{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/backdoor/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defender","FortiGate","komari-agent"],"_cs_severities":["high"],"_cs_tags":["komari","backdoor","nssm","github","rat","reverse shell"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Fortinet","GitHub"],"content_html":"\u003cp\u003eHuntress discovered threat actors leveraging the Komari monitoring agent as a SYSTEM-level backdoor within a partner environment. Komari, a Go-based project on GitHub with over 4,000 stars, is designed as a remote-control and monitoring tool. This incident marks a publicly documented case of Komari being abused in a real-world intrusion. The attackers compromised VPN credentials to gain initial access before deploying the Komari agent as a persistent backdoor. Komari inherently functions as a command-and-control (C2) channel, with features enabled by default. The threat actor installed Komari as a Windows service named \u0026ldquo;Windows Update Service\u0026rdquo; using NSSM, directly from the official GitHub repository, which avoided the need for attacker-controlled staging infrastructure. 
The initial discovery occurred on April 16, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker establishes an SSLVPN session on a FortiGate device from IP address 45.153.34[.]132, authenticating as a legitimate user, [User 1].\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInternal Reconnaissance:\u003c/strong\u003e After establishing the VPN connection, the attacker\u0026rsquo;s workstation, identified as VM8514, begins enumerating the internal network from the tunnel IP 10.212.134[.]200.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e Using Impacket\u0026rsquo;s smbexec.py, the attacker enables Remote Desktop Protocol (RDP) on the target workstation, [REDACTED-WRKSTN].\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRDP Access:\u003c/strong\u003e The attacker establishes an interactive RDP session to [REDACTED-WRKSTN].\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence - Service Creation:\u003c/strong\u003e The attacker uses the Non-Sucking Service Manager (NSSM) to install the Komari agent as a persistent Windows service named \u0026ldquo;Windows Update Service\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAgent Download:\u003c/strong\u003e The Komari agent is downloaded from raw.githubusercontent[.]com/komari-monitor/komari-agent using a PowerShell one-liner executed directly on the system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control:\u003c/strong\u003e The Komari agent establishes a persistent WebSocket connection to its server, allowing the attacker to execute arbitrary commands (PowerShell/sh) and initiate interactive PTY reverse shell sessions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMaintain Access \u0026amp; Execute:\u003c/strong\u003e The attacker maintains SYSTEM-level access via the persistent Komari agent, enabling ongoing remote 
command execution and control over the compromised workstation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis attack demonstrates how readily available monitoring tools can be weaponized for malicious purposes. A single compromised account led to the establishment of a SYSTEM-level backdoor on a critical workstation. This could result in data exfiltration, further lateral movement within the network, and potentially ransomware deployment. Microsoft Defender quarantined an earlier registry hive dumping attempt, preventing further data compromise. The number of affected organizations is currently unknown, but any organization using the Komari agent without proper security controls is potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor FortiGate logs for SSLVPN sessions originating from suspicious IP addresses (45.153.34[.]132) and unusual ASNs (ASN 51396) to detect potentially compromised credentials.