Red Hot Cyber
Cybersecurity, Cybercrime News and Vulnerability Analysis

New GhostContainer backdoor discovered that threatens Asian companies’ Exchange instances

3 August 2025 09:37

Kaspersky Lab specialists have discovered a new backdoor called GhostContainer, built from open-source tools. Researchers believe the appearance of this malware may be part of a sophisticated targeted campaign against large organizations in Asia, including high-tech companies. The attackers are presumably aiming for cyber espionage.

The malware was discovered during the response to an incident involving attacks on Exchange infrastructure in the public sector. The researchers focused on the App_Web_Container_1.dll file, which turned out to be a complex, multifunctional backdoor based on several open-source projects. The malware can dynamically expand and acquire new functionality by loading additional modules.

Installing the backdoor gives attackers full control over the Exchange server, opening up numerous opportunities for further malicious activity. The malware uses various methods to evade detection and disguises itself as a server component to blend in with standard operations.

The backdoor can act as a proxy or tunnel server, which, according to experts, exposes the company’s entire internal network to external threats and also creates the risk of confidential data leakage.

“Our research has shown that attackers are highly technically skilled: they understand the vulnerabilities of Exchange systems and are capable of creating and improving complex espionage tools based on publicly available code.”

“Although the first incidents were recorded in Asia, there is a possibility that attackers could use the malware discovered in other regions. While there is currently insufficient information to attribute GhostContainer to a known group, we will continue to monitor the backdoor’s activity to better understand the threat landscape,” adds Sergey Lozhkin, head of Kaspersky’s GReAT for the APAC and META regions.


The Red Hot Cyber Editorial Team provides daily updates on bugs, data breaches, and global threats. Every piece of content is validated by our community of experts, including Pietro Melillo, Massimiliano Brolli, Sandro Sana, Olivia Terragni, and Stefano Gazzella. Through synergy with our industry-leading partners—such as Accenture, CrowdStrike, Trend Micro, and Fortinet—we transform technical complexity into collective awareness. We ensure information accuracy by analyzing primary sources and maintaining a rigorous technical peer-review process.