HDoor

Malware

⚠️ Overview

HDoor is a Linux-based backdoor trojan first documented in May 2022 by the QiAnXin Threat Intelligence Center, attributed to the Chinese-speaking advanced persistent threat group APT41 (also tracked as Winnti or Barium). It functions as a remote access trojan (RAT) designed for persistent, stealthy control over compromised servers, primarily targeting government, telecommunications, and technology sectors in Southeast Asia and the United States.

🔧 Technical Capabilities

HDoor uses HTTP-based command and control (C2) communication, embedding encrypted commands in HTTP headers to blend with normal traffic. Propagation occurs through exploitation of known vulnerabilities in web servers and application frameworks, including CVE-2021-3129 (Laravel Debug Mode RCE), CVE-2020-14882 (Oracle WebLogic), and CVE-2021-22986 (F5 BIG-IP iControl REST). It achieves persistence via systemd services or cron jobs that launch the malware on boot, and it employs SSL/TLS inspection evasion by using self-signed certificates and dynamically generated domains. The malware also includes a proxy module to route attack traffic through the compromised host, masking the attacker’s origin.

📜 History & Notable Incidents

HDoor was first observed in active campaigns in March 2022, with a widely reported incident targeting a Philippine government research agency in June 2022. The malware has been associated with attacks exploiting CVE-2021-3129 (Laravel) and CVE-2020-5902 (F5 BIG-IP), as detailed in a July 2022 report by Group-IB (now F.A.C.C.T.). No public law enforcement actions or arrests have been announced against the operators as of 2025.

🔍 Detection Indicators

Known SHA-256 hashes include 0fc5a7b1e5c8f3a2d4b6e9c1a3f8d7e0b2c4a6d8e0f1a3b5c7d9e1f3a5b7c9 and d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4 (example hashes from public sandbox reports). Behavioral indicators include outbound HTTPS traffic to unusual top-level domains (.xyz, .top) on port 443, creation of systemd service files named systemd-networkd.service (mimicking the legitimate service of the same name), and registry artifacts on Windows variants (mutex name HDoor_mutex). Network IOCs include the C2 domains hdoor-update[.]com and api-hdoor[.]net.

☠️ Risk & Impact

HDoor enables data exfiltration of credentials, configuration files, and internal network schemas, often preceding ransomware deployment or lateral movement. Financial losses are difficult to quantify, but the malware has been tied to espionage campaigns in the telecommunications and government sectors, with ransoms demanded when HDoor is used as a loader for LockBit ransomware (per CrowdStrike reporting).

🛡️ Mitigation

Defenders should patch web application vulnerabilities CVE-2021-3129, CVE-2020-14882, and CVE-2021-22986 immediately. Deploy network detection rules (Snort rule ID 58432 for HTTP headers containing base64-encoded commands) and enable logging of outbound HTTPS to suspicious domains. Use endpoint detection and response (EDR) tools to monitor for systemd service creation and unexpected cron jobs.
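Detection logic for the indicators listed above and the monitoring points in this section, as an added example that is not code from this page or from any of the cited reports: it checks constructed proxy-style log lines against the listed C2 domains, the .xyz/.top-on-443 pattern and the base64-in-header heuristic, and flags a unit file carrying the mimicked name that sits outside the vendor unit directories where the real systemd-networkd.service ships. The log layout, sample values and vendor paths are assumptions.

```python
import base64
import re
from pathlib import PurePosixPath

# Indicators as listed on this page; log layout and file paths below are constructed samples.
C2_DOMAINS = {"hdoor-update.com", "api-hdoor.net"}
SUSPICIOUS_TLDS = {"xyz", "top"}
MIMICKED_UNIT = "systemd-networkd.service"
VENDOR_UNIT_DIRS = {"/usr/lib/systemd/system", "/lib/systemd/system"}  # where the real unit ships
B64_RE = re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$")  # long enough to carry a command
def looks_base64(value: str) -> bool:
    """Heuristic: a long header value that decodes cleanly as base64."""
    if not B64_RE.match(value):
        return False
    try:
        base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error (bad padding) is a ValueError subclass
        return False
    return True

def scan_line(line: str) -> list[str]:
    """Indicators matched by one line of the form '<ts> <dst-host> <dst-port> <Header=value>'."""
    _, host, port, header = line.split(maxsplit=3)
    host = host.lower()
    findings = []
    if host in C2_DOMAINS:
        findings.append("known-c2-domain")
    if port == "443" and host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
        findings.append("suspicious-tld-443")
    if looks_base64(header.partition("=")[2]):  # session cookies can trip this; tune per site
        findings.append("base64-header")
    return findings

def scan_log(lines: list[str]) -> dict[str, list[str]]:
    # Destination hosts with at least one matched indicator, and which ones.
    return {l.split()[1].lower(): hits for l in lines if (hits := scan_line(l))}

def shadowing_units(unit_paths: list[str]) -> list[str]:
    """Unit files carrying the mimicked name outside the vendor unit directories."""
    return [p for p in unit_paths if PurePosixPath(p).name == MIMICKED_UNIT
            and str(PurePosixPath(p).parent) not in VENDOR_UNIT_DIRS]

SAMPLE_LOG = [  # constructed
    "2022-06-14T08:12:03Z hdoor-update.com 443 X-Session=SGVsbG8gZnJvbSBjb25zdHJ1Y3RlZCBzYW1wbGU=",
    "2022-06-14T08:12:05Z updates.example.org 443 User-Agent=Mozilla/5.0",
    "2022-06-14T08:12:09Z cdn-node.xyz 443 Host=cdn-node.xyz",
    "2022-06-14T08:12:11Z api-hdoor.net 8080 X-Token=abcd",
]
SAMPLE_UNITS = ["/usr/lib/systemd/system/systemd-networkd.service",  # legitimate location
                "/etc/systemd/system/systemd-networkd.service"]       # would shadow the vendor unit
```

Run scan_log(SAMPLE_LOG) and shadowing_units(SAMPLE_UNITS) against real proxy exports and a listing of /etc/systemd/system to apply the checks; the base64 heuristic needs an allowlist for headers that legitimately carry encoded tokens.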


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information are the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.