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect Komari Agent Installation via PowerShell\u0026rdquo; to identify installations of the Komari agent.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for the execution of \u003ccode\u003enssm.exe\u003c/code\u003e installing a service named \u0026ldquo;Windows Update Service\u0026rdquo; to detect suspicious service installations.\u003c/li\u003e\n\u003cli\u003eBlock the domain raw.githubusercontent[.]com at the DNS resolver or web proxy to prevent the downloading of malicious tools and payloads.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T00:00:00Z","date_published":"2026-04-30T00:00:00Z","id":"/briefs/2026-04-komari-red/","summary":"Threat actors are abusing the Komari monitoring agent, a project hosted on GitHub, as a SYSTEM-level backdoor following initial access through compromised VPN credentials and lateral 
movement via Impacket.","title":"Komari Agent Abused as SYSTEM-Level Backdoor","url":"https://feed.craftedsignal.io/briefs/2026-04-komari-red/"},{"_cs_actors":["UAT-4356"],"_cs_cves":[{"cvss":9.9,"id":"CVE-2025-20333"},{"cvss":6.5,"id":"CVE-2025-20362"}],"_cs_exploited":false,"_cs_products":["Firepower eXtensible Operating System (FXOS)","ASA","FTD"],"_cs_severities":["critical"],"_cs_tags":["uat-4356","firestarter","cisco","backdoor","network","espionage"],"_cs_type":"threat","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eCisco Talos reported that UAT-4356 continues to actively target Cisco Firepower devices running the Firepower eXtensible Operating System (FXOS). In early 2024, Cisco Talos attributed the ArcaneDoor campaign to UAT-4356, a state-sponsored actor focused on gaining access to network perimeter devices for espionage. The actor exploits n-day vulnerabilities CVE-2025-20333 and CVE-2025-20362 to gain unauthorized access to vulnerable devices. Upon successful exploitation, UAT-4356 deploys a custom-built backdoor called \u0026ldquo;FIRESTARTER,\u0026rdquo; which shares technical capabilities with RayInitiator\u0026rsquo;s Stage 3 shellcode. FIRESTARTER enables remote access and the execution of arbitrary code within the LINA process, a core component of Cisco\u0026rsquo;s ASA and FTD appliances. 
This allows the attackers to maintain persistent access to compromised systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUAT-4356 exploits CVE-2025-20333 and/or CVE-2025-20362 on Cisco Firepower devices running FXOS to gain initial access.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates the CSP_MOUNT_LIST to establish persistence for the FIRESTARTER backdoor.\u003c/li\u003e\n\u003cli\u003eThe FIRESTARTER backdoor is written to \u003ccode\u003e/opt/cisco/platform/logs/var/log/svc_samcore.log\u003c/code\u003e and the CSP_MOUNT_LIST is updated to copy itself to \u003ccode\u003e/usr/bin/lina_cs\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAfter a graceful reboot, FIRESTARTER is executed from \u003ccode\u003e/usr/bin/lina_cs\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eFIRESTARTER restores the original CSP_MOUNT_LIST from \u003ccode\u003e/tmp/CSP_MOUNTLIST.tmp\u003c/code\u003e and removes the temporary copy and the trojanized \u003ccode\u003e/usr/bin/lina_cs\u003c/code\u003e file from disk.\u003c/li\u003e\n\u003cli\u003eFIRESTARTER reads the LINA process’ memory, searching for specific byte sequences to verify memory layout.\u003c/li\u003e\n\u003cli\u003eFIRESTARTER copies the next stage shellcode to the last 0x200 bytes of the \u0026ldquo;libstdc++.so\u0026rdquo; memory region.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites an internal data structure in the LINA process to replace a pointer to a legitimate WebVPN XML handler function with the address of the malicious shellcode. This allows execution of arbitrary shellcode received via WebVPN requests.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised Cisco Firepower devices allow UAT-4356 to gain a foothold on network perimeters for espionage. 
