Expired Domains Allowed Control Over 4,000 Backdoors On Compromised Systems
Summary: A cybersecurity operation by watchTowr Labs has successfully hijacked over 4,000 unique web backdoors by taking control of abandoned domains, allowing them to track compromised systems and potentially commandeer them. This initiative highlights vulnerabilities in the infrastructure used by various threat actors, revealing significant oversight in their operations.

Threat Actor: Various threat actors
Victim: Government entities and academic institutions

Key Points:

  • watchTowr Labs registered over 40 expired domains to hijack backdoors that still relied on this abandoned infrastructure.
  • The operation allowed tracking of compromised hosts as they communicated with the hijacked domains.
  • Compromised targets included government and academic institutions from multiple countries.
  • Web shells like c99shell and r57shell were identified, capable of executing commands and performing file operations.
  • Some web shells were backdoored, leaking deployment locations to other threat actors.
  • The operation showed that attackers make significant operational oversights, just as defenders do.

Source: https://thehackernews.com/2025/01/expired-domains-allowed-control-over.html