate and should trigger immediate action.

Direct Code Execution

The most obvious malware patterns involve executing arbitrary code:

SIG-C001 CRITICAL

eval_base64_decode

Code Execution

eval(base64_decode(...)) - Classic payload execution. Decodes hidden code and runs it. Confidence: 98% | False positives: Extremely rare

SIG-C002 CRITICAL

eval_gzinflate

Code Execution

eval(gzinflate(...)) - Compressed payload execution. Unpacks and runs hidden code. Confidence: 98%

SIG-C003 CRITICAL

eval_user_input

Webshell

eval($_GET/POST/REQUEST) - Direct execution of user input. Classic webshell indicator. Confidence: 99% | MITRE ATT&CK: T1505.003

Pattern Examples MALICIOUS CODE

// SIG-C001: eval + base64_decode
eval(base64_decode('ZWNobyAnaGFja2VkJzs='));

// SIG-C002: eval + gzinflate
eval(gzinflate(base64_decode('...')));

// SIG-C003: eval with user input (WEBSHELL!)
eval($_POST['cmd']);

System Command Injection

When attackers want shell access:

SIG-C010 CRITICAL

shell_exec_user_input

OS Command

shell_exec($_GET/POST) - Direct OS command injection from user input. Confidence: 99% | MITRE ATT&CK: T1059.004

SIG-C011 CRITICAL

system_user_input

OS Command

system($_GET/POST) - Executes system command with user input. Confidence: 99%

SIG-C012 CRITICAL

passthru_user_input

OS Command

passthru($_GET/POST) - Raw output command execution. Confidence: 99%

SIG-C013 CRITICAL

exec_user_input

OS Command

exec($_GET/POST) - Execute external program with user input. Confidence: 99%

SIG-C014 CRITICAL

proc_open_user_input

OS Command

proc_open($_GET/POST) - Process control with user input. Confidence: 99%

SIG-C015 CRITICAL

popen_user_input

OS Command

popen($_GET/POST) - Opens process file pointer with user input. Confidence: 99%

DeepSeek Zero-Day Patterns (2026)

These patterns were discovered through AI research and represent emerging threats:

SIG-DS003 CRITICAL

variable_function_call_superglobal

Polymorphic

$var($_GET/POST) - Variable function call with user input. Polymorphic execution technique. Confidence: 97% | Bypass Resistance: High

SIG-DS004 CRITICAL

devshm_php_file

Fileless

PHP file path in /dev/shm/ - Fileless persistence in RAM. Survives file-based scans. Confidence: 99% | Technique: Fileless malware

SIG-DS005 CRITICAL

devshm_write

Fileless

file_put_contents('/dev/shm/...') - Writing to RAM-based filesystem. Staging for fileless malware. Confidence: 99% | Technique: Fileless malware

SIG-DS006 CRITICAL

eval_variable_indirect

Obfuscation

eval($variable) - Indirect execution through variable. Common in AI-generated malware. Confidence: 90% | Note: Check context for false positives

💀

Laravel-Specific RCE Patterns

The following two patterns specifically target Laravel applications by abusing the encryption system. If your APP_KEY is compromised, these become exploitable.

SIG-DS007 CRITICAL

laravel_decrypt_user_input

Laravel RCE

decrypt($_GET/POST) - Laravel decrypt() with user input. Enables deserialization RCE if APP_KEY is leaked. Confidence: 98% | Laravel Specific

SIG-DS008 CRITICAL

unserialize_decrypt_chain

Laravel RCE

unserialize(decrypt(...)) - Gadget chain attack. Deserializes attacker-controlled data. Confidence: 99% | Laravel Specific

Laravel-Specific Attack Patterns MALICIOUS CODE

// SIG-DS007: Laravel decrypt with user input
$data = decrypt($_POST['payload']);  // CRITICAL if APP_KEY leaked

// SIG-DS008: Gadget chain attack
$obj = unserialize(decrypt($_REQUEST['data'])); // RCE via phpggc chains

Additional Critical Patterns

SIG-C004 CRITICAL

assert_dynamic

Code Execution

assert($var) or assert(base64...) - assert() with dynamic input executes code. Confidence: 95%

SIG-C005 CRITICAL

create_function_deprecated

Code Execution

create_function('', $_...) - Deprecated function that uses eval() internally. Confidence: 97% | Source: GPT-4 AST Analysis

SIG-C006 CRITICAL

preg_replace_e_modifier

Code Execution

preg_replace('/.../e', ...) - The /e modifier executes replacement as PHP code. Confidence: 99% | Note: Removed in PHP 7.0, but still seen in legacy systems

The 7 webshell families

Webshells are the malware we encounter most often. These are complete backdoor toolkits that give attackers full control of your server.

