Squidoor: Suspected Chinese Threat Actor’s Backdoor Targets Global Organizations

Feb. 27, 2025, 1:48 p.m.

Description

Since at least March 2023, a suspected Chinese threat actor has been targeting government, defense, telecommunications, education, and aviation sectors in Southeast Asia and South America. The attackers employ a sophisticated backdoor known as Squidoor, which affects both Windows and Linux systems. Squidoor is modular and designed for stealth, utilizing multiple communication protocols—including Outlook API, DNS tunneling, and ICMP tunneling—to establish covert channels with command and control servers. Initial access is typically achieved by exploiting vulnerabilities in Internet Information Services (IIS) servers, followed by the deployment of obfuscated web shells for persistent access.

Date

  • Created: Feb. 27, 2025, 1:18 p.m.
  • Published: Feb. 27, 2025, 1:18 p.m.
  • Modified: Feb. 27, 2025, 1:48 p.m.

Indicators


Attack Patterns

  • Squidoor
  • T1095
  • T1505
  • T1071
  • T1027
  • T1041
  • T1190
  • T1078

Additional Information

  • Aerospace
  • Defense
  • Education
  • Government