Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: backdoor (8 articles)Clear

Stealthy Mistic backdoor gives ransomware access broker KongTuke lasting footholds

Symantec and Zscaler detailed Mistic, a stealthy new Windows backdoor used in intrusions since April and tied to KongTuke, an initial access broker that sells footholds to ransomware crews including Qilin, Akira, and Rhysida. Mistic is side-loaded through a legitimate Microsoft executable and a malicious DLL named to mimic endpoint-security software, runs payloads only in memory with nothing written to disk, and includes a self-delete kill switch, all aimed at long-term, low-visibility access. It is delivered through social-engineering lures such as fake CAPTCHAs and Microsoft Teams help-desk pretexts that trick users into running PowerShell commands. Defenders should watch for the unusual DLL side-loading pattern.

Check
Hunt for the legitimate MpExtMs.exe process side-loading unexpected DLLs, in-memory-only payloads, and signs of paste-and-run PowerShell delivered through fake CAPTCHAs or Microsoft Teams help-desk messages.
Affected
Enterprises across insurance, education, IT, and professional services targeted by KongTuke; a quiet, in-memory backdoor establishes durable access that is later sold to ransomware affiliates for deployment.
Fix
Train users against paste-and-run and fake IT-support lures, restrict PowerShell and script execution, deploy behavioral detection for DLL side-loading and in-memory backdoors, and apply the published indicators of compromise.

Hacked WordPress plugin updates push credential-stealing backdoor to paying sites

Attackers compromised the build pipeline of ShapedPlugin, a WordPress plugin maker, and slipped malware into legitimate updates delivered to paying customers through the vendor's own update system. The tainted releases install a fake plugin that impersonates WooCommerce components, steals site credentials, and gives attackers the ability to write files remotely. Three paid plugins are affected: Product Slider Pro for WooCommerce, Real Testimonials Pro, and Smart Post Show Pro. The backdoor was injected into Pro builds on May 21, with the first customer reports on June 10. Versions on WordPress.org stayed clean, pointing to a compromise of the vendor's release infrastructure rather than the plugins themselves.

Check
Check whether your WordPress sites run ShapedPlugin's Product Slider Pro, Real Testimonials Pro, or Smart Post Show Pro, and look for unfamiliar plugins impersonating WooCommerce components and new admin or file-write activity.
Affected
WordPress sites that updated the paid plugins Product Slider Pro (before 3.5.4), Real Testimonials Pro 3.2.5, or Smart Post Show Pro (before 4.0.2) between May 21 and the fix (tracked as CVE-2026-10735).
Fix
Update the affected ShapedPlugin products to fixed versions, remove any rogue WooCommerce-impersonating plugin, rotate all site and admin credentials, and scan the site for web shells and unauthorized file changes.

WordPress plugin supply-chain attack backdoors sites via Awesome Motive CDN

Attackers compromised the content-delivery network of Awesome Motive, one of the biggest WordPress plugin makers, and injected malicious JavaScript into files served for OptinMonster, TrustPulse, and PushEngage, plugins running on more than 1.2 million sites. Discovered by Sansec, the code only triggered when a logged-in WordPress administrator viewed an affected site, at which point it stole authentication tokens, created a hidden rogue admin account, and installed a self-concealing backdoor plugin that exposed a web shell. The bad files were served on June 12 to 14. Awesome Motive says attackers stole a CDN API key after breaching its marketing site, and has since rotated credentials.

Check
If your site runs OptinMonster, TrustPulse, or PushEngage, check for rogue admin accounts like developer_api1 or dev_xxxxxx and inspect wp-content/plugins for hidden backdoor plugins.
Affected
WordPress sites running OptinMonster, TrustPulse, or PushEngage where an administrator was logged in during the June 12 to 14 injection window; other Awesome Motive plugins should be treated cautiously.
Fix
Remove rogue admin accounts and backdoor plugins, then rotate administrator passwords, API keys, database credentials, and WordPress security salts. Update affected plugins and scan the site for further tampering.

Mr_Rot13 actor exploits cPanel CVE-2026-41940 to deploy cross-platform 'Filemanager' backdoor

QiAnXin XLab has tied the ongoing exploitation of cPanel's CVE-2026-41940 to a previously-quiet threat actor it tracks as Mr_Rot13, who has been operating since at least 2020. The attack chain exploits the cPanel and WHM authentication bypass to drop a Go-based infector that adds an attacker SSH key, plants a PHP web shell, and serves a fake login page to steal cPanel credentials (ROT13-encoded, exfiltrated to wrned[.]com). The final payload is a cross-platform backdoor called Filemanager that runs on Windows, macOS, and Linux. XLab counts over 2,000 attacker source IPs currently scanning for this flaw.

