ShroudedSnooper Backdoors Use Ultra-Stealth in Mideast Telecom Attacks

The threat cluster hasnt been seen before, but its custom Windows server backdoors have researchers intrigued thanks to their extremely effective stealth mechanisms.

A potentially novel threat actor recently compromised two
Middle East-based telecommunications organizations
, using two backdoors with previously unseen methods for stealthily loading malicious shellcode onto a target system.
In a report shared with Dark Reading, Cisco Talos named the intrusion set ShroudedSnooper, as it could not correlate the activity with any previously identified groups.
ShroudedSnooper employs two backdoors — HTTPSnoop and PipeSnoop — with extensive anti-detection mechanisms, including masquerading as popular software products and infecting low-level components of Windows servers. Once implanted, they execute shellcode to give cyberattackers a persistent foothold on the victims networks, with the ability to
move laterally, exfiltrate data, or drop additional malware
.
I have to say: these are extremely stealthy, says Vitor Ventura, lead security researcher with Cisco Talos. They will hide in plain sight. And its incredibly hard to distinguish their bad behavior from good. Its pretty clever.
Its unclear how ShroudedSnooper intrusions are achieved, though researchers guess that the attackers likely exploit vulnerable, Internet-facing servers before using HTTPSnoop — packaged either as a dynamic-link library or an executable file — to cement initial access.
Instead of taking the conventional route of
dropping a Web shell
on a targeted Windows server, HTTPSnoop takes a stealthier, more circuitous approach, using low-level
Windows APIs
to interface directly with the HTTP server in a targeted system.
Like a parasite, it uses kernel-level access to bind itself to specific HTTP(S) URL patterns, then listens for incoming requests. If the incoming HTTP request meets a specific pattern, it decodes the data in the request.
Basically what theyre doing is that they are abusing a feature. Thats how Windows Web servers work, Ventura says, before adding that I have not seen this kind of abuse being done to build implants before.
To add to the stealth, the URL patterns in question often conform to popular, traditional software products. For example, Ventura says, even if an analyst is looking at the URLs, it will seem like its
regular Outlook webmail.
They will have to pay attention, unless they know exactly what theyre looking for.
That data decoded from the HTTP requests will, naturally, be malicious shellcode, which then gets executed on the infected device.
In May, the ShroudedSnoop attackers developed an upgrade to HTTPSnoop, PipeSnoop. Like its brother, it aims to enable arbitrary shellcode to run on the target endpoint, but by reading from and writing to a preexisting pipe — a section of shared memory used for inter-process communication (IPC).
To further elude prying eyes, it should be noted, both Snoops come packaged in executable files mimicking
Palo Alto Networks Cortex XDR application
.
That the already stealth-laden HTTPSnoop is being further upgraded only serves to demonstrate just how difficult it would be for telecoms to identify and excise these backdoors.
Of course victims can search for it. They can check which URLs are registered within the Web server, and try to see which callbacks are being called, and which DLLs are associated with those callbacks. But then again, thats forensic work, which is not that easy to actually perform on live production systems, Ventura explains.
So Id say that prevention is a really, really key factor on this, he concludes. Rather than trying to defeat the backdoors themselves, because there is a certain level of privilege that is needed to do this, companies could use the tools that they have in place to detect the previous steps before the malware being implanted, because they require high privileges.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
ShroudedSnooper Backdoors Use Ultra-Stealth in Mideast Telecom Attacks