
Kaspersky Uncovers GhostContainer Backdoor That Targets Microsoft Exchange Servers
The file detected by Kaspersky as App_Web_Container_1.dll turned out to be a sophisticated, multi-functional backdoor that leverages several open-source projects and can be dynamically extended with arbitrary functionality through additional module downloads.
Once loaded, it provides attackers with full control over the Exchange server, enabling a wide range of malicious activities. To avoid detection by security solutions, it uses several evasion techniques and presents itself as a legitimate server component to blend in with normal operations. In addition, it can act as a proxy or tunnel, potentially exposing the internal network to external threats or facilitating the exfiltration of sensitive data from internal systems. Therefore, cyber espionage is suspected to be the aim of the campaign.
'Our in-depth analysis revealed that the attackers are highly skilled at exploiting Exchange systems and leveraging various open-source projects related to infiltrating IIS and Exchange environments, as well as creating and enhancing sophisticated espionage tools based on publicly available code. We will continue monitoring their activity, along with the scope and scale of these attacks, to gain a better understanding of the threat landscape,' comments Sergey Lozhkin, Head of GReAT, APAC & META.
At this time, it is not possible to attribute GhostContainer to any known threat actor group, as the attackers have not exposed any infrastructure. The malware incorporates code from several publicly accessible open-source projects, which could be leveraged by hackers or APT groups worldwide. Notably, by the end of 2024, a total of 14,000 malicious packages were identified in open-source projects — a 48% increase compared to the end of 2023 — highlighting the growing threat in this area.

Related Articles


Zawya, an hour ago
Kaspersky reveals SharePoint ToolShell vulnerabilities stem from incomplete 2020 fix
Kaspersky's Global Research and Analysis Team (GReAT) discovered that the recently exploited ToolShell vulnerabilities in Microsoft SharePoint originate from an incomplete fix for CVE-2020-1147, first reported in 2020. The SharePoint vulnerabilities have emerged as a major cybersecurity threat this year amid active exploitation. Kaspersky Security Network showed exploitation attempts worldwide, including in Egypt, Jordan, Russia, Vietnam and Zambia. The attacks target organizations across government, finance, manufacturing, forestry and agriculture sectors. Kaspersky solutions proactively detected and blocked ToolShell attacks before the vulnerabilities were publicly disclosed.

Kaspersky GReAT researchers analyzed the published ToolShell exploit and found it alarmingly similar to the 2020 CVE-2020-1147 exploit. This suggests that the CVE-2025-53770 patch is, in fact, an effective fix for the vulnerability that CVE-2020-1147 attempted to address five years ago. The connection to CVE-2020-1147 became evident following the discovery of CVE-2025-49704 and CVE-2025-49706, patched on July 8. However, these fixes could be bypassed by adding a single forward slash to the exploit payload. Once Microsoft learned of active exploitation of these vulnerabilities, they responded with comprehensive patches that addressed potential bypass methods, designating the vulnerabilities as CVE-2025-53770 and CVE-2025-53771. The surge in attacks against SharePoint servers worldwide occurred during the window between initial exploitation and full patch deployment.

Despite patches now being available for the ToolShell vulnerabilities, Kaspersky expects attackers will continue exploiting this chain for years to come. "Many high-profile vulnerabilities remain actively exploited years after discovery — ProxyLogon, PrintNightmare and EternalBlue still compromise unpatched systems today. We expect ToolShell to follow the same pattern: its ease of exploitation means the public exploit will soon appear in popular penetration testing tools, ensuring prolonged use by attackers," said Boris Larin, principal security researcher at Kaspersky GReAT.

To stay safe, Kaspersky recommends:
- Organizations using Microsoft SharePoint must apply the latest security patches immediately. This applies to all high-risk vulnerabilities, as even brief exposure can lead to compromise.
- Deploy cybersecurity solutions that protect against zero-day exploits when patches aren't yet available. Kaspersky Next, with its Behavior Detection component, proactively blocks exploitation of such vulnerabilities.

Read the full report on

About Kaspersky
Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky's deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect individuals, businesses, critical infrastructure, and governments around the globe. The company's comprehensive security portfolio includes leading digital life protection for personal devices, specialized security products and services for companies, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help millions of individuals and over 200,000 corporate clients protect what matters most to them. Learn more at


Zawya, 6 days ago
Corporate and academic teams welcome to register in a new Kaspersky contest
Kaspersky announces the registration opening for its brand-new Kaspersky{CTF} (Capture the Flag) competition, inviting academic and corporate teams from around the globe to compete in a battle of skill, strategy and innovation. The competition will run in five regional streams, with the winning teams of each stream getting a unique opportunity to join the finals as part of Kaspersky's Security Analyst Summit in Thailand on October 25-28 and compete for an $18,000 prize pool.

