https://feed.craftedsignal.io/tags/backdoor/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioThu, 30 Apr 2026 00:00:00 +0000https://feed.craftedsignal.io/briefs/2026-04-komari-red/Thu, 30 Apr 2026 00:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-komari-red/Threat actors are abusing the Komari monitoring agent, a project hosted on GitHub, as a SYSTEM-level backdoor following initial access through compromised VPN credentials and lateral movement via Impacket.Huntress discovered threat actors leveraging the Komari monitoring agent as a SYSTEM-level backdoor within a partner environment. Komari, a Go-based project on GitHub with over 4,000 stars, is designed as a remote-control and monitoring tool. This incident marks a publicly documented case of Komari being abused in a real-world intrusion. The attackers compromised VPN credentials to gain initial access before deploying the Komari agent as a persistent backdoor. Komari inherently functions as a command-and-control (C2) channel, with features enabled by default. The threat actor installed Komari as a Windows service named “Windows Update Service” using NSSM, directly from the official GitHub repository, which avoided the need for attacker-controlled staging infrastructure. The initial discovery occurred on April 16, 2026.

Attack Chain

1. Initial Access: The attacker establishes an SSLVPN session on a FortiGate device from IP address 45.153.34[.]132, authenticating as a legitimate user, [User 1].
2. Internal Reconnaissance: After establishing the VPN connection, the attacker’s workstation, identified as VM8514, begins enumerating the internal network from the tunnel IP 10.212.134[.]200.
3. Lateral Movement: Using Impacket’s smbexec.py, the attacker enables Remote Desktop Protocol (RDP) on the target workstation, [REDACTED-WRKSTN].
4. RDP Access: The attacker establishes an interactive RDP session to [REDACTED-WRKSTN].
5. Persistence - Service Creation: The attacker uses the Non-Sucking Service Manager (NSSM) to install the Komari agent as a persistent Windows service named “Windows Update Service”.
6. Agent Download: The Komari agent is downloaded from raw.githubusercontent[.]com/komari-monitor/komari-agent using a PowerShell one-liner executed directly on the system.
7. Command and Control: The Komari agent establishes a persistent WebSocket connection to its server, allowing the attacker to execute arbitrary commands (PowerShell/sh) and initiate interactive PTY reverse shell sessions.
8. Maintain Access & Execute: The attacker maintains SYSTEM-level access via the persistent Komari agent, enabling ongoing remote command execution and control over the compromised workstation.

Impact

This attack demonstrates how readily available monitoring tools can be weaponized for malicious purposes. A single compromised account led to the establishment of a SYSTEM-level backdoor on a critical workstation. This could result in data exfiltration, further lateral movement within the network, and potentially ransomware deployment. Microsoft Defender quarantined an earlier registry hive dumping attempt, preventing further data compromise. The number of affected organizations is currently unknown, but any organization using the Komari agent without proper security controls is potentially at risk.

Recommendation

• Monitor FortiGate logs for SSLVPN sessions originating from suspicious IP addresses (45.153.34[.]132) and unusual ASN’s (ASN 51396) to detect potentially compromised credentials.
• Implement the Sigma rule “Detect Komari Agent Installation via PowerShell” to identify installations of the Komari agent.
• Monitor process creation events for the execution of nssm.exe installing a service named “Windows Update Service” to detect suspicious service installations.
• Block the domain raw.githubusercontent[.]com at the DNS resolver or web proxy to prevent the downloading of malicious tools and payloads.

]]>highadvisorykomaribackdoornssmgithubratreverse shellhttps://feed.craftedsignal.io/briefs/2026-04-uat-4356-firestarter/Thu, 23 Apr 2026 15:11:53 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-uat-4356-firestarter/UAT-4356 is actively targeting Cisco Firepower devices running FXOS, exploiting CVE-2025-20333 and CVE-2025-20362 to deploy the FIRESTARTER backdoor which allows remote access and control by injecting malicious shellcode into the LINA process.Cisco Talos reported that UAT-4356 continues to actively target Cisco Firepower devices running the Firepower eXtensible Operating System (FXOS). In early 2024, Cisco Talos attributed the ArcaneDoor campaign to UAT-4356, a state-sponsored actor focused on gaining access to network perimeter devices for espionage. The actor exploits n-day vulnerabilities CVE-2025-20333 and CVE-2025-20362 to gain unauthorized access to vulnerable devices. Upon successful exploitation, UAT-4356 deploys a custom-built backdoor called “FIRESTARTER,” which shares technical capabilities with RayInitiator’s Stage 3 shellcode. FIRESTARTER enables remote access and the execution of arbitrary code within the LINA process, a core component of Cisco’s ASA and FTD appliances. This allows the attackers to maintain persistent access to compromised systems.

