PHP – Fully Undetectable Web Shell

Today, I want to try to create a simple undetected (hopefully FUD) web shell backdoor. I am using VirusTotal (yes, I want them to check my file, lol).

So, what is FUD?

Fully undetectable (usually shortened as “FUD”) can stand for data that had been encrypted, making it appear to be random noise. It can also stand for software that cannot be detected by anti-viruses when a scan is performed. The term is used in hacker circles to refer to something that appears to be clean to many anti-viruses, even though it is a hacking tool.
Source :

Here is my simple (actually primary) shell without any obfuscation:

And here is the VirusTotal result:

Simple Shell



Now we can see that my web shell was detected by Avast, AVware and Bkav.

Let's try to obfuscate the shell.

Obfuscated web shell


And here is the VirusTotal result:

FUD web shell


