Wednesday, May 7, 2025
DarkPulsar – A Shadow Brokers Group’s New Hacking Tool Leak To Open Backdoor & Provide Remote Control


A new administrative module called DarkPulsar, leaked by the Shadow Brokers hacking group, comes with a persistent backdoor that gives the attackers remote control of compromised machines.

It belongs to the same leak as two sophisticated frameworks, DanderSpritz and FuzzBunch, published in 2017 by the Shadow Brokers.

The modules of these frameworks provide persistence and other advanced functionality through a variety of plugins: one framework's plugins are designed to analyze victims, exploit vulnerabilities and schedule tasks, while the other's help monitor machines that are already under control.


The leak, called "Lost in Translation", is where the new DarkPulsar implant was discovered.

It acts as an administrative module during the post-exploitation stage and provides remote control through a passive backdoor named 'sipauth32.tsp'.

The attackers mainly target Windows Server 2003/2008, and the victims are organizations in the nuclear energy, telecommunications, IT, aerospace and R&D sectors located in Russia, Iran and Egypt.

Researchers initially identified 50 victims, but they believe the number was much higher while the FuzzBunch and DanderSpritz frameworks were actively used, since the attackers deleted their malware from victim computers once they ended their cyber-espionage campaign.

DarkPulsar Infection Process

Two nameless exported functions are used to install the backdoor on the targeted victim's machine, and the names of its other exports relate to two interfaces:

  •  TSPI (Telephony Service Provider Interface) – ensures the backdoor is in the autorun list
  •  SSPI (Security Support Provider Interface) – implements the main malicious payload

DarkPulsar exports functions that carry the same names as the functions of these interfaces.

According to Kaspersky's research, the implant is installed in the system by the nameless exported function. The backdoor is launched by calling Secur32.AddSecurityPackage with administrator privileges, passing the path to its own library as the parameter; this causes lsass.exe to load DarkPulsar as an SSP/AP and to call its exported function SpLsaModeInitialize, which DarkPulsar uses to initialize the backdoor.

DarkPulsar then takes control of the authentication process handled by the following system libraries:

  •  Msv1_0.dll – for the NTLM protocol,
  •  Kerberos.dll – for the Kerberos protocol,
  •  Schannel.dll – for the TLS/SSL protocols,
  •  Wdigest.dll – for the Digest protocol, and
  •  Lsasrv.dll – for the Negotiate protocol.

Once it controls these authentication processes, it gains the ability to embed its malicious traffic inside system protocols, so that the traffic appears to originate from the System process.
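As an added example (not code from the article or from Kaspersky's report), the following Python script shows a defender's triage of the two registration points the mechanism above relies on: the LSA "Security Packages" list, which is the persistent registration point for SSP/AP libraries that lsass.exe loads, and the TAPI "Telephony\Providers" list, which is where a .tsp provider is registered for autorun. It parses the text that `reg query` prints for those two keys (a constructed sample is embedded; only the name sipauth32.tsp comes from the article) and flags entries absent from an assumed baseline. The baseline sets are assumptions and should be replaced with values from a known-good image of the same Windows version. Note also that a package added at runtime through AddSecurityPackage is resident in lsass.exe without necessarily appearing in the registry, so this registry check complements, rather than replaces, inspecting the modules loaded by lsass.exe.

```python
"""Offline triage of two Windows registration points that a DarkPulsar-style
implant relies on: LSA Security Packages (SSP/AP libraries loaded by
lsass.exe) and TAPI telephony providers (.tsp libraries loaded on autorun).
Added example; parses `reg query` text output so it can run on an exported
dump without touching the live host."""
import re
from typing import Dict, List, Tuple

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
TAPI_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
            r"\Telephony\Providers")

# Assumed baselines (not from the article): replace with the package and
# provider names taken from a known-good image of the same Windows version.
KNOWN_SSPS = {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u",
              "cloudap"}
KNOWN_TSPS = {"unimdm.tsp", "kmddsp.tsp", "ndptsp.tsp", "ipconf.tsp",
              "h323.tsp", "hidphone.tsp", "remotesp.tsp"}

# Constructed sample of what `reg query <key>` prints for the two keys on a
# host where an extra SSP and an extra TSP were registered. Only the name
# sipauth32.tsp comes from the article; everything else is made up.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Security Packages    REG_MULTI_SZ    kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0pku2u\0sipauth32

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony\Providers
    NumProviders    REG_DWORD    0x3
    NextProviderID    REG_DWORD    0x4
    ProviderID0    REG_DWORD    0x1
    ProviderFileName0    REG_SZ    unimdm.tsp
    ProviderID1    REG_DWORD    0x2
    ProviderFileName1    REG_SZ    kmddsp.tsp
    ProviderID2    REG_DWORD    0x3
    ProviderFileName2    REG_SZ    C:\Windows\System32\sipauth32.tsp
"""

# `reg query` separates value name, type and data with four spaces.
_VALUE_RE = re.compile(r"^\s{4}(.+?)\s{4}(REG_[A-Z_]+)\s{4}(.*)$")
_PROVIDER_RE = re.compile(r"^providerfilename(\d+)$", re.IGNORECASE)

RegDump = Dict[str, Dict[str, Tuple[str, str]]]


def parse_reg_query(text: str) -> RegDump:
    """Parse `reg query` output into {key_path: {value_name: (type, data)}}."""
    keys: RegDump = {}
    current = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, vtype, data = m.groups()
            keys[current][name] = (vtype, data.strip())
    return keys


def security_packages(reg: RegDump) -> List[str]:
    """Return the LSA Security Packages list; reg query prints REG_MULTI_SZ
    entries joined by a literal backslash-zero sequence."""
    entry = reg.get(LSA_KEY, {}).get("Security Packages")
    if entry is None:
        return []
    return [p for p in entry[1].split("\\0") if p]


def telephony_providers(reg: RegDump) -> List[str]:
    """Return the ProviderFileNameN values in numeric order of N."""
    found = []
    for name, (_, data) in reg.get(TAPI_KEY, {}).items():
        m = _PROVIDER_RE.match(name)
        if m:
            found.append((int(m.group(1)), data))
    return [data for _, data in sorted(found)]


def find_unexpected(reg: RegDump, known_ssps=KNOWN_SSPS,
                    known_tsps=KNOWN_TSPS) -> Dict[str, List[str]]:
    """Flag SSP and TSP registrations that are not in the baselines.
    TSP entries may be full paths, so the comparison uses the file name."""
    ssp = [p for p in security_packages(reg) if p.lower() not in known_ssps]
    tsp = [t for t in telephony_providers(reg)
           if t.lower().rsplit("\\", 1)[-1] not in known_tsps]
    return {"ssp": ssp, "tsp": tsp}


if __name__ == "__main__":
    findings = find_unexpected(parse_reg_query(SAMPLE_REG_QUERY))
    for kind, items in findings.items():
        for item in items:
            print(f"[!] unexpected {kind.upper()} registration: {item}")
```

On a real host the input would come from `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa"` and `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony\Providers"` saved to a text file; any entry the script flags should be resolved to a file on disk and checked for a valid signature and a plausible location before being treated as benign.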

[Figure: Network traffic during successful connection]

“Another advantage of controlling authentication is the ability to bypass entering a valid username and password for obtaining access to objects that require authentication, such as the processes list, remote registry, and file system through SMB.”

Researchers have not seen any techniques for stealing money in this implant, but it is worth keeping in mind that the implant can run any executable code, so its functionality can be increased significantly, Kaspersky said.


Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
