{ "type": "Domain", "indicator": "microsoft-beta.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/microsoft-beta.com", "alexa": "http://www.alexa.com/siteinfo/microsoft-beta.com", "indicator": "microsoft-beta.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4041185513, "indicator": "microsoft-beta.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "67c066362e3ef75c6173eab4", "name": "Squidoor: Suspected Chinese Threat Actor\u2019s Backdoor Targets Global Organizations", "description": "Since at least March 2023, a suspected Chinese threat actor has been targeting government, defense, telecommunications, education, and aviation sectors in Southeast Asia and South America. The attackers employ a sophisticated backdoor known as Squidoor, which affects both Windows and Linux systems. Squidoor is modular and designed for stealth, utilizing multiple communication protocols\u2014including Outlook API, DNS tunneling, and ICMP tunneling\u2014to establish covert channels with command and control servers. Initial access is typically achieved by exploiting vulnerabilities in Internet Information Services (IIS) servers, followed by the deployment of obfuscated web shells for persistent access.", "modified": "2025-03-29T13:00:48.397000", "created": "2025-02-27T13:18:46.410000", "tags": [ "squidoor", "backdoor", "apt", "espionage" ], "references": [ "https://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/" ], "public": 1, "adversary": "Squidoor", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [ "Government", "Education", "Defense", "Aerospace" ], "TLP": "white", "cloned_from": null, "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 22, "domain": 3, "hostname": 2 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 386514, "modified_text": "427 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "672f6ed2b564f00b7c5cb13f", "name": "Threatfox Recent Additions", "description": "", "modified": "2025-06-13T19:00:02.811000", "created": "2024-11-09T14:16:50.032000", "tags": [], "references": [ "", "https://threatfox.abuse.ch/export/csv/recent/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 96, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ameermane", "id": "77501", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 47587, "URL": 18714, "FileHash-SHA256": 36311, "FileHash-MD5": 1630, "FileHash-SHA1": 418, "hostname": 18190 }, "indicator_count": 122850, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "351 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67d345231c2eccfcce4d97ce", "name": "Squidoor Backdoor Malware Exploits IIS Servers for Stealthy Attacks", "description": "A highly advanced backdoor malware, dubbed \"Squidoor,\" is being used by suspected Chinese threat actors to target organizations in South America and Southeast Asia. The malware is designed for stealth and persistence, enabling attackers to maintain access to compromised networks while evading detection.", "modified": "2025-04-12T20:04:25.096000", "created": "2025-03-13T20:50:43.530000", "tags": [ "squidoor", "figure", "pastebin", "windows", "c2 server", "windows version", "southeast asia", "south america", "linux", "outlook api", "alliance", "icmp", "impacket", "code", "powershell", "february", "protect", "chinese" ], "references": [ "https://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Windows", "display_name": "Windows", "target": null }, { "id": "Squidoor", "display_name": "Squidoor", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Defense", "Telecommunication", "Education", "Aviation" ], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Superpro", "id": "61676", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 