Experts from Kaspersky Lab have discovered a new backdoor, GhostContainer, which operates on open-source tools. Researchers believe that the emergence of this malware may be part of a sophisticated targeted campaign aimed at large organizations in Asia, including high-tech enterprises. The attackers are presumably focused on cyber espionage.
The malware was discovered during the response to an incident related to attacks on Exchange infrastructure in the public sector. Researchers took note of the file App_Web_Container_1.dll, which turned out to be a complex, multifunctional backdoor based on several open-source projects.
The malware is capable of dynamically expanding and acquiring new functionality by loading additional modules.
The installation of the backdoor gives attackers full control over the Exchange server, which opens up significant possibilities for further malicious activity. The malware employs various methods to evade detection and disguises itself as a server component to blend in with standard operations.
The backdoor is capable of functioning as a proxy server or tunnel, which, according to experts, exposes the entire internal network of a company to external threats, as well as creating a risk of confidential data leakage.
“Our research has shown that the attackers are technically well-versed: they understand the vulnerabilities of Exchange systems and are capable of creating and refining complex spying tools based on publicly available code. Although the first incidents were recorded in Asia, there is a possibility that the attackers could use the discovered malware in other regions. While there is not enough information to attribute GhostContainer to any known group at this time, we will continue to monitor the backdoor’s activity to better understand the cyber threat landscape,” comments Sergey Lozhkin, head of GReAT in the APAC and META regions.
2025.02.01 — Critical RCE vulnerability fixed in Cacti
A critical vulnerability has been discovered in the open-source Cacti framework: it enables an authenticated attacker to remotely execute arbitrary code. Vulnerability's ID is CVE-2025-22604; its…
Full article →
2025.04.23 — Improper authentication control vulnerability affects ASUS routers with AiCloud
ASUSTeK Computer Inc. fixed an improper authentication control vulnerability in routers with AiCloud. The bug allows remote attackers to perform unauthorized actions on vulnerable devices. The issue…
Full article →
2025.04.15 — Hackers exploit authentication bypass bug in OttoKit WordPress plugin
Hackers exploit an authentication bypass vulnerability in the OttoKit (formerly SureTriggers) WordPress plugin used by more than 100,000 websites. First attacks were recorded just…
Full article →
2025.01.22 — Fake Homebrew Infects macOS and Linux Machines with infostealer
Attackers use Google ads to disguise themselves as the Homebrew website and distribute malware targeting Mac and Linux systems and stealing logon credentials, browser data, and cryptocurrency wallets.…
Full article →
2025.02.07 — 768 vulnerabilities were exploited by hackers in 2024
According to VulnCheck, 768 CVEs were registered as exploited in real-life attacks in 2024. This is 20% greater compared to 2023 when hackers exploited 639 vulnerabilities. Interestingly,…
Full article →
2025.01.28 — J-magic backdoor attacked Juniper Networks devices using 'magic packets'
A massive backdoor attack targeting Juniper routers often used as VPN gateways has been uncovered. The devices were attacked by the J-magic malware that…
Full article →
2025.02.03 — PyPI introduces a project archival system to combat malicious updates
The Python Package Index (PyPI) introduces a new project archival system: a project can now be archived to notify users that it's not expected to be updated…
Full article →
2025.01.23 — Fake Telegram CAPTCHA forces users to run malicious PowerShell scripts
Hackers used the news of Ross Ulbricht pardoning to lure users to a rogue Telegram channel where they are tricked into running malicious PowerShell code. This…
Full article →
2025.03.16 — Researchers force DeepSeek to write malware
According to Tenable, the AI chatbot DeepSeek R1 from China can be used to write malware (e.g. keyloggers and ransomware). DeepSeek was released in January 2025 and caused a stir…
Full article →
2025.04.29 — FBI Offers 10 million USD for information on Salt Typhoon members
The FBI offers up to 10 million USD for information about members of the Chinese hacker group Salt Typhoon and last year's attack that had…
Full article →