Wednesday, May 21, 2025

Hackers Attacking Telecoms Servers With HTTPSnoop Malware

Published on



In 2022, state-sponsored actors and other advanced adversaries consistently targeted telecommunications firms worldwide, making telecoms one of the most-targeted sectors in Cisco Talos Incident Response engagements.

Telecom firms with critical infrastructure assets are prime targets due to their role in national networks and as potential gateways for adversaries.

Cybersecurity researchers at Cisco Talos recently found a new malware family, “HTTPSnoop,” targeting telecom companies in the Middle East. It uses a novel technique of interfacing with the Windows HTTP kernel driver (HTTP.sys) to listen for requests to specific URLs and execute the content (shellcode) carried in those requests.


Because the implant cluster, which includes HTTPSnoop and PipeSnoop, has TTPs that do not match any group Talos already tracks, Talos attributes it to a new intrusion set named “ShroudedSnooper.”

Variants of HTTPSnoop

In total, the attackers built three variants of HTTPSnoop:

  • Variant 1: The DLL-based HTTPSnoop variants are loaded via DLL hijacking by benign applications. The first variant, compiled on April 17, 2023, binds to HTTP URLs that mimic Microsoft Exchange Web Services (EWS) API paths and executes the shellcode delivered in matching requests.
  • Variant 2: The second variant, created on April 19, 2023, resembles the first but listens on a different set of URLs on ports 80 and 443, which suggests it was meant for an internet-exposed web server other than EWS.
  • Variant 3: The third variant, created on April 29, 2023, adds a kill-switch URL and listens on only one other URL, likely to lower the risk of detection by reducing the number of bound URLs.

HTTPSnoop Malware Interface

HTTPSnoop and PipeSnoop masqueraded as components of Palo Alto Networks’ Cortex XDR application. Their compile timestamps were altered, and the values chosen suggest the attackers were operating during the Cortex XDR v7.8 window (August 2022 – April 2023).

HTTPSnoop is a simple but effective backdoor. It:

  • Uses low-level Windows APIs to interact directly with the HTTP device on the system, rather than opening its own listening socket
  • Listens for incoming requests that match specific URL patterns
  • Decodes and executes the shellcode carried in those requests
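Because HTTPSnoop receives traffic through the HTTP.sys kernel driver instead of its own socket, a port scan or netstat view shows nothing unusual: port 443 is still owned by the legitimate web server. What does change is the set of URL registrations attached to request queues, which `netsh http show servicestate view=requestq` enumerates along with the PIDs that own each queue. The following hunting script is an added example written for this article, not Talos’ tooling or the malware’s own code: it parses that output, maps PIDs to image names, and flags EWS-style URL registrations owned by anything other than the expected web-server processes. The sample output embedded below is constructed to resemble netsh’s layout (the real format may differ in detail), the URLs and process names in it are invented, and `EXPECTED_OWNERS` is an assumption that should be tailored to the host’s role.

```python
"""Hunt for HTTP.sys URL registrations owned by unexpected processes.

Added example for the HTTPSnoop write-up. The SAMPLE text and the PID
map are constructed, not captured from a real host; the parser is
tolerant of indentation but assumes netsh's general layout.
"""
import csv
import io
import re
import subprocess

# Processes that may legitimately own Exchange-style URLs (assumption).
EXPECTED_OWNERS = {"w3wp.exe", "MSExchangeHMWorker.exe", "System"}

# Path prefixes HTTPSnoop is reported to mimic; extend as needed.
SUSPICIOUS_PATHS = ("/ews/", "/autodiscover/", "/owa/")

URL_RE = re.compile(r"^\s*(HTTPS?://\S+)\s*$", re.IGNORECASE)
PID_RE = re.compile(r"^\s*(\d+)\s*$")


def parse_request_queues(text):
    """Return a list of {"name", "pids", "urls"} dicts, one per request queue."""
    queues, current, section = [], None, None
    for line in text.splitlines():
        stripped = line.strip()
        if line.startswith("Request queue name:"):       # unindented = new queue
            current = {"name": stripped.split(":", 1)[1].strip(), "pids": [], "urls": []}
            queues.append(current)
            section = None
        elif current is None:
            continue
        elif section == "urls" and URL_RE.match(line):
            current["urls"].append(URL_RE.match(line).group(1))
        elif section == "pids" and PID_RE.match(line):
            current["pids"].append(int(stripped))
        elif stripped == "Process IDs:":
            section = "pids"
        elif stripped == "Registered URLs:":
            section = "urls"
        elif ":" in stripped:                              # any other label ends the section
            section = None
    return queues


def suspicious_registrations(queues, pid_to_image):
    """Return (url, pid, image) for mimicry URLs owned by non-whitelisted processes."""
    findings = []
    for q in queues:
        for url in q["urls"]:
            parts = url.split("/", 3)
            path = "/" + (parts[3] if len(parts) > 3 else "")
            if not path.lower().startswith(SUSPICIOUS_PATHS):
                continue
            for pid in q["pids"]:
                image = pid_to_image.get(pid, "<unknown>")
                if image not in EXPECTED_OWNERS:
                    findings.append((url, pid, image))
    return findings


def live_queues():
    """Collect the real request-queue view on a Windows host."""
    out = subprocess.run(["netsh", "http", "show", "servicestate", "view=requestq"],
                         capture_output=True, text=True, check=True).stdout
    return parse_request_queues(out)


def live_pid_map():
    """Map PID -> image name using `tasklist /FO CSV /NH` (Windows only)."""
    out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                         capture_output=True, text=True, check=True).stdout
    return {int(row[1]): row[0] for row in csv.reader(io.StringIO(out)) if len(row) > 1}


# Constructed sample: one queue owned by an unknown process that has
# registered EWS-style URLs, one legitimate IIS worker queue.
SAMPLE = """\
Snapshot of HTTP service state (Request Queue View):
-----------------------------------------------------

Request queue name: Request queue is unnamed.
    Version: 2.0
    State: Active
    Number of active processes attached: 1
    Process IDs:
        4012
    URL groups:
    URL group ID: F100000040000001
        State: Active
        Request queue name: Request queue is unnamed.
        Number of registered URLs: 2
        Registered URLs:
            HTTPS://*:443/ews/
            HTTPS://*:443/autodiscover/

Request queue name: DefaultAppPool
    Version: 2.0
    State: Active
    Number of active processes attached: 1
    Process IDs:
        5220
    URL groups:
    URL group ID: F100000040000002
        State: Active
        Request queue name: DefaultAppPool
        Number of registered URLs: 1
        Registered URLs:
            HTTPS://*:443/owa/
"""
SAMPLE_PIDS = {4012: "updater.exe", 5220: "w3wp.exe"}   # constructed

if __name__ == "__main__":
    for url, pid, image in suspicious_registrations(parse_request_queues(SAMPLE), SAMPLE_PIDS):
        print(f"SUSPICIOUS {url} owned by pid {pid} ({image})")
```

On a real Exchange host replace the sample with `suspicious_registrations(live_queues(), live_pid_map())`; any hit whose image is not an Exchange or IIS worker deserves a look at the DLLs loaded in that process, since the DLL-based variants run inside a hijacked benign application.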

The analyzed DLL consists of two key components:

  • Encoded Stage 2 shellcode.
  • Encoded Stage 2 configuration.

When the malicious DLL is loaded, it XOR-decodes the Stage 2 configuration and shellcode with a single-byte key and then executes the decoded shellcode.

Single byte XOR routine (Source – Cisco Talos)
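A single-byte XOR is trivial to reverse once you know, or can guess, something the plaintext must contain. For an implant that listens on URL patterns, the Stage 2 configuration is a natural place to expect a URL string, and Windows HTTP server APIs take wide (UTF-16LE) strings. The script below is an added example for this article, not Talos’ decoder or the malware’s own routine: it brute-forces the 256 possible keys against a blob, accepts a key only if an `http://` or `https://` crib appears in ASCII or UTF-16LE, and then carves URL strings out of the decoded data. The blob it decodes is constructed here (a made-up URL plus placeholder bytes, encoded with key 0x5A); the assumption that the real configuration carries the URL in UTF-16LE is not stated on the page.

```python
"""Recover a single-byte XOR key from an encoded Stage 2 blob by crib search.

Added example for the HTTPSnoop write-up. BLOB, KEY, CONFIG and
SHELLCODE below are constructed test data, not samples from the malware.
"""
import re

CRIBS = (b"http://", b"https://")
WIDE_CRIBS = tuple(c.decode("ascii").encode("utf-16-le") for c in CRIBS)

# Printable ASCII URL, or the same as UTF-16LE (each char followed by 0x00).
URL_ASCII = re.compile(rb"https?://[\x21-\x7e]+")
URL_WIDE = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with the same key; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def recover_key(blob: bytes):
    """Return every key (0..255) under which a URL crib appears in the decoded blob."""
    hits = []
    for key in range(256):
        plain = xor_single_byte(blob, key)
        if any(c in plain for c in CRIBS) or any(c in plain for c in WIDE_CRIBS):
            hits.append(key)
    return hits


def extract_urls(plain: bytes):
    """Carve ASCII and UTF-16LE URL strings from decoded data."""
    urls = [m.group().decode("ascii") for m in URL_ASCII.finditer(plain)]
    urls += [m.group().decode("utf-16-le") for m in URL_WIDE.finditer(plain)]
    return urls


def decode_stage2(blob: bytes):
    """Return (key, decoded_bytes, urls) for the first key that yields a crib, else None."""
    keys = recover_key(blob)
    if not keys:
        return None
    plain = xor_single_byte(blob, keys[0])
    return keys[0], plain, extract_urls(plain)


# Constructed sample: a UTF-16LE URL (NUL-terminated) followed by a few
# placeholder bytes standing in for shellcode, all XORed with 0x5A.
KEY = 0x5A
CONFIG = "https://*:443/ews/exchange/".encode("utf-16-le") + b"\x00\x00"
SHELLCODE = bytes.fromhex("fc4883e4f0e8c0000000")   # placeholder, not real payload
BLOB = xor_single_byte(CONFIG + SHELLCODE, KEY)

if __name__ == "__main__":
    key, plain, urls = decode_stage2(BLOB)
    print(f"key=0x{key:02x} urls={urls} shellcode_offset={len(CONFIG)}")
```

Against a real sample you would read the embedded resource or data section the loader decodes, run `decode_stage2` on it, and treat the recovered URLs as detection material: the same patterns can be fed to the HTTP.sys registration hunt above. If no crib hits, widen `CRIBS` with other strings the loader is known to need (for example, the kill-switch path), rather than guessing a key.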

PipeSnoop, created in May 2023, is a distinct implant that accepts shellcode over a Windows IPC pipe instead of HTTP requests. That design suggests it was built for a different environment, most likely an internal enterprise host that the attackers can already reach through pipe I/O rather than an internet-exposed server.


Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