WSO (Web Shell by Orb)

SIG-WS002 CRITICAL

wso_shell

Webshell Family

Markers: WSO_VERSION, FilesMan, w_s_o_root Confidence: 99%

Attribute	Details
First Seen	2010
Last Updated	2021 (WSO-NG)
Aliases	WSO 2.1, WSO-NG, WSO Mini, FilesMan
Description	The most popular feature-rich PHP webshell. Includes file manager, database client, command execution, and self-update capabilities.

China Chopper

SIG-WS001 CRITICAL

china_chopper

Webshell Family

Pattern: @eval($_POST['password']); Confidence: 99% | MITRE ATT&CK: T1505.003

Attribute	Details
First Seen	2012
Aliases	caidao, C knife
Size	~4KB
Description	Compact APT backdoor used by Chinese threat actors. Extremely small footprint makes it easy to miss. One-liner server component with full-featured client.

China Chopper Minimal Form MALICIOUS CODE

<?php @eval($_POST['pass']); ?>

🚨

4KB of Destruction

China Chopper’s server component is often just ONE LINE of code. That single line provides: file management, command execution, database access, and network pivoting - all controlled by a Windows GUI client.

B374K Shell

SIG-WS004 CRITICAL

b374k_shell

Webshell Family

Markers: b374k, b374k r3c0d3d Confidence: 99%

Attribute	Details
First Seen	2014
Aliases	b374k 2.x, b374k 3.x
Description	Modern webshell with password protection, theme support, and modular architecture. Known for its clean UI and extensive features.

C99 Shell

SIG-WS003 CRITICAL

c99_shell

Webshell Family

Markers: c99sh_surl, c99shell, c99_buff_prepare Confidence: 99%

Attribute	Details
First Seen	2008
Description	Extended WSO variant with self-delete capabilities, FTP brute force, and encoding tools. Often found with additional payloads.

R57 Shell

SIG-WS007 CRITICAL

r57_shell

Webshell Family

Markers: r57shell, r57_pwd Confidence: 99%

Attribute	Details
First Seen	2006
Description	One of the oldest webshells still found in the wild. Classic design, still maintained by various groups.

ALFA Shell

SIG-WS005 CRITICAL

alfa_shell

Webshell Family

Markers: ALFA_DATA, AlfaTeam, Alfa Shell Confidence: 99%

Attribute	Details
First Seen	2018
Description	Modern underground webshell with advanced features. Popular in Eastern European cybercrime forums.

IndoXploit

SIG-WS006 CRITICAL

indoxploit_shell

Webshell Family

Markers: IndoXploit, IDX_Config Confidence: 99%

Attribute	Details
First Seen	2016
Description	Mass defacement webshell targeting Linux servers. Often used for website vandalism campaigns.

High severity signatures (18 patterns)

These patterns have 80-95% confidence - they’re often malicious but may have legitimate uses in specific contexts.

Obfuscation Patterns

SIG-H001 HIGH

hex_obfuscation_chain

Obfuscation

3+ consecutive hex escape sequences (\x48\x65\x6c\x6c\x6f). Confidence: 85%

SIG-H002 HIGH

chr_concatenation

Obfuscation

5+ consecutive chr() calls concatenated: chr(72).chr(101).chr(108)... Confidence: 90%

SIG-H003 HIGH

str_rot13_execution

Obfuscation

eval(str_rot13(...)) or similar - ROT13 with code execution. Confidence: 92%

SIG-H004 HIGH

multi_layer_decode

Obfuscation

2+ decoding functions chained: eval(gzuncompress(base64_decode(...))) Confidence: 88% | Source: JAMSS signatures

Obfuscation Examples MALICIOUS CODE

// SIG-H001: Hex obfuscation
$cmd = "\x73\x79\x73\x74\x65\x6d";  // "system"

// SIG-H002: chr() chain
$func = chr(115).chr(121).chr(115).chr(116).chr(101).chr(109);

// SIG-H004: Multi-layer decode
eval(gzuncompress(base64_decode(str_rot13('...'))));

Polymorphic Patterns (DeepSeek 2026)

SIG-DS001 HIGH

base64_decode_any

Polymorphic

base64_decode('...') with 20+ char string - Catches padding-stripped base64. Confidence: 85% | Note: May match legitimate encoded data

SIG-DS002 HIGH

polymorphic_function_build

Polymorphic

String concatenation building function name: $f = 'sys'.'tem'; Confidence: 82% | Example: $f = "sys"."tem"; $f($cmd);