22, "FileHash-SHA1": 22, "FileHash-SHA256": 22, "domain": 4, "hostname": 2 }, "indicator_count": 72, "is_author": false, "is_subscribing": null, "subscriber_count": 214, "modified_text": "413 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c12f0d27427e63858406d0", "name": "IOC&TTP - Squidoor: Suspected Chinese Threat Actor\u2019s Backdoor Targets Global Organizations", "description": "\u672c\u6587\u5206\u6790\u4e86\u4e00\u7ec4\u6076\u610f\u6d3b\u52a8\uff0c\u7f16\u53f7\u4e3a CL-STA-0049\u3002\u81ea 2023\u5e743\u6708 \u4ee5\u6765\uff0c\u8be5\u6d3b\u52a8\u7591\u4f3c\u7531\u4e2d\u56fd\u80cc\u666f\u7684\u5a01\u80c1\u884c\u4e3a\u8005\u53d1\u8d77\uff0c\u4e3b\u8981\u9488\u5bf9 \u4e1c\u5357\u4e9a\u548c\u5357\u7f8e\u5730\u533a \u7684\u653f\u5e9c\u3001\u56fd\u9632\u3001\u7535\u4fe1\u3001\u6559\u80b2\u548c\u822a\u7a7a\u9886\u57df\u7684\u7ec4\u7ec7\u3002\u653b\u51fb\u8005\u7684\u4e3b\u8981\u76ee\u6807\u5305\u62ec \u7a83\u53d6\u654f\u611f\u4fe1\u606f\uff0c\u7279\u522b\u662f\u6d89\u53ca\u9ad8\u5c42\u5b98\u5458\u53ca\u76f8\u5173\u4e2a\u4eba\u7684\u6570\u636e\u3002\n\n\u8c03\u67e5\u8fc7\u7a0b\u4e2d\uff0c\u7814\u7a76\u4eba\u5458\u63ed\u793a\u4e86\u8be5\u653b\u51fb\u8005\u7684 \u6218\u672f\u3001\u6280\u672f\u4e0e\u7a0b\u5e8f\uff08TTPs\uff09\uff0c\u5305\u62ec \u653b\u51fb\u6d41\u7a0b\u3001\u901a\u8fc7Web Shell\u8fdb\u884c\u521d\u59cb\u6e17\u900f \u53ca \u9690\u853d\u901a\u4fe1\u6e20\u9053\u3002\u5176\u4e2d\uff0c\u653b\u51fb\u8005\u5229\u7528\u4e86\u4e00\u79cd \u65b0\u578b\u590d\u6742\u7684\u540e\u95e8\u7a0b\u5e8f\u2014\u2014Squidoor\uff08\u53c8\u540dFinalDraft\uff09\uff0c\u9002\u7528\u4e8e Windows \u548c Linux \u5e73\u53f0\u3002\u672c\u7814\u7a76\u9996\u6b21\u63ed\u793a\u4e86 Squidoor \u7684 Windows \u53d8\u79cd\uff0c\u5e76\u6df1\u5165\u5206\u6790\u4e86\u5176 \u6307\u6325\u4e0e\u63a7\u5236\uff08C2\uff09\u901a\u4fe1\u673a\u5236\u3002\n\nSquidoor \u5177\u5907\u4ee5\u4e0b\u7279\u6027\uff1a\n\n\u91c7\u7528 \u6a21\u5757\u5316\u8bbe\u8ba1\uff0c\u652f\u6301\u591a\u79cd\u9690\u853d\u901a\u4fe1\u65b9\u5f0f\uff0c\u5305\u62ec\uff1a\nOutlook API\nDNS \u96a7\u9053\nICMP \u96a7\u9053\n\u5177\u5907 \u4fe1\u606f\u6536\u96c6\u3001\u8fdc\u7a0b\u547d\u4ee4\u6267\u884c\u3001\u8fdb\u7a0b\u6ce8\u5165 \u548c \u6a2a\u5411\u79fb\u52a8 \u7b49\u529f\u80fd\u3002\n\u901a\u8fc7 Microsoft Console Debugger (cdb.exe) \u8fdb\u884c \u4ee3\u7801\u6ce8\u5165\uff0c\u4ee5\u89c4\u907f\u68c0\u6d4b\u3002\n\u5229\u7528 Web Shell \u8fdb\u884c \u521d\u59cb\u8bbf\u95ee\uff0c\u5e76\u90e8\u7f72\u591a\u4e2a\u53d8\u79cd\uff0c\u5982\uff1a\nOutlookDC.aspx\nError.aspx\nTimeoutAPI.aspx\n\u901a\u8fc7 Pastebin \u5b58\u50a8\u548c\u7ba1\u7406\u6076\u610f\u7ec4\u4ef6\u53ca API \u8bbf\u95ee\u4ee4\u724c\u3002\n\u7814\u7a76\u8868\u660e\uff0c\u653b\u51fb\u8005 \u4e3b\u8981\u5229\u7528 IIS \u670d\u52a1\u5668\u6f0f\u6d1e \u8fdb\u884c\u5165\u4fb5\uff0c\u5e76\u4f7f\u7528\u591a\u79cd\u6280\u672f \u5728\u53d7\u5bb3\u7f51\u7edc\u5185\u90e8\u6269\u5c55\u63a7\u5236\u6743\uff0c\u4ee5\u589e\u5f3a \u6301\u4e45\u6027\u548c\u9690\u533f\u6027\u3002Squidoor \u5177\u5907 10\u79cdWindows C2\u901a\u4fe1\u65b9\u6cd5 \u548c 9\u79cdLinux C2\u901a\u4fe1\u65b9\u6cd5\uff0c\u80fd\u591f\u9002\u5e94\u4e0d\u540c\u653b\u51fb\u573a\u666f\u5e76\u964d\u4f4e\u88ab\u53d1\u73b0\u7684\u98ce\u9669\u3002", "modified": "2025-03-29T13:00:48.397000", "created": "2025-02-28T03:35:41.599000", "tags": [ "squidoor", "backdoor", "apt", "espionage" ], "references": [ "https://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/" ], "public": 1, "adversary": "Squidoor", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [ "Government", "Education", "Defense", "Aerospace" ], "TLP": "white", "cloned_from": "67c066362e3ef75c6173eab4", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 