Successful exploitation and deployment of the FIRESTARTER backdoor enable attackers to execute arbitrary shellcode, potentially leading to data exfiltration, further network compromise, or disruption of services. The number of victims is currently unknown, but this campaign targets network perimeter devices, which could impact organizations across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the file integrity monitoring rule to detect the creation or modification of \u003ccode\u003e/usr/bin/lina_cs\u003c/code\u003e and \u003ccode\u003e/opt/cisco/platform/logs/var/log/svc_samcore.log\u003c/code\u003e (see \u0026ldquo;File Creation in Suspicious Directory\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eApply software upgrade recommendations outlined in Cisco\u0026rsquo;s Security Advisory to mitigate CVE-2025-20333 and CVE-2025-20362.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for WebVPN requests containing unexpected XML payloads that might be used to trigger the FIRESTARTER backdoor.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T15:11:53Z","date_published":"2026-04-23T15:11:53Z","id":"/briefs/2026-04-uat-4356-firestarter/","summary":"UAT-4356 is actively targeting Cisco Firepower devices running FXOS, exploiting CVE-2025-20333 and CVE-2025-20362 to deploy the FIRESTARTER backdoor which allows remote access and control by injecting malicious shellcode into the LINA process.","title":"UAT-4356 FIRESTARTER Backdoor Targeting Cisco Firepower Devices","url":"https://feed.craftedsignal.io/briefs/2026-04-uat-4356-firestarter/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["chrome-extension","credential-theft","backdoor","ad-injection","exfiltration"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA coordinated campaign involving 108 malicious Chrome extensions has been 
discovered. These extensions, distributed through five accounts (GameGen, InterAlt, SideGames, Rodeo Games, and Yana Project), are designed to steal user data, inject ads, and create backdoors. Over 20,000 users have installed these extensions. The extensions provide expected functionality to avoid suspicion, but malicious code runs in the background, communicating with a shared C\u0026amp;C infrastructure to perform nefarious activities. The extensions target various user types by masquerading as Telegram sidebar clients, slot machine and Keno games, YouTube and TikTok enhancers, a text translation tool, and page utility extensions. This campaign poses a significant threat to user privacy and system security.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUsers install malicious Chrome extensions from the Chrome Web Store, believing they are legitimate tools (e.g., Telegram clients, games, enhancers).\u003c/li\u003e\n\u003cli\u003eUpon installation, the extensions execute JavaScript code in the background.\u003c/li\u003e\n\u003cli\u003eExtensions designed for credential theft acquire Google OAuth2 Bearer tokens and exfiltrate user information (email, name, profile picture) to a remote server.\u003c/li\u003e\n\u003cli\u003eExtensions targeting Telegram steal the active Telegram Web session by overwriting local storage with attacker-supplied data and force-reloading Telegram.\u003c/li\u003e\n\u003cli\u003eSome extensions contain a backdoor that opens an arbitrary URL received from the C\u0026amp;C server in a new tab upon browser start.\u003c/li\u003e\n\u003cli\u003eOther malicious activities include injecting ads into YouTube and TikTok pages, injecting content scripts into all visited pages, or proxying translation requests through attacker-controlled servers.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to user accounts (Google, Telegram) and can inject malicious content, redirect traffic, 
and steal sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eOver 20,000 users have been affected by these malicious extensions. The campaign targets a broad range of users by using different categories of extensions. Successful exploitation can lead to stolen credentials, account takeover, data exfiltration, ad fraud, and the ability to inject arbitrary content into visited websites. The compromised systems could be used for further malicious activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network connections originating from Chrome extensions for connections to unusual or suspicious domains using a network connection rule (see example rule below).\u003c/li\u003e\n\u003cli\u003eImplement strict policies for Chrome extension installations, including whitelisting approved extensions and blocking installation from untrusted sources.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect the execution of scripts from the malicious extensions to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T12:00:00Z","date_published":"2026-04-16T12:00:00Z","id":"/briefs/2026-04-chrome-extension-backdoor/","summary":"A coordinated campaign uses 108 malicious Chrome extensions to steal user data, inject ads, and establish backdoors on over 20,000 systems via a shared command-and-control infrastructure.","title":"Malicious Chrome Extensions Stealing Data and Opening Backdoors","url":"https://feed.craftedsignal.io/briefs/2026-04-chrome-extension-backdoor/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["bpfdoor","linux","backdoor","ebpf"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eBPFDoor is an evasive Linux backdoor that utilizes extended Berkeley Packet Filter (eBPF) technology to 