SIG-H010 HIGH

variable_function_generic

Polymorphic

Generic variable function call: $func($arg) Confidence: 80% | Note: Common in frameworks, needs context

Callback Function Abuse

SIG-H020 HIGH

callback_dangerous_input

Callback Abuse

array_map, array_filter, call_user_func with suspicious callbacks. Confidence: 88%

SIG-H021 HIGH

usort_callback_abuse

Callback Abuse

usort($arr, 'system') - Sorting functions with dangerous callbacks. Confidence: 95% | Source: GPT-4 AST Analysis

Callback Abuse Examples MALICIOUS CODE

// SIG-H020: array_map with dangerous callback
array_map($_GET['func'], $data);

// SIG-H021: usort callback abuse
usort($arr, 'system'); // Calls system() on array elements!

File Operation Patterns

SIG-H030 HIGH

include_dynamic_path

File Include

include($variable) - Dynamic path in include statement. Confidence: 82% | Source: GPT-4 AST Analysis

SIG-H031 HIGH

require_user_input

File Include

require($_GET/POST) - Direct LFI/RFI vector. Confidence: 98%

SIG-H032 HIGH

include_remote_url

File Include

include('http://...') - Remote file inclusion. Confidence: 95%

Reflection API Abuse

SIG-H040 HIGH

reflection_invoke

Reflection

->invoke() or ->invokeArgs() calls - Potential function bypass. Confidence: 75% | Note: Common in DI containers, check context

SIG-H041 HIGH

reflection_function_dangerous

Reflection

new ReflectionFunction('system') - Reflection with dangerous function. Confidence: 95%

Other High Severity

SIG-H050 HIGH

openssl_decrypt_header_key

Encryption

openssl_decrypt() with key from HTTP header - Hidden command channel. Confidence: 95%

SIG-H060 HIGH

function_comment_bypass

WAF Bypass

eval/*comment*/() - Comment injection to bypass WAF signatures. Confidence: 92%

Medium severity signatures (14 patterns)

These require context analysis to determine if they’re malicious:

File Operations with User Input

SIG-M001 MEDIUM

file_put_contents_user_input

File Write

file_put_contents(..., $_GET/POST) - Writing user input to file. Confidence: 75%

SIG-M002 MEDIUM

fwrite_user_input

File Write

fwrite(..., $_GET/POST) - Writing user input with fwrite(). Confidence: 75%

SIG-M003 MEDIUM

move_uploaded_file

File Upload

move_uploaded_file($_FILES...) - Check validation is in place. Confidence: 50% | Often legitimate

Long Encoded Strings

SIG-M010 MEDIUM

long_base64_string

Encoded Data

Base64 string with 500+ characters in source code. Confidence: 65%

SIG-M011 MEDIUM

gzinflate_long_string

Encoded Data

gzinflate() with long encoded string (200+ chars). Confidence: 70%

Anonymous Functions

SIG-M020 MEDIUM

closure_immediate_invoke

Anonymous

IIFE (Immediately Invoked Function Expression) containing dangerous functions. Confidence: 85%

SIG-M021 MEDIUM

anonymous_class_shell_exec

Anonymous

Anonymous class with command execution methods. Confidence: 88% | Source: GPT-4 AST Analysis

Superglobals in Unusual Context

SIG-M030 MEDIUM

http_header_access

Superglobal

$_SERVER['HTTP_*'] - Custom HTTP header access. Confidence: 50% | Often legitimate for APIs

SIG-M031 MEDIUM

php_input_stream

Superglobal

php://input access - Raw POST data. Confidence: 55% | Common in JSON APIs

SIG-M032 MEDIUM

cookie_in_dangerous_context

Superglobal

$_COOKIE used with eval/system/exec. Confidence: 92%

String Obfuscation

SIG-M040 MEDIUM

string_concat_long

Obfuscation

8+ string parts concatenated. Confidence: 70%

SIG-M041 MEDIUM

strrev_function_name

Obfuscation

strrev('metsys') - Reversing dangerous function names. Confidence: 90%

Suspicious/informational patterns (6 patterns)

Low confidence patterns that may indicate issues but are often legitimate:

ID	Pattern	Description	Confidence
SIG-S001	base64_decode_generic	Any `base64_decode()` usage	30%
SIG-S002	unserialize_generic	Any `unserialize()` usage	40%
SIG-S003	eval_generic	Any `eval()` usage	45%
SIG-S004	self_delete	`unlink(__FILE__)` - Self-deleting file	75%
SIG-S005	disabled_error_reporting	`error_reporting(0)`	35%
SIG-S006	ini_set_display_errors	Display errors disabled	30%

ℹ️

Don't Auto-Flag These

Suspicious patterns shouldn’t trigger automatic alerts. They’re useful as additional indicators when combined with other findings. A file with base64_decode() is usually fine. A file with base64_decode() AND eval() AND error_reporting(0) is suspicious.

