GhostContainer backdoor for Exchange servers
July 17, 2025, 7:51 p.m.
Description
A sophisticated backdoor targeting Exchange servers of high-value organizations in Asia has been discovered. The malware, named GhostContainer, is a multi-functional backdoor that can be dynamically extended with additional modules. It leverages several open-source projects and employs various evasion techniques to avoid detection. The backdoor grants attackers full control over the Exchange server and can function as a proxy or tunnel. The malware is believed to be part of an APT campaign targeting government and high-tech companies in Asia. It includes components for C2 parsing, virtual page injection, and web proxy functionality. The attackers demonstrated expertise in exploiting Exchange systems and assembling sophisticated espionage tools.
Tags
Date
- Created: July 17, 2025, 2:59 p.m.
- Published: July 17, 2025, 2:59 p.m.
- Modified: July 17, 2025, 7:51 p.m.
Indicators
- 87a3aefb5cdf714882eb02051916371fbf04af2eb7a5ddeae4b6b441b2168e36
Additional Information
- Technology
- Government