WEBC2 is a backdoor used by APT1 to retrieve a Web page from a predetermined C2 server. WEBC2-DIV is malicious software often used to gather intelligence via phishing e-mail, login credentials, backdoor, or remote trojan. (https://attack.mitre.org/wiki/Software/S0109)
The WEBC2 malware family is designed to retrieve a Web page from a predetermined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-DIV variant searches for the strings "div safe:" and " balance" to delimit encoded C2 information. If the decoded string begins with the letter "J", the malware will parse additional arguments in the decoded string to specify the sleep interval to use. WEBC2-DIV is capable of downloading a file, downloading and executing a file, or sleeping for a specified interval.
source 34:
http://contagiodump.blogspot.com/2013/03/mandiant-apt1-samples-categorized-by.html
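A detection sketch for the delimiter pair described above, added here as an example and not taken from the cited sources: it scans captured HTTP response bodies for "div safe:" followed by " balance" and reports the still-encoded span between them. The function names, the 4096-byte span cap, the case-sensitive match and the sample responses are assumptions made for illustration.

```python
import re

# Delimiter strings named in the description above (matched case-sensitively).
START = b"div safe:"
END = b" balance"

# Non-greedy match of whatever sits between the two markers. The cap on span
# length is an assumption; it keeps a stray "div safe:" from matching across
# an entire large page.
MARKER_RE = re.compile(
    re.escape(START) + rb"(.{1,4096}?)" + re.escape(END), re.DOTALL
)


def find_webc2_div_spans(body: bytes):
    """Return (offset, payload) for every delimited span in an HTTP body."""
    return [(m.start(), m.group(1)) for m in MARKER_RE.finditer(body)]


def scan_responses(responses):
    """responses: iterable of (url, body). Returns a list of alert dicts."""
    alerts = []
    for url, body in responses:
        for offset, payload in find_webc2_div_spans(body):
            alerts.append({
                "url": url,
                "offset": offset,
                # The payload is kept encoded for the analyst; the encoding
                # is not stated in the description, so none is assumed.
                "payload": payload.strip(),
            })
    return alerts


# Constructed sample responses (not real traffic; the payload is a placeholder).
SAMPLE_RESPONSES = [
    ("http://example.test/index.html",
     b"<html><body><p>Welcome</p></body></html>"),
    ("http://example.test/news.html",
     b"<html><!-- <div safe: XXXXENCODEDXXXX balance></div> --></html>"),
    ("http://example.test/shop.html",
     b"<div class='safe'>Your balance is 10</div>"),
]

if __name__ == "__main__":
    for alert in scan_responses(SAMPLE_RESPONSES):
        print(alert)
```

Only the second sample alerts; the third contains the words "safe" and "balance" but not the exact "div safe:" marker, which shows why matching both full delimiter strings in order keeps false positives down.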