22, "domain": 3, "hostname": 2 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "427 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c14eb2274e6f1a616cfb88", "name": "Squidoor: Suspected Chinese Threat Actor\u2019s Backdoor Targets Global Organizations", "description": "", "modified": "2025-03-29T13:00:48.397000", "created": "2025-02-28T05:50:42.508000", "tags": [ "squidoor", "backdoor", "apt", "espionage" ], "references": [ "https://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/" ], "public": 1, "adversary": "Squidoor", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [ "Government", "Education", "Defense", "Aerospace" ], "TLP": "white", "cloned_from": "67c066362e3ef75c6173eab4", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 22, "domain": 3, "hostname": 2 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "427 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c059a1bd914ff0f240ce76", "name": "Squidoor: Suspected Chinese Threat Actor\u2019s Backdoor Targets Global Organizations", "description": "A suspected Chinese threat actor has targeted governments, telecommunication and aviation sectors in Southeast Asia and South America, according to research carried out by Palo Alto Networks and the International Institute of Strategic Studies (IISS).", "modified": "2025-03-29T12:02:30.930000", "created": "2025-02-27T12:25:04.346000", "tags": [ "squidoor", "figure", "pastebin", "windows", "c2 server", "windows version", "southeast asia", "south america", "linux", "outlook api", "alliance", "icmp", "impacket", "code", "powershell", "february", "protect", "chinese" ], "references": [ "https://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Windows", "display_name": "Windows", "target": null }, { "id": "Squidoor", "display_name": "Squidoor", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Defense", "Telecommunication", "Education", "Aviation" ], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 22, "domain": 4, "hostname": 2 }, "indicator_count": 38, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "427 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c049bf63a59cb4293d9b1d", "name": "Squidoor: Suspected Chinese Threat Actor\u2019s Backdoor Targets Global Organizations", "description": "A suspected Chinese threat actor has targeted governments, telecommunication and aviation sectors in Southeast Asia and South America, according to research carried out by Palo Alto Networks and the International Institute of Strategic Studies (IISS).", "modified": "2025-03-29T11:00:07.077000", "created": "2025-02-27T11:17:19.641000", "tags": [ "squidoor", "figure", "pastebin", "windows", "c2 server", "windows version", "southeast asia", "south america", "linux", "outlook api", "alliance", "icmp", "impacket", "code", "powershell", "february", "protect", "chinese" ], "references": [ "https://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Windows", "display_name": "Windows", "target": null }, { "id": "Squidoor", "display_name": "Squidoor", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Defense", "Telecommunication", "Education", "Aviation" ], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Aaryanaggarwal", "id": "289580", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 22, "domain": 4, "hostname": 2 }, "indicator_count": 38, "is_author": false, "is_subscribing": null, "subscriber_count": 32, "modified_text": "428 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "", "https://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/", "https://threatfox.abuse.ch/export/csv/recent/" ], "related": { "alienvault": { "adversary": [ "Squidoor" ], "malware_families": [], "industries": [ "Government", "Defense", "Aerospace", "Education" ] }, "other": { "adversary": [ "Squidoor" ], "malware_families": [ "Windows", "Chinese", "Squidoor" ], "industries": [ "Aviation", "Telecommunication", "Defense", "Education", "Aerospace", "Government" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "67c066362e3ef75c6173eab4", "name": "Squidoor: Suspected Chinese Threat Actor\u2019s Backdoor Targets Global Organizations", "description": "Since at least March 2023, a suspected Chinese threat actor has been targeting government, defense, telecommunications, education, and aviation sectors in Southeast Asia and South America. The attackers employ a sophisticated backdoor known as Squidoor, which affects both Windows and Linux systems. Squidoor is modular and designed for stealth, utilizing multiple communication protocols\u2014including Outlook API, DNS tunneling, and ICMP tunneling\u2014to establish covert channels with command and control servers. Initial access is typically achieved by exploiting vulnerabilities in Internet Information Services (IIS) servers, followed by the deployment of obfuscated web shells for persistent access.", "modified": "2025-03-29T13:00:48.397000", "created": "2025-02-27T13:18:46.410000", "tags": [ "squidoor", "backdoor", "apt", "espionage" ], "references": [ "https://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/" ], "public": 1, "adversary": "Squidoor", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [ "Government", "Education", "Defense", "Aerospace" ], "TLP": "white", "cloned_from": null, "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 22, "domain": 3, "hostname": 2 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 386514, "modified_text": "427 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "672f6ed2b564f00b7c5cb13f", "name": "Threatfox Recent Additions", "description": "", "modified": "2025-06-13T19:00:02.811000", "created": "2024-11-09T14:16:50.032000", "tags": [], "references": [ "", "https://threatfox.abuse.ch/export/csv/recent/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 96, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ameermane", "id": "77501", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 47587, "URL": 18714, "FileHash-SHA256": 36311, "FileHash-MD5": 1630, "FileHash-SHA1": 418, "hostname": 18190 }, "indicator_count": 122850, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "351 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67d345231c2eccfcce4d97ce", "name": "Squidoor Backdoor Malware Exploits IIS Servers for Stealthy Attacks", "description": "A highly advanced backdoor malware, dubbed \"Squidoor,\" is being used by suspected Chinese threat actors to target organizations in South America and Southeast Asia. The malware is designed for stealth and persistence, enabling attackers to maintain access to compromised networks while evading detection.", "modified": "2025-04-12T20:04:25.096000", "created": "2025-03-13T20:50:43.530000", "tags": [ "squidoor", "figure", "pastebin", "windows", "c2 server", "windows version", "southeast asia", "south america", "linux", "outlook api", "alliance", "icmp", "impacket", "code", "powershell", "february", "protect", "chinese" ], "references": [ "https://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Windows", "display_name": "Windows", "target": null }, { "id": "Squidoor", "display_name": "Squidoor", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Defense", "Telecommunication", "Education", "Aviation" ], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Superpro", "id": "61676", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 