Attack Chain

1. UAT-4356 exploits CVE-2025-20333 and/or CVE-2025-20362 on Cisco Firepower devices running FXOS to gain initial access.
2. The attacker manipulates the CSP_MOUNT_LIST to establish persistence for the FIRESTARTER backdoor.
3. The FIRESTARTER backdoor is written to /opt/cisco/platform/logs/var/log/svc_samcore.log and the CSP_MOUNT_LIST is updated to copy itself to /usr/bin/lina_cs.
4. After a graceful reboot, FIRESTARTER is executed from /usr/bin/lina_cs.
5. FIRESTARTER restores the original CSP_MOUNT_LIST from /tmp/CSP_MOUNTLIST.tmp and removes the temporary copy and the trojanized /usr/bin/lina_cs file from disk.
6. FIRESTARTER reads the LINA process’ memory, searching for specific byte sequences to verify memory layout.
7. FIRESTARTER copies the next stage shellcode to the last 0x200 bytes of the “libstdc++.so” memory region.
8. The attacker overwrites an internal data structure in the LINA process to replace a pointer to a legitimate WebVPN XML handler function with the address of the malicious shellcode. This allows execution of arbitrary shellcode received via WebVPN requests.

Impact

Compromised Cisco Firepower devices allow UAT-4356 to gain a foothold on network perimeters for espionage. Successful exploitation and deployment of the FIRESTARTER backdoor enable attackers to execute arbitrary shellcode, potentially leading to data exfiltration, further network compromise, or disruption of services. The number of victims is currently unknown, but this campaign targets network perimeter devices, which could impact organizations across various sectors.

Recommendation

• Deploy the file integrity monitoring rule to detect the creation or modification of /usr/bin/lina_cs and /opt/cisco/platform/logs/var/log/svc_samcore.log (see “File Creation in Suspicious Directory”).
• Apply software upgrade recommendations outlined in Cisco’s Security Advisory to mitigate CVE-2025-20333 and CVE-2025-20362.
• Monitor network traffic for WebVPN requests containing unexpected XML payloads that might be used to trigger the FIRESTARTER backdoor.

]]>criticalthreatuat-4356firestarterciscobackdoornetworkespionagehttps://feed.craftedsignal.io/briefs/2026-04-chrome-extension-backdoor/Thu, 16 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-chrome-extension-backdoor/A coordinated campaign uses 108 malicious Chrome extensions to steal user data, inject ads, and establish backdoors on over 20,000 systems via a shared command-and-control infrastructure.A coordinated campaign involving 108 malicious Chrome extensions has been discovered. These extensions, distributed through five accounts (GameGen, InterAlt, SideGames, Rodeo Games, and Yana Project), are designed to steal user data, inject ads, and create backdoors. Over 20,000 users have installed these extensions. The extensions provide expected functionality to avoid suspicion, but malicious code runs in the background, communicating with a shared C&C infrastructure to perform nefarious activities. The extensions target various user types by masquerading as Telegram sidebar clients, slot machine and Keno games, YouTube and TikTok enhancers, a text translation tool, and page utility extensions. This campaign poses a significant threat to user privacy and system security.

Attack Chain

1. Users install malicious Chrome extensions from the Chrome Web Store, believing they are legitimate tools (e.g., Telegram clients, games, enhancers).
2. Upon installation, the extensions execute JavaScript code in the background.
3. Extensions designed for credential theft acquire Google OAuth2 Bearer tokens and exfiltrate user information (email, name, profile picture) to a remote server.
4. Extensions targeting Telegram steal the active Telegram Web session by overwriting local storage with attacker-supplied data and force-reloading Telegram.
5. Some extensions contain a backdoor that opens an arbitrary URL received from the C&C server in a new tab upon browser start.
6. Other malicious activities include injecting ads into YouTube and TikTok pages, injecting content scripts into all visited pages, or proxying translation requests through attacker-controlled servers.
7. The attacker gains access to user accounts (Google, Telegram) and can inject malicious content, redirect traffic, and steal sensitive information.

