Backdooring Your Backdoors - Another $20 Domain, More Governments
2025-01-08 • watchTowr •
https://labs.watchtowr.com/more-governments-backdoors-in-your-backdoors/
WatchTowr describes a research project that registered expired domains embedded in old web shells and used them to observe compromised hosts reporting back to abandoned backdoor infrastructure. The researchers say more than 4,000 live backdoors checked in, including systems tied to governments and universities in several countries. The post frames abandoned callback domains in attacker tooling as an infrastructure-takeover weakness that can let a third party inherit access originally obtained by other intruders. It does not attribute the exposed web shells or compromised hosts to a specific DPRK actor.
Indicators of Compromise