https://www.bleepingcomputer.com/news/security/over-4-000-backdoors-hijacked-by-registering-expired-domains

Security researchers at WatchTowr Labs have discovered thousands of active web backdoors and hijacked them by registering the expired domains used to control them. These backdoors, found on systems belonging to governments, universities, and other organizations, provide persistent access for malicious actors.

By registering expired domains associated with these backdoors, researchers gained control and observed communication from over 4,000 compromised systems. This included systems within government networks in China, Nigeria, and Bangladesh, as well as educational institutions in Thailand, China, and South Korea.

The research highlights the ongoing threat posed by abandoned infrastructure. Even after the initial attack, a backdoor whose control domain has expired can still be exploited by other cybercriminals who register that domain. This underscores the importance of proper security measures and the need for organizations to regularly review and update their security posture.

WatchTowr Labs, in collaboration with The Shadowserver Foundation, is now monitoring these hijacked domains to prevent their re-use by malicious actors.