Monday, May 19, 2025
HomeCyber Security NewsHackers Attacking Telecoms Servers With HTTPSnoop Malware

Hackers Attacking Telecoms Servers With HTTPSnoop Malware

Published on

SIEM as a Service

Follow Us on Google News

In 2022, state-sponsored actors and advanced adversaries consistently targeted telecoms globally, making it a top sector in Talos IR cases.

Telecom firms with critical infrastructure assets are prime targets due to their role in national networks and as potential gateways for adversaries.

Cybersecurity researchers at Cisco Talos recently found a new malware, “HTTPSnoop,” targeting Middle East telecom companies, using unique methods to interface with Windows HTTP kernel drivers for URL-based content execution.

- Advertisement - Google News

The implant cluster, including HTTPSnoop and PipeSnoop, with unique TTPs, is attributed to a new intrusion set named “ShroudedSnooper” as it doesn’t match known groups tracked by Talos.

Variants of HTTPSnoop

In total, the attackers built three variants of HTTPSnoop:-

  • Variant 1: DLL-based HTTPSnoop variants use DLL hijacking in benign apps, with the first variant from April 17, 2023, binding to HTTP URLs resembling Microsoft’s EWS API for shellcode execution.
  • Variant 2: The second variant, created on April 19, 2023, resembles the initial HTTPSnoop version but targets different HTTP URLs on Ports 80 and 443, possibly for a non-EWS web server that is exposed.
  • Variant 3: Later, they created a third variant with a killswitch URL and another listening URL on April 29, 2023, likely to lower detection risks by limiting the URLs.

HTTPSnoop Malware Interface

HTTPSnoop and PipeSnoop posed as components of Palo Alto Networks’ Cortex XDR app, with altered compile timestamps suggesting operation during the v7.8 window (Aug 2022 – Apr 2023).

HTTPSnoop is a basic but efficient backdoor that does the following things:-

  • Uses low-level Windows APIs to interact with HTTP devices
  • Listen for specific URL patterns
  • Executes decoded shellcode from incoming requests

There are two key components that the analyzed DLL consists of, and here below, we have mentioned them:-

  • Encoded Stage 2 shellcode.
  • Encoded Stage 2 configuration.

The activated malicious DLL XOR also decodes and runs the Stage 2 configuration and shellcode.

Single byte XOR routine (Source – Cisco Talos)

PipeSnoop, created in May 2023, is a distinct implant designed for different environments and likely used in enterprises with IPC pipe I/O capabilities.

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Hackers Exploit RVTools to Deploy Bumblebee Malware on Windows Systems

A reliable VMware environment reporting tool, RVTools, was momentarily infiltrated earlier this week on...

Confluence Servers Under Attack: Hackers Leverage Vulnerability for RDP Access and Remote Code Execution

Threat actors exploited a known vulnerability, CVE-2023-22527, a template injection flaw in Atlassian Confluence...

New ModiLoader Malware Campaign Targets Windows PCs, Harvesting User Credentials

AhnLab Security Intelligence Center (ASEC) has recently uncovered a malicious campaign distributing ModiLoader (also...

Health Care Data Breach Costs BreachForums Admin $700,000 Fine

Conor Brian Fitzpatrick, the 22-year-old former administrator of cybercrime forum Breachforums, will forfeit approximately...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Hackers Exploit RVTools to Deploy Bumblebee Malware on Windows Systems

A reliable VMware environment reporting tool, RVTools, was momentarily infiltrated earlier this week on...

Confluence Servers Under Attack: Hackers Leverage Vulnerability for RDP Access and Remote Code Execution

Threat actors exploited a known vulnerability, CVE-2023-22527, a template injection flaw in Atlassian Confluence...

New ModiLoader Malware Campaign Targets Windows PCs, Harvesting User Credentials

AhnLab Security Intelligence Center (ASEC) has recently uncovered a malicious campaign distributing ModiLoader (also...