22, "FileHash-SHA1": 22, "FileHash-SHA256": 22, "domain": 4, "hostname": 2 }, "indicator_count": 72, "is_author": false, "is_subscribing": null, "subscriber_count": 214, "modified_text": "413 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c12f0d27427e63858406d0", "name": "IOC&TTP - Squidoor: Suspected Chinese Threat Actor\u2019s Backdoor Targets Global Organizations", "description": "\u672c\u6587\u5206\u6790\u4e86\u4e00\u7ec4\u6076\u610f\u6d3b\u52a8\uff0c\u7f16\u53f7\u4e3a CL-STA-0049\u3002\u81ea 2023\u5e743\u6708 \u4ee5\u6765\uff0c\u8be5\u6d3b\u52a8\u7591\u4f3c\u7531\u4e2d\u56fd\u80cc\u666f\u7684\u5a01\u80c1\u884c\u4e3a\u8005\u53d1\u8d77\uff0c\u4e3b\u8981\u9488\u5bf9 \u4e1c\u5357\u4e9a\u548c\u5357\u7f8e\u5730\u533a \u7684\u653f\u5e9c\u3001\u56fd\u9632\u3001\u7535\u4fe1\u3001\u6559\u80b2\u548c\u822a\u7a7a\u9886\u57df\u7684\u7ec4\u7ec7\u3002\u653b\u51fb\u8005\u7684\u4e3b\u8981\u76ee\u6807\u5305\u62ec \u7a83\u53d6\u654f\u611f\u4fe1\u606f\uff0c\u7279\u522b\u662f\u6d89\u53ca\u9ad8\u5c42\u5b98\u5458\u53ca\u76f8\u5173\u4e2a\u4eba\u7684\u6570\u636e\u3002\n\n\u8c03\u67e5\u8fc7\u7a0b\u4e2d\uff0c\u7814\u7a76\u4eba\u5458\u63ed\u793a\u4e86\u8be5\u653b\u51fb\u8005\u7684 \u6218\u672f\u3001\u6280\u672f\u4e0e\u7a0b\u5e8f\uff08TTPs\uff09\uff0c\u5305\u62ec \u653b\u51fb\u6d41\u7a0b\u3001\u901a\u8fc7Web Shell\u8fdb\u884c\u521d\u59cb\u6e17\u900f \u53ca \u9690\u853d\u901a\u4fe1\u6e20\u9053\u3002\u5176\u4e2d\uff0c\u653b\u51fb\u8005\u5229\u7528\u4e86\u4e00\u79cd \u65b0\u578b\u590d\u6742\u7684\u540e\u95e8\u7a0b\u5e8f\u2014\u2014Squidoor\uff08\u53c8\u540dFinalDraft\uff09\uff0c\u9002\u7528\u4e8e Windows \u548c Linux \u5e73\u53f0\u3002\u672c\u7814\u7a76\u9996\u6b21\u63ed\u793a\u4e86 Squidoor \u7684 Windows \u53d8\u79cd\uff0c\u5e76\u6df1\u5165\u5206\u6790\u4e86\u5176 \u6307\u6325\u4e0e\u63a7\u5236\uff08C2\uff09\u901a\u4fe1\u673a\u5236\u3002\n\nSquidoor \u5177\u5907\u4ee5\u4e0b\u7279\u6027\uff1a\n\n\u91c7\u7528 \u6a21\u5757\u5316\u8bbe\u8ba1\uff0c\u652f\u6301\u591a\u79cd\u9690\u853d\u901a\u4fe1\u65b9\u5f0f\uff0c\u5305\u62ec\uff1a\nOutlook API\nDNS \u96a7\u9053\nICMP \u96a7\u9053\n\u5177\u5907 \u4fe1\u606f\u6536\u96c6\u3001\u8fdc\u7a0b\u547d\u4ee4\u6267\u884c\u3001\u8fdb\u7a0b\u6ce8\u5165 \u548c \u6a2a\u5411\u79fb\u52a8 \u7b49\u529f\u80fd\u3002\n\u901a\u8fc7 Microsoft Console Debugger (cdb.exe) \u8fdb\u884c \u4ee3\u7801\u6ce8\u5165\uff0c\u4ee5\u89c4\u907f\u68c0\u6d4b\u3002\n\u5229\u7528 Web Shell \u8fdb\u884c \u521d\u59cb\u8bbf\u95ee\uff0c\u5e76\u90e8\u7f72\u591a\u4e2a\u53d8\u79cd\uff0c\u5982\uff1a\nOutlookDC.aspx\nError.aspx\nTimeoutAPI.aspx\n\u901a\u8fc7 Pastebin \u5b58\u50a8\u548c\u7ba1\u7406\u6076\u610f\u7ec4\u4ef6\u53ca API \u8bbf\u95ee\u4ee4\u724c\u3002\n\u7814\u7a76\u8868\u660e\uff0c\u653b\u51fb\u8005 \u4e3b\u8981\u5229\u7528 IIS \u670d\u52a1\u5668\u6f0f\u6d1e \u8fdb\u884c\u5165\u4fb5\uff0c\u5e76\u4f7f\u7528\u591a\u79cd\u6280\u672f \u5728\u53d7\u5bb3\u7f51\u7edc\u5185\u90e8\u6269\u5c55\u63a7\u5236\u6743\uff0c\u4ee5\u589e\u5f3a \u6301\u4e45\u6027\u548c\u9690\u533f\u6027\u3002Squidoor \u5177\u5907 10\u79cdWindows C2\u901a\u4fe1\u65b9\u6cd5 \u548c 9\u79cdLinux C2\u901a\u4fe1\u65b9\u6cd5\uff0c\u80fd\u591f\u9002\u5e94\u4e0d\u540c\u653b\u51fb\u573a\u666f\u5e76\u964d\u4f4e\u88ab\u53d1\u73b0\u7684\u98ce\u9669\u3002", "modified": "2025-03-29T13:00:48.397000", "created": "2025-02-28T03:35:41.599000", "tags": [ "squidoor", "backdoor", "apt", "espionage" ], "references": [ "https://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/" ], "public": 1, "adversary": "Squidoor", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [ "Government", "Education", "Defense", "Aerospace" ], "TLP": "white", "cloned_from": "67c066362e3ef75c6173eab4", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 