
Experts from Kaspersky Lab have discovered a new backdoor, GhostContainer, built on open-source tools. Researchers believe that the emergence of this malware may be part of a sophisticated targeted campaign aimed at large organizations in Asia, including high-tech enterprises. The attackers are presumably focused on cyber espionage.
The malware was discovered during incident response to attacks on Exchange infrastructure in the public sector. Researchers took note of the file App_Web_Container_1.dll, which turned out to be a complex, multifunctional backdoor assembled from several open-source projects.
The malware is capable of dynamically expanding and acquiring new functionality by loading additional modules.
The installation of the backdoor gives attackers full control over the Exchange server, which opens up significant possibilities for further malicious activity. The malware employs various methods to evade detection and disguises itself as a server component to blend in with standard operations.
The backdoor is capable of functioning as a proxy server or tunnel, which, according to experts, exposes the entire internal network of a company to external threats, as well as creating a risk of confidential data leakage.
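Because the backdoor was found as a compiled ASP.NET assembly named App_Web_Container_1.dll that hides among legitimate server components, one practical defensive check is to inventory every App_Web_*.dll under a server's web application directories and flag those whose hash is not in a baseline taken from a known-good host. The script below is an added example written for this page; it is not Kaspersky's tooling, and the directory layout, file contents and baseline digests it uses are constructed for the demonstration. On a real server the root would be the Exchange/IIS temporary ASP.NET files location (an assumption about deployment, not stated in the article), and the baseline would be built from hashes collected before any suspicion of compromise.

```python
import fnmatch
import hashlib
import os
import tempfile


def sha256_of(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_unexpected_assemblies(root, baseline_hashes, pattern="App_Web_*.dll"):
    """Walk `root`, hash every file matching `pattern` and return a sorted list
    of (path, digest) for files whose digest is not in `baseline_hashes`.
    Files that do not match the pattern are ignored entirely."""
    unexpected = []
    for dirpath, _, filenames in os.walk(root):
        for name in fnmatch.filter(filenames, pattern):
            full = os.path.join(dirpath, name)
            digest = sha256_of(full)
            if digest not in baseline_hashes:
                unexpected.append((full, digest))
    return sorted(unexpected)


def build_demo_tree():
    """Constructed sample directory standing in for a compiled-assembly folder:
    one assembly already in the baseline, one that is not (named after the
    file from the article), and an unrelated file the pattern must skip.
    Returns (root_path, baseline_hash_set)."""
    root = tempfile.mkdtemp(prefix="exchange_demo_")
    sub = os.path.join(root, "root", "abc123")  # hypothetical hashed subfolder
    os.makedirs(sub)
    known = os.path.join(sub, "App_Web_known.dll")
    with open(known, "wb") as f:
        f.write(b"baseline assembly bytes (constructed)")
    with open(os.path.join(sub, "App_Web_Container_1.dll"), "wb") as f:
        f.write(b"unbaselined assembly bytes (constructed)")
    with open(os.path.join(sub, "web.config"), "wb") as f:
        f.write(b"<configuration/>")
    # Baseline contains only the digest of the known-good assembly.
    return root, {sha256_of(known)}


if __name__ == "__main__":
    demo_root, baseline = build_demo_tree()
    for path, digest in find_unexpected_assemblies(demo_root, baseline):
        print(f"REVIEW {path} sha256={digest}")
```

A hit from this check is a starting point for review, not proof of compromise: legitimate recompilation also produces new App_Web_*.dll files, so the baseline needs to be refreshed after sanctioned deployments, and any unexplained assembly should be examined rather than simply deleted.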
“Our research has shown that the attackers are technically well-versed: they understand the vulnerabilities of Exchange systems and are capable of creating and refining complex spying tools based on publicly available code. Although the first incidents were recorded in Asia, there is a possibility that the attackers could use the discovered malware in other regions. While there is not enough information to attribute GhostContainer to any known group at this time, we will continue to monitor the backdoor’s activity to better understand the cyber threat landscape,” comments Sergey Lozhkin, head of GReAT in the APAC and META regions.
