Over 4K active hacker backdoors found in expiring or abandoned domains

Over 4K active hacker backdoors found in expiring or abandoned domains

Security researchers discovered and hijacked over 4,000 unique web backdoors that had been deployed by various threat actors. The backdoors, which had been abandoned or were reliant on expired infrastructure, were seized and sinkholed by WatchTowr Labs through the purchase and registration of over 40 domain names that these backdoors used for command-and-control (C2) communications. The firm managed to gain control of the compromised systems for as little as $20 per domain.

The backdoors, which are essentially web shells designed to maintain persistent remote access to target networks, varied significantly in scope and functionality. Some of the backdoors were relatively simple, capable of executing attacker-provided commands via PHP-based tools like c99shell and r57shell, while other tools such as China Chopper were more sophisticated. The latter is a web shell associated with Chinese state-backed hacker groups.

Across those 4000 unique and live backdoors, some systems belonged to government entities in Bangladesh, China, and Nigeria, as well as academic institutions across China, South Korea, and Thailand.

The researchers said that several of the web shells had been backdoored by their original maintainers, inadvertently leaking critical information about the locations and entities where they had been deployed. This allowed other threat actors to hijack the backdoors and further use them for their own purposes.


Back to the list

Latest Posts

Cyber Security Week in Review: April 25, 2025

Cyber Security Week in Review: April 25, 2025

In brief: A SAP NetWeaver zero-day bug exploited in the wild, DslogdRAT exploits a recent Ivanti flaw, and more.
25 April 2025
ToyMaker: Financially-motivated IAB that sells access to ransomware gangs

ToyMaker: Financially-motivated IAB that sells access to ransomware gangs

ToyMaker is believed to be behind the custom backdoor dubbed ‘LAGTOY.’
24 April 2025
DragonForce and Anubis ransomware ops use novel models to attract affiliates and boost profits

DragonForce and Anubis ransomware ops use novel models to attract affiliates and boost profits

DragonForce introduced a distributed affiliate branding model.
23 April 2025