Impact

Over 20,000 users have been affected by these malicious extensions. The campaign targets a broad range of users by using different categories of extensions. Successful exploitation can lead to stolen credentials, account takeover, data exfiltration, ad fraud, and the ability to inject arbitrary content into visited websites. The compromised systems could be used for further malicious activities.

Recommendation

• Monitor network connections originating from Chrome extensions for connections to unusual or suspicious domains using a network connection rule (see example rule below).
• Implement strict policies for Chrome extension installations, including whitelisting approved extensions and blocking installation from untrusted sources.
• Deploy the Sigma rule to detect the execution of scripts from the malicious extensions to your SIEM and tune for your environment.

]]>highadvisorychrome-extensioncredential-theftbackdoorad-injectionexfiltrationhttps://feed.craftedsignal.io/briefs/2024-10-bpfdoor-lockfile-access/Wed, 01 Apr 2026 11:18:05 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-10-bpfdoor-lockfile-access/BPFDoor, an evasive Linux backdoor, is detected via the unusual access of process ID and lock files in the /var/run/ directory, indicating potential malicious activity.BPFDoor is an evasive Linux backdoor that utilizes extended Berkeley Packet Filter (eBPF) technology to establish stealthy communication channels and maintain persistence on compromised systems. This backdoor has been observed targeting telecom networks, acting as a sleeper cell within the infrastructure. The threat leverages eBPF for its ability to operate at a low level, making detection challenging. This threat brief focuses on detecting BPFDoor through its interaction with common PID and lock files in the /var/run directory, where it attempts to masquerade as legitimate processes or services. The access of these files by unauthorized or unexpected processes can be a strong indicator of BPFDoor activity.

Attack Chain

1. The attacker gains initial access to the Linux system, possibly through exploitation of a vulnerability or stolen credentials (not detailed in source).
2. The attacker deploys the BPFDoor backdoor onto the compromised system.
3. BPFDoor establishes persistence by injecting itself into the kernel using eBPF.
4. BPFDoor attempts to blend in with legitimate system activity by accessing or manipulating process ID (.pid) and lock (.lock) files in the /var/run directory.
5. Specifically, BPFDoor may access files like /var/run/aepmonend.pid, /var/run/auditd.lock, /var/run/cma.lock, /var/run/console-kit.pid, /var/run/consolekit.pid, /var/run/daemon.pid, /var/run/hald-addon.pid, /var/run/hald-smartd.pid, /var/run/haldrund.pid, /var/run/hp-health.pid, /var/run/hpasmlit.lock, /var/run/hpasmlited.pid, /var/run/kdevrund.pid, /var/run/lldpad.lock, /var/run/mcelog.pid, /var/run/system.pid, /var/run/uvp-srv.pid, /var/run/vmtoolagt.pid, and /var/run/xinetd.lock.
6. This access may involve reading, writing, or modifying these files to conceal its presence.
7. BPFDoor uses the eBPF-based communication channel to receive commands from a remote attacker.
8. The attacker executes arbitrary commands on the compromised system, potentially leading to data theft, system disruption, or further lateral movement.

Impact

A successful BPFDoor infection can lead to a persistent and stealthy backdoor on a Linux system. Given the nature of eBPF, detection is difficult, potentially allowing attackers long-term access to the system and sensitive data. Telecom networks are specifically mentioned, indicating potential disruption of critical communications infrastructure. The number of victims and specific damage caused varies per deployment.

Recommendation

• Deploy the Sigma rule BPFDoor Abnormal Process ID or Lock File Accessed to your SIEM to detect suspicious access to lock and PID files in /var/run based on auditd logs.
• Investigate any alerts triggered by the Sigma rule, focusing on identifying the process accessing the lock or PID file and whether it is legitimate.
• Implement network monitoring to identify unusual eBPF activity.
• Regularly review and update intrusion detection systems (IDS) signatures to include known BPFDoor indicators.

]]>highadvisorybpfdoorlinuxbackdoorebpf