AI polymorphism patterns (2026)

Modern attackers use AI to generate polymorphic malware - code that restructures itself to evade signature detection:

SIG-AI001 HIGH

dynamic_string_array_build

AI Polymorphism

Array building with short encoded chunks. AI generates unique chunk sequences. Confidence: 80% | Technique: Chunked payload

SIG-AI002 CRITICAL

implode_eval_chain

AI Polymorphism

eval(implode('', $array)) - Reconstructs payload from chunks. Confidence: 95% | Technique: Chunked payload

SIG-AI003 MEDIUM

dynamic_class_instantiation

AI Polymorphism

new $className() - Dynamic class instantiation. Confidence: 65% | Note: Common in factory patterns

AI-Generated Polymorphic Pattern MALICIOUS CODE

// SIG-AI001 + SIG-AI002: Chunked payload
$chunks = [];
$chunks[] = 'ZXZh';  // AI generates unique chunk order
$chunks[] = 'bCgk';
$chunks[] = 'X1BP';
$chunks[] = 'U1Rb';
$chunks[] = 'J2NtZCddKTs=';

// Reconstruct and execute
eval(base64_decode(implode('', $chunks)));

💀

Why Signatures Fail Against AI Malware

AI-generated malware changes structure every 15-60 seconds. Each instance has unique variable names, chunk orders, and obfuscation layers. Traditional signatures cannot keep up. This is why we need behavioral analysis (Chapter 5) and entropy detection.

Obfuscation indicators

These aren’t standalone signatures, but scoring modifiers that increase confidence when combined with other patterns:

Indicator	Pattern	Score Modifier	Threshold
hex_encoded	`\x48\x65\x6c...`	+0.30	3+ sequences
long_base64	500+ char base64 string	+0.40	-
chr_chain	`chr(72).chr(101)...`	+0.35	5+ calls
string_concat_extreme	10+ concat parts	+0.45	-
variable_variables	`${$var}`	+0.25	-
octal_encoding	`\110\145\154...`	+0.30	3+ sequences

Example Scoring:

File: suspicious.php
- Match: SIG-M011 (gzinflate_long_string) = 0.70 base confidence
- Indicator: long_base64 = +0.40
- Indicator: hex_encoded = +0.30
- Final confidence: 0.70 + 0.40 + 0.30 = 1.00 (capped at 0.99)
- Result: CRITICAL - Quarantine

Using these signatures

For Manual Review

Search your codebase for critical patterns:

# Search for eval+base64 pattern
grep -rn "eval.*base64_decode" --include="*.php" .

# Search for webshell markers
grep -rn "WSO_VERSION\|FilesMan\|c99shell\|b374k" --include="*.php" .

# Search for user input in dangerous functions
grep -rn "eval.*\$_\(GET\|POST\|REQUEST\)" --include="*.php" .

For Automated Scanning

These signatures are designed for regex-based scanning:

$signatures = [
    'critical' => [
        'eval_base64' => '/eval\s*\(\s*base64_decode\s*\(/i',
        'china_chopper' => '/@?eval\s*\(\s*\$_POST\s*\[/i',
        // ... more patterns
    ]
];

foreach ($files as $file) {
    $content = file_get_contents($file);
    foreach ($signatures['critical'] as $name => $pattern) {
        if (preg_match($pattern, $content)) {
            alert("CRITICAL: {$name} found in {$file}");
        }
    }
}

False Positive Management

Not every match is malware. Apply context modifiers:

Context	Score Modifier	Reason
`vendor/`	-0.40	Third-party code
`storage/framework/views/`	-0.50	Compiled Blade templates
`bootstrap/cache/`	-0.45	Framework cache
`tests/`	-0.30	Test fixtures

Summary

We’ve covered 87 signatures across multiple categories:

Critical Patterns

High Severity

Medium (Context)

Suspicious/Info

Key takeaways:

Critical signatures (eval+base64, webshell markers, user input in dangerous functions) should trigger immediate action
High severity patterns need human review but are often malicious
Medium/Suspicious patterns are context-dependent - look for combinations
AI polymorphism is changing the game - signatures alone aren’t enough
Context modifiers prevent false positives in vendor code and framework directories

Next: Chapter 5 - Beyond Signatures: How Modern Malware Evades Detection

Signatures catch known threats, but what about unknown ones? In the next chapter, we’ll explore entropy analysis, behavioral detection, and the techniques modern malware uses to evade traditional scanners.