During the intrusion analysis of DeftTorero’s webshells, researchers noted traces suggesting that the threat actor exploited a file upload form and/or a command injection flaw in a functional or staging website hosted on the target web server.