Over 4K active hacker backdoors found in expiring or abandoned domains

Over 4K active hacker backdoors found in expiring or abandoned domains

Security researchers discovered and hijacked over 4,000 unique web backdoors that had been deployed by various threat actors. The backdoors, which had been abandoned or were reliant on expired infrastructure, were seized and sinkholed by WatchTowr Labs through the purchase and registration of over 40 domain names that these backdoors used for command-and-control (C2) communications. The firm managed to gain control of the compromised systems for as little as $20 per domain.

The backdoors, which are essentially web shells designed to maintain persistent remote access to target networks, varied significantly in scope and functionality. Some of the backdoors were relatively simple, capable of executing attacker-provided commands via PHP-based tools like c99shell and r57shell, while other tools such as China Chopper were more sophisticated. The latter is a web shell associated with Chinese state-backed hacker groups.

Across those 4000 unique and live backdoors, some systems belonged to government entities in Bangladesh, China, and Nigeria, as well as academic institutions across China, South Korea, and Thailand.

The researchers said that several of the web shells had been backdoored by their original maintainers, inadvertently leaking critical information about the locations and entities where they had been deployed. This allowed other threat actors to hijack the backdoors and further use them for their own purposes.


Back to the list

Latest Posts

Four key distributors of encrypted communications service Sky ECC arrested in Spain and Netherlands

Four key distributors of encrypted communications service Sky ECC arrested in Spain and Netherlands

The two men arrested in Spain are accused of overseeing the global distribution of Sky ECC devices and software.
12 February 2025
Sandworm APT targets Ukraine with trojanized Microsoft KMS activation tools

Sandworm APT targets Ukraine with trojanized Microsoft KMS activation tools

The attackers utilized a BACKORDER loader to deploy DarkCrystal RAT.
12 February 2025
North Korean Kimsuky adopted a new tactic to infiltrate targets

North Korean Kimsuky adopted a new tactic to infiltrate targets

The new tactic involves the threat actor tricking individuals into executing PowerShell commands as administrators.
12 February 2025