22, "domain": 3, "hostname": 2 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "427 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c14eb2274e6f1a616cfb88", "name": "Squidoor: Suspected Chinese Threat Actor\u2019s Backdoor Targets Global Organizations", "description": "", "modified": "2025-03-29T13:00:48.397000", "created": "2025-02-28T05:50:42.508000", "tags": [ "squidoor", "backdoor", "apt", "espionage" ], "references": [ "https://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/" ], "public": 1, "adversary": "Squidoor", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [ "Government", "Education", "Defense", "Aerospace" ], "TLP": "white", "cloned_from": "67c066362e3ef75c6173eab4", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 22, "domain": 3, "hostname": 2 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "427 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c059a1bd914ff0f240ce76", "name": "Squidoor: Suspected Chinese Threat Actor\u2019s Backdoor Targets Global Organizations", "description": "A suspected Chinese threat actor has targeted governments, telecommunication and aviation sectors in Southeast Asia and South America, according to research carried out by Palo Alto Networks and the International Institute of Strategic Studies (IISS).", "modified": "2025-03-29T12:02:30.930000", "created": "2025-02-27T12:25:04.346000", "tags": [ "squidoor", "figure", "pastebin", "windows", "c2 server", "windows version", "southeast asia", "south america", "linux", "outlook api", "alliance", "icmp", "impacket", "code", "powershell", "february", "protect", "chinese" ], "references": [ "https://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Windows", "display_name": "Windows", "target": null }, { "id": "Squidoor", "display_name": "Squidoor", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Defense", "Telecommunication", "Education", "Aviation" ], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 22, "domain": 4, "hostname": 2 }, "indicator_count": 38, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "427 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c049bf63a59cb4293d9b1d", "name": "Squidoor: Suspected Chinese Threat Actor\u2019s Backdoor Targets Global Organizations", "description": "A suspected Chinese threat actor has targeted governments, telecommunication and aviation sectors in Southeast Asia and South America, according to research carried out by Palo Alto Networks and the International Institute of Strategic Studies (IISS).", "modified": "2025-03-29T11:00:07.077000", "created": "2025-02-27T11:17:19.641000", "tags": [ "squidoor", "figure", "pastebin", "windows", "c2 server", "windows version", "southeast asia", "south america", "linux", "outlook api", "alliance", "icmp", "impacket", "code", "powershell", "february", "protect", "chinese" ], "references": [ "https://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Windows", "display_name": "Windows", "target": null }, { "id": "Squidoor", "display_name": "Squidoor", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Defense", "Telecommunication", "Education", "Aviation" ], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Aaryanaggarwal", "id": "289580", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 22, "domain": 4, "hostname": 2 }, "indicator_count": 38, "is_author": false, "is_subscribing": null, "subscriber_count": 32, "modified_text": "428 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "microsoft-beta.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "microsoft-beta.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780225355.5408092 }