Check
Search cPanel and WHM authentication logs for unusual successful logins since April 28. Check /root/.ssh/authorized_keys on every cPanel host for unknown public keys, and search web roots for unfamiliar PHP files.
Affected
Any cPanel or WHM installation that was not patched against CVE-2026-41940 between disclosure on April 28, 2026, and now. Indicators of Mr_Rot13 compromise include the SSH public key added under root, the wrned[.]com credential exfiltration domain, the cp.dene[.]de[.]com infector source, and the wpsock[.]com Filemanager delivery domain.
Fix
If still unpatched, install the cPanel fix for CVE-2026-41940 immediately. On any host that was internet-exposed and unpatched, assume compromise: remove unknown SSH keys from root, sweep for unfamiliar PHP web shells, block the indicator domains wrned[.]com, cp.dene[.]de[.]com, and wpsock[.]com at egress, rotate cPanel and WHM root credentials, and check bash_history for evidence of attacker reconnaissance.

New Linux backdoor 'PamDOORa' silently steals SSH credentials from every user logging into a compromised server - and erases its tracks from the logs

Group-IB and Flare disclosed PamDOORa, a new Linux backdoor for sale on the Russian-speaking Rehub cybercrime forum at $900 (down from $1,600). PamDOORa hijacks the Linux Pluggable Authentication Module (PAM) framework that handles SSH logins - so it intercepts every legitimate user's password as they authenticate, before any application-level logging fires. The backdoor injects a malicious pam_linux.so module into the authentication stack rather than replacing files. It also tampers with lastlog, btmp, utmp, and wtmp to erase attacker login traces - meaning incident response teams who SSH in to investigate will have their own credentials silently stolen. Group-IB notes the abuse method is not yet in MITRE ATT&CK.

Check
Audit /etc/pam.d/ for unfamiliar pam_*.so modules, particularly pam_linux.so. Compare loaded PAM modules against your distribution's default set. Hunt /tmp for files with random names containing XOR-encrypted credential captures.
Affected
All x86_64 Linux servers running OpenSSH for remote access. PamDOORa is post-exploitation, so attackers must already have root - but once installed it captures every SSH credential and persists invisibly. Acute risk: any Linux server compromised at any point in the past, regardless of remediation - PamDOORa survives standard cleanup unless PAM-specific auditing was performed.
Fix
Enable SELinux or AppArmor in enforcing mode to constrain PAM module loading. Install Auditd with DISA-STIG rules to alert on /etc/pam.d/ changes. Deploy rkhunter or chkrootkit for routine PAM rootkit detection. Treat any compromised Linux server as having fully exposed credentials - rotate every SSH key, password, and token.

New Linux variant of GoGra backdoor uses Microsoft Graph API for stealth C2 - blends in with legitimate Office 365 traffic

Security Affairs covered new research on April 23 documenting a Linux port of the GoGra backdoor, originally seen as Windows-only. The Linux variant retains GoGra's defining feature: it uses Microsoft Graph API as its command-and-control channel, fetching commands from Outlook drafts in an attacker-controlled Microsoft 365 tenant and writing results back to the same drafts. Because the C2 traffic is HTTPS to graph.microsoft.com - the same endpoint legitimate clients hit constantly - it is invisible to most network-layer detections. The Linux port targets enterprise Linux servers with Outbound 443 access to Microsoft cloud services, broadening reach onto build servers and jump hosts.

Check
Audit which Linux servers in your environment have outbound HTTPS access to graph.microsoft.com and restrict it to hosts with a documented Microsoft 365 use case.
Affected
Linux servers with outbound HTTPS access to graph.microsoft.com - in most enterprise networks that means almost all of them, since egress filters routinely allow the entire Microsoft 365 endpoint range by default. Build servers, jump hosts, developer workstations, and DMZ services with Linux are the highest-value targets because they often hold credentials and source code.
Fix
Restrict graph.microsoft.com egress to only hosts that genuinely need it (mail relays, M365 integrations). On all other Linux hosts, log and alert on outbound graph.microsoft.com connections. In your M365 tenant, enable audit logging for application registrations and OAuth grants and alert on tokens used from unfamiliar IPs. Rotate credentials for any Linux server that had unsanctioned graph.microsoft.com traffic.