establish stealthy communication channels and maintain persistence on compromised systems. This backdoor has been observed targeting telecom networks, acting as a sleeper cell within the infrastructure. The threat leverages eBPF for its ability to operate at a low level, making detection challenging. This threat brief focuses on detecting BPFDoor through its interaction with common PID and lock files in the \u003ccode\u003e/var/run\u003c/code\u003e directory, where it attempts to masquerade as legitimate processes or services. The access of these files by unauthorized or unexpected processes can be a strong indicator of BPFDoor activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the Linux system, possibly through exploitation of a vulnerability or stolen credentials (not detailed in source).\u003c/li\u003e\n\u003cli\u003eThe attacker deploys the BPFDoor backdoor onto the compromised system.\u003c/li\u003e\n\u003cli\u003eBPFDoor establishes persistence by injecting itself into the kernel using eBPF.\u003c/li\u003e\n\u003cli\u003eBPFDoor attempts to blend in with legitimate system activity by accessing or manipulating process ID (.pid) and lock (.lock) files in the \u003ccode\u003e/var/run\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eSpecifically, BPFDoor may access files like \u003ccode\u003e/var/run/aepmonend.pid\u003c/code\u003e, \u003ccode\u003e/var/run/auditd.lock\u003c/code\u003e, \u003ccode\u003e/var/run/cma.lock\u003c/code\u003e, \u003ccode\u003e/var/run/console-kit.pid\u003c/code\u003e, \u003ccode\u003e/var/run/consolekit.pid\u003c/code\u003e, \u003ccode\u003e/var/run/daemon.pid\u003c/code\u003e, \u003ccode\u003e/var/run/hald-addon.pid\u003c/code\u003e, \u003ccode\u003e/var/run/hald-smartd.pid\u003c/code\u003e, \u003ccode\u003e/var/run/haldrund.pid\u003c/code\u003e, \u003ccode\u003e/var/run/hp-health.pid\u003c/code\u003e, 
\u003ccode\u003e/var/run/hpasmlit.lock\u003c/code\u003e, \u003ccode\u003e/var/run/hpasmlited.pid\u003c/code\u003e, \u003ccode\u003e/var/run/kdevrund.pid\u003c/code\u003e, \u003ccode\u003e/var/run/lldpad.lock\u003c/code\u003e, \u003ccode\u003e/var/run/mcelog.pid\u003c/code\u003e, \u003ccode\u003e/var/run/system.pid\u003c/code\u003e, \u003ccode\u003e/var/run/uvp-srv.pid\u003c/code\u003e, \u003ccode\u003e/var/run/vmtoolagt.pid\u003c/code\u003e, and \u003ccode\u003e/var/run/xinetd.lock\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThis access may involve reading, writing, or modifying these files to conceal its presence.\u003c/li\u003e\n\u003cli\u003eBPFDoor uses the eBPF-based communication channel to receive commands from a remote attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary commands on the compromised system, potentially leading to data theft, system disruption, or further lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful BPFDoor infection can lead to a persistent and stealthy backdoor on a Linux system. Given the nature of eBPF, detection is difficult, potentially allowing attackers long-term access to the system and sensitive data. Telecom networks are specifically mentioned, indicating potential disruption of critical communications infrastructure. 
The number of victims and specific damage caused varies per deployment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eBPFDoor Abnormal Process ID or Lock File Accessed\u003c/code\u003e to your SIEM to detect suspicious access to lock and PID files in \u003ccode\u003e/var/run\u003c/code\u003e based on auditd logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on identifying the process accessing the lock or PID file and whether it is legitimate.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to identify unusual eBPF activity.\u003c/li\u003e\n\u003cli\u003eRegularly review and update intrusion detection systems (IDS) signatures to include known BPFDoor indicators.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T11:18:05Z","date_published":"2026-04-01T11:18:05Z","id":"/briefs/2024-10-bpfdoor-lockfile-access/","summary":"BPFDoor, an evasive Linux backdoor, is detected via the unusual access of process ID and lock files in the /var/run/ directory, indicating potential malicious activity.","title":"BPFDoor Lock File Access","url":"https://feed.craftedsignal.io/briefs/2024-10-bpfdoor-lockfile-access/"}],"language":"en","title":"CraftedSignal Threat Feed — Backdoor","version":"https://jsonfeed.org/version/1.1"}