What is /alfacgiapi/perl.alfa?

Created 17th August 2023
Updated 20th May 2024

A webshell and hijacking package created by "ALFA TEaM" (also known as "Solevisible" and "Sole Sad & Invisible") and published publicly. I've mainly seen it compromising weak WordPress installations.

The deployed package has evolved over the years and consists of several files, perl.alfa among them. The current public version appears to be v4.1. It features a variety of tooling, including database dumping, compression tools, and config scanners.

Some organizations and researchers attribute the team to APT-33, an Iranian group targeting the Middle East and aerospace actors, but the sources for this are scant.

There are also a number of companies trading under the Alfahost moniker. These companies may provide shell-based access to customers, and recon scans may be trying to find misconfigured shells from these providers. I would expect this to be unlikely compared to the documented activities above.

Other known request paths

  1. /alfacgiapi/perl.alfa
  2. /ALFA_DATA/alfacgiapi/perl.alfa
  3. /alfanew.php7
  4. /wp-content/alfa.php
  5. /alfaindex.php
  6. /wp-admin/alfa.php
  7. /alfa-rex.php7
  8. /index.php?action=wp-admin&file=alfa
  9. /wp-includes/pomo/alfa.php
  10. /ALFA_DATA/alfacgiapi/ups.php
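A small detection script for the paths listed above, added here as an example (it is not code from this page or from the ALFA TEaM package): it parses combined-format access-log lines, normalises the request target, and reports hits against the known paths. The log lines and client addresses are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request paths this page lists for the ALFA TEaM shell, lower-cased for matching.
ALFA_PATHS = {p.lower() for p in (
    "/alfacgiapi/perl.alfa", "/ALFA_DATA/alfacgiapi/perl.alfa", "/alfanew.php7",
    "/wp-content/alfa.php", "/alfaindex.php", "/wp-admin/alfa.php", "/alfa-rex.php7",
    "/wp-includes/pomo/alfa.php", "/ALFA_DATA/alfacgiapi/ups.php",
)}

# Combined log format: client ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def is_alfa_request(target):
    """True if the request target is a known ALFA shell path.

    The path is percent-decoded and lower-cased so case/encoding variants match;
    /index.php?action=wp-admin&file=alfa is checked via its query string.
    """
    parts = urlsplit(target)
    path = unquote(parts.path).lower()
    if path in ALFA_PATHS:
        return True
    if path == "/index.php":
        qs = parse_qs(parts.query)
        return qs.get("action") == ["wp-admin"] and qs.get("file") == ["alfa"]
    return False

def scan_log(lines):
    """Return (client, timestamp, target, status) for each matching request.

    A 404 is a probe for the shell; a 200 on one of these paths means the
    file exists on the server and the host should be treated as compromised.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            client, ts, _method, target, status = m.groups()
            if is_alfa_request(target):
                hits.append((client, ts, target, int(status)))
    return hits

# Constructed sample access-log lines (not real traffic; RFC 5737 test addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [17/Aug/2023:10:01:02 +0000] "GET /alfacgiapi/perl.alfa HTTP/1.1" 404 196
203.0.113.5 - - [17/Aug/2023:10:01:03 +0000] "GET /WP-CONTENT/alfa.php HTTP/1.1" 200 5120
203.0.113.5 - - [17/Aug/2023:10:01:04 +0000] "GET /index.php?action=wp-admin&file=alfa HTTP/1.1" 200 812
198.51.100.7 - - [17/Aug/2023:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2301
203.0.113.5 - - [17/Aug/2023:10:03:00 +0000] "GET /ALFA_DATA/alfacgiapi%2Fups.php HTTP/1.1" 404 196
""".splitlines()
```

Run `scan_log` over the real access log of a suspect host; a 200 on any of these paths is the line to investigate first.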