Thursday, May 8, 2025

Chinese Hackers Deploy New ‘Squidoor’ Malware to Target Global Organizations


A sophisticated backdoor named Squidoor, attributed to a suspected Chinese threat actor, has recently emerged.

This malware has been targeting various sectors globally, including governments, defense, telecommunications, education, and aviation, particularly in Southeast Asia and South America.

The threat actor, identified as part of the activity cluster CL-STA-0049, has been active since at least March 2023.


Initial Access and Lateral Movement

To gain access to networks, the attackers primarily exploit vulnerabilities in Internet Information Services (IIS) servers and deploy multiple web shells.

Figure: Example of a Pastebin account controlled by the attackers.

These web shells, such as OutlookDC.aspx and Error.aspx, serve as persistent backdoors, allowing the threat actor to maintain access and execute commands on compromised systems.

The attackers use tools such as curl and Impacket to spread these web shells across different servers, often disguising them as certificate files to evade detection.
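A defender-side check for the disguise described above: a file carrying a certificate name should parse as a certificate. This is an added example, not code from the report or from Palo Alto Networks; the web-shell markers, the regex and the sample files are constructed here, and the DER check only validates the outer ASN.1 SEQUENCE, not a full X.509 parse.

```python
import base64
import binascii
import re

# Tokens that belong in an ASP.NET page, never in a certificate file (constructed list).
SCRIPT_MARKERS = (b"<%@", b"<script", b"runat=", b"request[", b"eval(")
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def looks_like_der(blob: bytes) -> bool:
    """A DER certificate is one ASN.1 SEQUENCE (tag 0x30) whose declared length
    spans the rest of the file; script text never satisfies that."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    first = blob[1]
    if first < 0x80:                      # short-form length
        return len(blob) == 2 + first
    n = first & 0x7F                      # long-form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        return False
    return len(blob) == 2 + n + int.from_bytes(blob[2:2 + n], "big")

def classify_certificate_file(data: bytes) -> str:
    """'script' if web-shell markers are present, 'der' or 'pem' if the bytes
    really encode a certificate structure, otherwise 'unknown'."""
    lowered = data.lower()
    if any(marker in lowered for marker in SCRIPT_MARKERS):
        return "script"
    if looks_like_der(data):
        return "der"
    match = PEM_RE.search(data)
    if match:
        try:
            body = base64.b64decode(match.group(2))   # newlines inside are discarded
        except binascii.Error:
            return "unknown"
        return "pem" if looks_like_der(body) else "unknown"
    return "unknown"

# Constructed samples: a minimal DER SEQUENCE wrapped as PEM (not a real
# certificate) and an ASP.NET page saved under a certificate name.
GOOD_PEM = b"-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
FAKE_CER = b'<%@ Page Language="C#" %><script runat="server">/* handler body */</script>'

if __name__ == "__main__":
    for label, sample in (("good.pem", GOOD_PEM), ("fake.cer", FAKE_CER)):
        print(label, "->", classify_certificate_file(sample))
```

Run it over every file with a .cer, .crt, .pem or .der extension under the IIS web root; anything that does not come back as der or pem deserves a look.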

Squidoor Malware Capabilities

Squidoor is multi-platform malware available for both Windows and Linux systems, designed for stealth and flexibility.

Figure: The execution flow of loading Squidoor.

It supports multiple communication protocols with its command and control (C2) server, including HTTP, reverse TCP and UDP, ICMP tunneling, DNS tunneling, and even the Microsoft Outlook API.

According to the Palo Alto Networks report, this variety allows the attackers to adapt to different network environments and remain undetected.

Squidoor can execute arbitrary commands, inject payloads into processes, and exfiltrate sensitive information.

It achieves persistence by using scheduled tasks, such as the “Microsoft\Windows\AppID\EPolicyManager” task.
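A hunt for this style of persistence, where a task is planted inside the Microsoft-owned task folders under a name that resembles a legitimate one: compare a host's task list against a baseline from a clean reference machine and flag anything in that tree that is missing from it, noting near-duplicate names. This is an added example, not code from the report; the baseline, the CSV excerpt, the command lines and the CertUpdate task are constructed, and only the EPolicyManager task name comes from the article.

```python
import csv
import difflib
import io

# Baseline of task names expected under the Microsoft\Windows tree on a clean
# reference host. Constructed for this example; in practice export it with
# `schtasks /query /fo csv /v` from a known-good machine of the same build.
BASELINE = {
    r"\Microsoft\Windows\AppID\EDP Policy Manager",
    r"\Microsoft\Windows\AppID\PolicyConverter",
    r"\Microsoft\Windows\AppID\VerifiedPublisherCertStoreCheck",
}

# Constructed excerpt of `schtasks /query /fo csv /v` output, trimmed to the
# columns used here. Only the EPolicyManager task name comes from the report;
# its command line and the other non-baseline task are made up for illustration.
SCHTASKS_CSV = r'''"HostName","TaskName","Task To Run","Author"
"WEB01","\Microsoft\Windows\AppID\EDP Policy Manager","COM handler","Microsoft Corporation"
"WEB01","\Microsoft\Windows\AppID\EPolicyManager","C:\ProgramData\cert\update.exe","WEB01\Administrator"
"WEB01","\Microsoft\Windows\AppID\PolicyConverter","COM handler","Microsoft Corporation"
"WEB01","\Microsoft\Windows\Shell\CertUpdate","C:\Users\Public\svc.exe","WEB01\Administrator"
"WEB01","\Backups\NightlyCopy","C:\Tools\robocopy.cmd","CORP\backupsvc"
'''

def leaf_key(task_name: str) -> str:
    """Case- and space-insensitive leaf name, so 'EPolicyManager' is comparable
    with 'EDP Policy Manager'."""
    return task_name.rpartition("\\")[2].replace(" ", "").lower()

def hunt_scheduled_tasks(csv_text: str, baseline=BASELINE):
    """Return (task_name, reason, task_to_run) for every task under the
    Microsoft\\Windows tree that is absent from the baseline, noting lookalikes."""
    baseline_lower = {b.lower() for b in baseline}
    leaves_by_folder = {}
    for b in baseline:
        leaves_by_folder.setdefault(b.rpartition("\\")[0].lower(), []).append(leaf_key(b))
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["TaskName"]
        if name == "TaskName":            # schtasks repeats the header per folder
            continue
        if not name.lower().startswith("\\microsoft\\windows\\") or name.lower() in baseline_lower:
            continue
        folder = name.rpartition("\\")[0].lower()
        close = difflib.get_close_matches(leaf_key(name), leaves_by_folder.get(folder, []), n=1, cutoff=0.8)
        reason = f"lookalike of baseline task {close[0]}" if close else "not in baseline"
        findings.append((name, reason, row["Task To Run"]))
    return findings

if __name__ == "__main__":
    for finding in hunt_scheduled_tasks(SCHTASKS_CSV):
        print(*finding, sep=" | ")
```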

The malware uses a unique method to communicate via the Outlook API.

It logs in using a hard-coded refresh token and queries the drafts folder for specific emails containing commands.

These commands are encoded and decoded using a combination of Base64, AES, and a custom XOR algorithm, allowing the attackers to send and receive data disguised as legitimate Outlook traffic.

To counter these threats, the report advises security teams to use advanced security tools such as Cortex XDR and Cloud-Delivered Security Services.

These solutions can help detect and mitigate the sophisticated tactics employed by Squidoor.

Organizations should remain vigilant and monitor for suspicious activity, especially in high-risk sectors.

The use of Squidoor highlights the evolving nature of cyber threats and the need for robust defense strategies to protect against such advanced malware.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.