The attackers used a custom JAR web shell, labeled “VersaMem” by Black Lotus Labs, that employs Java instrumentation and Javassist to inject code into the Tomcat web server process memory ...
It's believed that the threat actors may have been testing the web shell in the wild on non-U.S. victims before deploying it to U.S. targets. The web shell "leverages Java instrumentation and ...