Over 4K active hacker backdoors found in expiring or abandoned domains

Security researchers discovered and hijacked over 4,000 unique web backdoors that had been deployed by various threat actors. The backdoors, which had been abandoned or were reliant on expired infrastructure, were seized and sinkholed by WatchTowr Labs through the purchase and registration of over 40 domain names that these backdoors used for command-and-control (C2) communications. The firm managed to gain control of the compromised systems for as little as $20 per domain.

The backdoors, which are essentially web shells designed to maintain persistent remote access to target networks, varied significantly in scope and functionality. Some of the backdoors were relatively simple, capable of executing attacker-provided commands via PHP-based tools like c99shell and r57shell, while other tools such as China Chopper were more sophisticated. The latter is a web shell associated with Chinese state-backed hacker groups.

Among the systems hosting those 4,000 unique, live backdoors were government entities in Bangladesh, China, and Nigeria, as well as academic institutions in China, South Korea, and Thailand.

The researchers said that several of the web shells had been backdoored by their original maintainers, inadvertently leaking critical information about the locations and entities where they had been deployed. This allowed other threat actors to hijack the backdoors and further use them for their own purposes.
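The common thread in the article is that these web shells depend on external domains for command-and-control, and once that infrastructure lapses the implant keeps calling out to a name that no longer resolves or that someone else now controls. A web server that repeatedly fails to resolve the same name on a fixed cadence is therefore a useful hunting signal. The script below is an added example written for this page; it is not code from the article or from watchTowr Labs. It assumes a simple resolver log format (timestamp, client IP, queried name, response code), and the log lines, host names and addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of resolver log lines as seen from a web-server segment.
# Assumed format: "<ISO timestamp> <client_ip> <queried_name> <rcode>".
# Names and addresses are made up for this example.
SAMPLE_DNS_LOG = """\
2025-01-08T10:00:03 10.0.5.12 cdn.example-updates.test NOERROR
2025-01-08T10:00:03 10.0.5.12 c2-old.example-abandoned.test NXDOMAIN
2025-01-08T10:05:04 10.0.5.12 c2-old.example-abandoned.test NXDOMAIN
2025-01-08T10:10:02 10.0.5.12 c2-old.example-abandoned.test NXDOMAIN
2025-01-08T10:15:05 10.0.5.12 c2-old.example-abandoned.test NXDOMAIN
2025-01-08T10:12:44 10.0.5.12 mirror.example-packages.test NOERROR
2025-01-08T10:20:03 10.0.5.12 c2-old.example-abandoned.test NXDOMAIN
2025-01-08T11:02:10 10.0.5.13 typo.example-news.test NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")


def parse_log(text):
    """Parse log lines into (timestamp, client, name, rcode) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, name, rcode = m.groups()
        events.append((datetime.fromisoformat(ts), client, name.lower(), rcode))
    return events


def find_beacon_candidates(events, min_failures=3, max_jitter=timedelta(seconds=30)):
    """Flag (client, name) pairs whose lookups repeatedly fail on a regular cadence.

    A single NXDOMAIN is noise (typos, stale config). The same host asking for the
    same dead name every N seconds, with little variation between attempts, looks
    like an implant beaconing to infrastructure that has expired.
    """
    failures = defaultdict(list)
    for ts, client, name, rcode in events:
        if rcode in ("NXDOMAIN", "SERVFAIL"):
            failures[(client, name)].append(ts)

    findings = {}
    for key, stamps in failures.items():
        if len(stamps) < min_failures:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        # Regular cadence: the spread between the longest and shortest gap is small.
        if max(gaps) - min(gaps) <= max_jitter:
            mean_gap = sum(gaps, timedelta()) / len(gaps)
            findings[key] = {
                "failures": len(stamps),
                "period_s": mean_gap.total_seconds(),
                "first_seen": stamps[0].isoformat(),
                "last_seen": stamps[-1].isoformat(),
            }
    return findings


if __name__ == "__main__":
    for (client, name), info in find_beacon_candidates(parse_log(SAMPLE_DNS_LOG)).items():
        print(f"{client} -> {name}: {info['failures']} failed lookups, "
              f"~{info['period_s']:.0f}s apart ({info['first_seen']} .. {info['last_seen']})")
```

On the constructed sample the one-off NXDOMAIN from 10.0.5.13 is ignored, while 10.0.5.12's five failed lookups of the same name roughly 300 seconds apart are reported. A hit is a lead, not a verdict: the next step is to inspect that host's web root for recently modified PHP files and to check who currently holds the registration for the flagged name, since, as the article notes, an expired C2 domain may already have been picked up by someone else.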