Attacker bought 30+ WordPress plugins on Flippa, planted backdoor in August 2025, activated it 8 months later across hundreds of thousands of sites

One of the most methodical WordPress supply chain attacks ever: a buyer known only as 'Kris' purchased the entire Essential Plugin portfolio (30+ free WordPress plugins) on the Flippa marketplace for six figures. In August 2025, they injected a PHP deserialization backdoor in version 2.6.7, disguised as a compatibility check for WordPress 6.8.2. The malicious code sat dormant for eight months, building trust. On April 5-6, 2026, the attacker activated it - the C2 domain analytics.essentialplugin[.]com began distributing payloads to every site running the compromised plugins. The backdoor injected cloaked SEO spam into wp-config.php, visible only to Googlebot. WordPress.org permanently closed all 31 plugins on April 7 and pushed a forced auto-update - but the cleanup only removed the phone-home code, not the wp-config.php modifications, meaning compromised sites still served spam after the 'fix'. This happened the same week as the Smart Slider 3 supply chain attack we reported April 11 - two different supply chain attacks via the WordPress trusted update channel in one week.

Check
Check if any of your WordPress sites use plugins from the Essential Plugin / WP Online Support author. The full list of 31 affected plugins includes Starter Templates, Starter Templates for Starter Template, Blog Designer, Countdown Timer Ultimate, Starter Templates Manager, and many more.
Affected
WordPress sites running any of the 31 Essential Plugin plugins that were active before April 8, 2026. The backdoor was present since version 2.6.7 (August 2025). Affected plugins include: Starter Templates for starter template themes, Blog Designer for Post and Widget, Countdown Timer Ultimate, Album and Image Gallery Plus Lightbox, Audio Player with Playlist Ultimate, and 26+ others.
Fix
If any affected plugin was active on your site: (1) Check wp-config.php for injected code and clean it manually - the WordPress.org forced update did NOT fix this. (2) Search for and remove wp-comments-posts.php if present. (3) Scan all files for additional payloads. (4) Rotate all admin and database credentials. (5) Check for hidden admin accounts. The WordPress.org forced update to 2.6.9.1 disabled the phone-home mechanism but did not remediate existing compromise. Treat affected sites as fully compromised.

Smart Slider 3 Pro update system hijacked - backdoored version pushed to 800,000+ WordPress sites via official channel

Attackers compromised Nextend's update infrastructure and pushed a fully weaponized version of Smart Slider 3 Pro (3.5.1.35) through the official WordPress and Joomla update channel on April 7. Sites with auto-updates enabled received a multi-layered remote access toolkit disguised as a legitimate plugin update. The malicious version was live for approximately six hours before detection. Patchstack's analysis found: unauthenticated remote command execution via crafted HTTP headers, a second authenticated backdoor with PHP eval and OS command execution, a hidden administrator account (prefixed wpsvc_) invisible in the admin interface, persistent backdoors planted in the active theme's functions.php and wp-config.php, and automated credential theft sent to an external server. Traditional defenses like firewalls, nonce verification, and role-based access controls are irrelevant here because the malicious code arrived through the trusted update channel. Affected sites should be considered fully compromised.

Check
Check if any of your WordPress or Joomla sites run Smart Slider 3 Pro. If you updated to version 3.5.1.35 on or after April 7, your site is compromised.
Affected
WordPress and Joomla sites running Smart Slider 3 Pro version 3.5.1.35 that updated between April 7, 2026 and detection ~6 hours later. The free version is not affected. Sites with auto-updates enabled were most at risk.
Fix
If you installed 3.5.1.35: restore from a backup dated April 5 or earlier (to account for time zones). If no backup is available: update to 3.5.1.36, remove the hidden admin user (check for wpsvc_ prefix), clean wp-config.php (remove WP_CACHE_SALT define), clean .htaccess (remove WPCacheSalt line), remove persistence files from theme's functions.php, delete backdoor files in /cache and /media directories, remove malicious wp_options entries (_wpc_ak, _wpc_uid, _wpc_uinfo, _perf_toolkit_source), reset all admin and database passwords, change FTP/SSH and hosting credentials, and enable 2FA for all admin accounts. Sites should be treated as fully compromised - credential theft means passwords are already in attacker hands.