Saturday, May 24, 2025
HomeCyber Security NewsAPT Hackers Use FalseFont Backdoor to Remotely Hack Computers

APT Hackers Use FalseFont Backdoor to Remotely Hack Computers

Published on

SIEM as a Service

Follow Us on Google News

Peach Sandstorm APT targets defense contractors globally via the FalseFont Backdoor, which can access remote systems and exfiltrate data.

In this campaign, the malware offers the user a realistic user interface and behavior while posing as a legitimate application from US Defense and Intelligence Contractor Maxar Technologies.

“Most of the features target user files and data structure considering the lure of this malware, the actors are likely to plan to extract US Defense / Intelligence related documents,” the Nextron Threat Research Team shared with Cyber Security News.

- Advertisement - Google News

The Peach Sandstorm advanced persistent threat, also known as APT33, Elfin, Holmium, or Refined Kitten, is an Iranian nation-state cyber attack group that Microsoft has previously seen attempting to spread the FalseFont backdoor to many organizations in the global infrastructure that supports the development of military systems, subsystems, and weapons.

Document
Run Free ThreatScan on Your Mailbox

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .

Gaining Remote Access and Exfiltrate Data

While analyzing Maxar Technologies’ website, the victim is asked if they want to log in as a guest or with their account. Entering as a guest will require providing some personal information for registration.

Many questionable actions were noticed after trying to log in using randomly selected credentials. The files that are dropped into AppData and the rapid changes made to the autostart registry keys are important events to consider in this case.

Researchers discovered that all logins are routed to a host different from the C2 that manages the remote access features. The guest login will display a fake registration and urge the user to wait for a response from the Maxar team, or most likely the threat actor in this instance. 

The agent verifies that the password meets the requirements. If the credential server acknowledges receipt of the credentials and returns a success message. The user will see a new form from the client requesting personal information such as complete name, address, email, and previous employment history with Maxar Technologies.

The real backdoor is launched when the application is first starting up, installing persistence and creating a connection with the real C2 server to enable remote access. The malware communicates via the Command and Control (C2) interface using the SignalR protocol.

Providing information about the malware's capabilities
Providing information about the malware’s capabilities

Final Words

Here, another data exfiltration method is the ability to record screen content, which gives actors access to potentially sensitive information from non-disk data such as chat or email messages.

FalseFont also has a browser credential stealer in addition to the typical file exfiltration, which could facilitate the compromise of valuable online accounts.

Finally, despite the malware’s complexity, the security method ignores strings and other potentially dangerous indicators, permitting the binaries to be detected rather easily.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to...

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code...

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager...

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to...

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code...

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager...