Monday, May 5, 2025

Popular Server Management Software Infected with Encrypted Payload That Could Remotely Activate a Backdoor


XMANAGER5, a very popular server management software product owned by NetSarang, was found shipping with a backdoor that cyber criminals injected as an encrypted payload.

The encrypted payload was discovered by Kaspersky researchers, who named it Backdoor.Win32.ShadowPad.a; its activity marks a successful supply-chain attack.

This software is used in hundreds of critical networks, including telecommunications, transportation and banks, as a secure file transfer client and for server management.


The backdoor was found embedded in a code library called nssock2.dll that is used by this software.

[Image: nssock2.dll embedded library]

According to Kaspersky, the attackers may originate from China, a prediction based on the same techniques having been used in other malware such as PlugX and Winnti.


How Does the Backdoor Work

To evade detection, the backdoor wraps its payload in several layers of encryption.

[Image: layers of encryption]

The ShadowPad backdoor is activated only when it receives a special packet from the command and control (C&C) server.

Before it receives that special command, it can only transfer basic information such as the computer, domain and user names, and it sends this information every 8 hours.

Activation of the payload is triggered by a special domain, “nylalobghyhirgh.com”, via a specially crafted DNS TXT record.

The backdoor is triggered by the first layer of C&C servers and then activated by the second layer.

[Image: layer of processing by the C2 server]

“The module performs a quick exchange with the controlling DNS server and provides basic target information (domain and user name, system date, network configuration) to the server. The C&C DNS server in return sends back the decryption key for the next stage of the code, effectively activating the backdoor,” Kaspersky said.

Communication between the module and the C&C server is fully encrypted with a proprietary algorithm, and each packet also contains an encrypted “magic” DWORD value, “52 4F 4F 44”.

The embedded code downloads and executes arbitrary code provided by the C&C server, and it also acts as a modular backdoor platform.

The backdoor also maintains a virtual file system (VFS) inside the registry, which is encrypted and stored in a location unique to each victim.

The remote access capabilities, the algorithm and the C&C domains are changed every month by the group or individual behind this malware.

Kaspersky confirms that the backdoor was successfully activated at a company in Hong Kong.

Requests to the C&C domains listed by Kaspersky indicate DNS activity from the backdoor.

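As an added defensive example (not code from the article or from Kaspersky), the following Python scans constructed resolver log lines in a hypothetical "time client qtype qname" format for lookups of the C&C domains the article lists and flags clients that repeat them on the roughly 8-hour cadence described above; it also matches subdomains of those domains, which goes beyond the exact names in the text.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# C2 domains listed in the article (defanging brackets removed for matching).
SHADOWPAD_DOMAINS = {
    "ribotqtonut.com", "nylalobghyhirgh.com", "jkvmdmjyfcvkf.com",
    "bafyvoruzgjitwr.com", "xmponmzmxkxkh.com", "tczafklirkl.com",
    "notped.com", "dnsgogle.com", "operatingbox.com", "paniesx.com",
    "techniciantext.com",
}
# Constructed sample resolver log in a hypothetical format: "<iso-time> <client> <qtype> <qname>".
SAMPLE_LOG = """\
2025-05-05T00:03:12 10.0.0.25 A www.example.com
2025-05-05T01:00:00 10.0.0.25 TXT abc123.nylalobghyhirgh.com
2025-05-05T09:01:30 10.0.0.25 TXT def456.nylalobghyhirgh.com
2025-05-05T17:00:45 10.0.0.25 TXT ghi789.nylalobghyhirgh.com
2025-05-05T12:00:00 10.0.0.31 A notped.com
2025-05-05T12:05:00 10.0.0.31 A www.example.org
"""
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+)$")
def parse_line(line):
    """Return (timestamp, client, qtype, qname) or None for an unparseable line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, qtype, qname = m.groups()
    return datetime.fromisoformat(ts), client, qtype, qname.rstrip(".").lower()
def registered_domain(qname):
    """Collapse host.sub.example.com to example.com so subdomain lookups match too."""
    return ".".join(qname.split(".")[-2:])
def analyse(lines, period=timedelta(hours=8), tolerance=timedelta(minutes=15)):
    """Flag lookups of known C2 domains and clients repeating them on an ~8h cadence."""
    hits, per_client = [], defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, qtype, qname = rec
        if registered_domain(qname) in SHADOWPAD_DOMAINS:
            hits.append((client, qtype, qname))
            per_client[client].append(ts)
    beaconing = []
    for client, stamps in per_client.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        # Two or more consecutive gaps near the 8h period is the beacon signature.
        if len(gaps) >= 2 and all(abs(g - period) <= tolerance for g in gaps):
            beaconing.append(client)
    return hits, sorted(beaconing)
```

A single lookup of a listed domain is reported as a hit on its own; the beacon check only adds confidence when several lookups from one client line up with the 8-hour interval.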

All malicious files were removed from the NetSarang website after Kaspersky reported the issue to NetSarang.

Image Credits: Kaspersky

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