In an era where cyberthreats continue to evolve, Kaspersky remains committed to fostering cybersecurity talent and upskilling cybersecurity professionals worldwide to help them counter the constantly developing threat landscape. In May, Kaspersky hosted SAS CTF (Security Analyst Summit Capture the Flag) qualifiers for the community of cybersecurity researchers, defining eight teams that will meet at the finals. The new CTF competition — Kaspersky{CTF} — is designed to reach out to an even broader audience of researchers and bring together teams from academic and corporate fields, offering a platform for both rising talents and established experts to test their skills on a grand scale.

Registration for the competition is open for the participating teams, here. To register their team, potential participants should choose one of the regional streams:
- North America, South America and the Caribbean
- Europe
- The Middle East, Turkiye and Africa
- Russia and the CIS
- Asia and Oceania

To complete registration, all participants will have to verify their affiliation with a recognized institution or organization, using emails with corporate or academic domains. On August 30-31, the teams that passed registration will step up to the 24-hour online CTF tournament that will define regional winners. During the challenge, they will face cutting-edge cybersecurity tasks, ranging from cryptography and reverse engineering to web security, and undoubtedly AI.

The META stream of the competition is organized with the support of the UAE Cyber Security Council. The Council plays a vital role in securing the nation's digital transformation and supporting initiatives that enhance cyber resilience within the local market. H.E. Dr. Mohamed Al Kuwaiti, Head of the UAE Cyber Security Council, stated: "The UAE Cyber Security Council is committed to fostering a resilient and forward-looking cyber environment". He added: "We recognize the critical importance of nurturing cybersecurity talent and commend initiatives like the Kaspersky CTF for empowering cybersecurity professionals and strengthening community cooperation".

The winners of five regional Kaspersky{CTF} streams will have an opportunity to receive an exclusive invitation and travel coverage to the SAS CTF 2025 on-site finals in Thailand to compete for the main prize together with eight SAS CTF finalists. "Organizations supporting or participating in CTFs not only strengthen internal cyber capabilities but also signal a proactive commitment to talent development and industry leadership. For young researchers, Kaspersky{CTF} is a unique opportunity to meet the real-world challenges and realize that work in cybersecurity is worth it," commented Igor Kuznetsov, Director of Kaspersky's Global Research & Analysis Team.

In preparation for the main event, Kaspersky will organize a series of educational sessions designed to enhance participants' competitive readiness. These webinars will cover teaser tasks and strategies for effective CTF performance at SAS CTF finals.


Arabian Post, 6 days ago
APT41 Espionage Strikes Southern African Government IT
A sophisticated cyber-espionage campaign has targeted a government-affiliated IT department in Southern Africa, with indicators pointing to the China-linked APT41 group. Kaspersky's Managed Detection and Response team detected the intrusion via unusual activity on multiple workstations, prompting an in-depth investigation and attribution to APT41 with high confidence.

The attackers infiltrated the network by exploiting a publicly exposed web server, carrying out registry dumping to harvest credentials for a local administrator account and a backup solution account with domain-wide privileges. These credentials enabled lateral movement and elevation of access across the organisation's network.

Once embedded, the threat actors deployed a suite of both custom and public reconnaissance tools. A modified Pillager stealer was converted into a DLL to exfiltrate browser, database and admin tool credentials, screenshots, source code, active chats, email correspondence, and more. Additionally, the Checkout stealer captured browser history, downloaded files, stored passwords and credit card information. The attackers also utilised RawCopy and a Mimikatz DLL to extract registry secrets, while Cobalt Strike served as their primary command-and-control mechanism.

Unusually, the attackers leveraged the internal SharePoint server as a covert C2 channel, embedding a custom web shell to send and receive commands. This tactic allowed them to mask illicit operations within legitimate internal communications, minimising suspicion. Further probing revealed use of the Impacket modules WmiExec and Atexec, which fetched reconnaissance outputs and exfiltrated SAM and SYSTEM registry hives from compromised hosts. A later phase of the operation involved the deployment of a malicious HTA file via a domain impersonating GitHub, used to establish a reverse shell and lock in persistent access.

This marks one of APT41's most comprehensive operations in Africa, a region previously experiencing minimal activity from this actor. Analysts highlight the full deployment of the group's TTPs, spanning stealthy reconnaissance, lateral movement, data harvesting, and covert command channels. Denis Kulik, Lead SOC Analyst at Kaspersky MDR, emphasised the challenge such campaigns present: 'Defending against such sophisticated attacks is impossible without comprehensive expertise and continuous monitoring of the entire infrastructure'. The attackers' integration of both bespoke stealer implants and legitimate tools like Mimikatz and Cobalt Strike underlines their adaptive and stealthy approach.

The incident underscores growing cyber-espionage interest in African government IT systems. APT41, active across 42 countries, now appears to be intensifying surveillance operations on the continent. Organisations are urged to ensure full security agent deployment across endpoints, enforce least privilege principles, and monitor internal services rigorously. Kaspersky also recommends adopting advanced solutions such as EDR/XDR and managed detection and response services, along with threat intelligence offerings to anticipate and counter complex intrusions.