Islamic Nonprofit Infiltrated for 3 Years With Silent Backdoor

Published: 23/11/2024   Category: security




A Saudi Arabian charity was kept under surveillance using modified reverse-proxy tools, researchers discovered.



Security researchers recently uncovered a stealthy espionage campaign targeting an Islamic charitable nonprofit organization in Saudi Arabia.
The long-term campaign — apparently active since March 2021 — relies on a previously unreported custom backdoor, dubbed Zardoor, researchers at Cisco Talos reported. The malware exfiltrates data from the victim organization — which Cisco did not identify — approximately twice a month.
The deployment of modified reverse-proxy tools and the ability to evade detection for more than two years mean that the operation is likely the work of an advanced attacker, the researchers say.
Security researchers have yet to identify any other victims of the Zardoor malware besides the Saudi Arabia-based charity.
Zardoor's use of reverse proxy tools matches the tactics of several Chinese advanced persistent threat (APT) groups, according to Cisco Talos, but the choice of target does not align with the known objectives of Chinese espionage groups.
The use of reverse proxy tools by APT groups is relatively common overall, says Chris Morgan, senior cyber threat intelligence analyst at ReliaQuest Threat Research.
Russia's APT29, the Chinese state-backed Volt Typhoon group, North Korea's Lazarus group, and various Iranian state-sponsored groups, including Phosphorus, are among the nation-state groups that employ reverse proxy tools.
Reverse proxies are normally used as load balancers in complex system and application architectures. Malicious actors, however, abuse the technology to reach otherwise unreachable systems on compromised networks, such as RDP servers, domain controllers, and file or database servers.
Reverse proxies function by allowing covert communications channels to be established between internal systems on a compromised network and external servers controlled by an adversarial group, says Christoph Cemper, founder and CEO of AIPRM.
At a technical level, this is accomplished by the adversary deploying both a reverse proxy client component within the target environment and a corresponding server interface that they control remotely, he adds. Network traffic is then redirected through this multipart bidirectional tunnel in a manner that obscures the ultimate source and destination.
Cemper explains that adversaries frequently take steps to disguise these proxy-facilitated connections as normal Web or Internet activity, such as routing communications over ports associated with common protocols like HTTPS and embedding the redirects within legitimate domain names or IP addresses.
The incorporation of widely supported standards like TLS encryption also shields the content and parameters of transmitted data from routine inspection or detection, he says.
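To make the mechanism Cemper describes concrete, here is an added example (not code from the original article, from Cisco Talos, or from any of the tools named in it): a toy reverse tunnel in Python with all three parties on loopback. The "internal service" stands in for an RDP, file or database server that is never reachable from outside, the "implant" is the client component planted inside the victim network, and the "rendezvous server" is the attacker-controlled counterpart. Everything runs in the clear on ephemeral localhost ports; real tooling such as FRP wraps the same outbound connection in TLS on a port like 443, which is what makes it blend in.

```python
import socket
import threading

HOST = "127.0.0.1"  # all three parties on loopback; a real implant dials out to attacker infrastructure


def pipe(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes from src to dst until src hits EOF, then half-close dst so the EOF propagates."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def listener() -> socket.socket:
    """Bind a TCP listener on an ephemeral loopback port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((HOST, 0))
    s.listen(5)
    return s


def internal_service(ls: socket.socket) -> None:
    """Stand-in for the internal system the attacker cannot reach directly (RDP, a DC, a
    database). It only ever talks to the implant; it echoes in upper case so the round trip is visible."""
    conn, _ = ls.accept()
    with conn:
        request = conn.recv(4096)
        conn.sendall(request.upper())


def rendezvous_server(ctrl_ls: socket.socket, op_ls: socket.socket) -> None:
    """Attacker-side server component. It never connects *into* the victim network: it waits for
    the implant's outbound connection, then splices the operator's session onto that connection."""
    implant_conn, _ = ctrl_ls.accept()
    operator_conn, _ = op_ls.accept()
    threading.Thread(target=pipe, args=(operator_conn, implant_conn), daemon=True).start()
    pipe(implant_conn, operator_conn)


def implant(ctrl_port: int, svc_port: int) -> None:
    """Reverse-proxy client inside the victim network. The perimeter only sees one outbound TCP
    connection (TLS on 443 in real tooling); the bridge to the internal service happens on the inside."""
    outbound = socket.create_connection((HOST, ctrl_port))
    local = socket.create_connection((HOST, svc_port))
    threading.Thread(target=pipe, args=(outbound, local), daemon=True).start()
    pipe(local, outbound)


def run_demo(payload: bytes = b"hello from the operator") -> bytes:
    """Wire the three parties together, act as the remote operator, and return what came back."""
    svc_ls, ctrl_ls, op_ls = listener(), listener(), listener()
    svc_port, ctrl_port, op_port = (s.getsockname()[1] for s in (svc_ls, ctrl_ls, op_ls))
    threading.Thread(target=internal_service, args=(svc_ls,), daemon=True).start()
    threading.Thread(target=rendezvous_server, args=(ctrl_ls, op_ls), daemon=True).start()
    threading.Thread(target=implant, args=(ctrl_port, svc_port), daemon=True).start()

    operator = socket.create_connection((HOST, op_port))
    operator.settimeout(5)  # fail loudly instead of hanging if the tunnel breaks
    operator.sendall(payload)
    chunks = []
    while True:
        data = operator.recv(4096)
        if not data:
            break
        chunks.append(data)
    operator.close()
    for s in (svc_ls, ctrl_ls, op_ls):
        s.close()
    return b"".join(chunks)


if __name__ == "__main__":
    print(run_demo())
```

The point to take from it is directional: nothing ever connects inward, so inbound firewall rules do not see this traffic at all. What does see it is egress filtering, TLS inspection where it is feasible, and baselining of long-lived or periodic outbound sessions from servers that have no business talking to the Internet.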
According to Cisco Talos' technical blog post, the Zardoor campaign began with an as-yet-unknown initial attack vector.
The attackers subsequently set up a command-and-control (C2) mechanism using open source reverse proxy tools: Fast Reverse Proxy (FRP), a customized version of a Linux SOCKS server, and Venom, a penetration-testing tool for running security audits.
Once a foothold in the victim's network was established, the attackers used Windows Management Instrumentation (WMI) for lateral movement and to plant the Zardoor malware.
Zardoor establishes a persistent backdoor that communicates with the attackers' C2 setup, allowing them to issue commands, such as deploying updated malware packages or exfiltrating data. The malware collects data and uploads it in encrypted form to the attackers' C2 infrastructure.
Zar32.dll, a malicious library, is one of the main components of Zardoor. It is an HTTP/SSL remote access tool (RAT) designed to piggyback on legitimate network applications, and it operates through a SOCKS or HTTPS proxy. The malware abuses IP addresses used by Cloudflare's DNS service.
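The WMI step in the chain above is one of the few that leaves a predictable trace: a process created remotely through WMI (Win32_Process.Create) runs on the target host as a child of WmiPrvSE.exe. The following added example (not code from the Talos report or from this article) runs that check over a handful of constructed Sysmon Event ID 1-style process-creation records. The hostnames, command lines and the allowlisted "agent.exe" are invented for illustration; the allowlist is where a team tunes out its own inventory or management agents that legitimately execute via WMI.

```python
from pathlib import PureWindowsPath

# Constructed, Sysmon Event ID 1-style records (not real telemetry from the Zardoor intrusion).
# Only the fields the detection needs are modelled.
SAMPLE_EVENTS = [
    {"host": "ws01", "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"host": "srv02", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": 'cmd.exe /c "ipconfig /all"'},
    {"host": "ws01", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",          # interactive shell: benign
     "CommandLine": "cmd.exe"},
    {"host": "srv02", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": 'powershell.exe -NoProfile -WindowStyle Hidden -Command "Get-Process"'},
    {"host": "srv02", "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",  # the WMI host itself starting: benign
     "CommandLine": r"C:\Windows\system32\wbem\wmiprvse.exe"},
    {"host": "srv03", "Image": r"C:\Program Files\Acme\agent.exe",   # hypothetical allowlisted agent
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "agent.exe --inventory"},
]

WMI_HOST = "wmiprvse.exe"
# Binaries an attacker typically launches through Win32_Process.Create; tune for your environment.
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe",
           "mshta.exe", "wscript.exe", "cscript.exe", "certutil.exe", "bitsadmin.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path; works on any OS."""
    return PureWindowsPath(path).name.lower()


def detect_wmi_exec(events, allowlist=frozenset()):
    """Flag every process whose parent is the WMI provider host, unless its image is allowlisted.
    A LOLBin child is rated high; any other non-allowlisted child is still worth a look."""
    findings = []
    for ev in events:
        parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
        if parent != WMI_HOST or child in allowlist:
            continue
        findings.append({
            "host": ev["host"],
            "child": child,
            "severity": "high" if child in LOLBINS else "medium",
            "cmdline": ev["CommandLine"],
        })
    return findings


def hosts_touched(findings):
    """Distinct hosts with WMI-spawned processes: more than one is the lateral-movement signal."""
    return sorted({f["host"] for f in findings})


if __name__ == "__main__":
    for f in detect_wmi_exec(SAMPLE_EVENTS, allowlist=frozenset({"agent.exe"})):
        print(f"{f['host']}: [{f['severity']}] {f['child']} <- WmiPrvSE.exe :: {f['cmdline']}")
```

Pair the alert with the logon context where you have it: a child of WmiPrvSE.exe following a network logon from another workstation is far more telling than the same child on a box where an administrator is working locally.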
Cisco has added detection for the Zardoor malware to its enterprise security tools and published indicators of compromise (IoCs), moves that will likely spur the rest of the vendor community to add similar detection and response capabilities.
Even enterprises using security products other than Cisco's have options to improve their resilience, says AIPRM's Cemper. Specifically, security teams should follow standard protocols for addressing new malware threats identified in the wild: review the indicators of compromise published by threat researchers and check systems and network activity logs for any traces suggesting infection.
In addition, he advises, ensure that anti-malware and intrusion detection products are armed with updated signatures for the malware.
Cisco Talos recommends employing a defense-in-depth security posture to defend against similar threats. "Unfortunately, as we all know too well, there is no 100% effective protection against persistent and advanced adversaries, and users need to be able to detect the attack if it successfully evades the protection layers," a Cisco spokesperson said.
