VirdetDoor

Malware

⚠️ Overview

VirdetDoor is a remote access trojan (RAT) first documented in July 2024 by the security firm Cyble. It is attributed to the threat group tracked as TA460 and functions as a modular backdoor used for initial access and for persistent control of compromised systems.

🔧 Technical Capabilities

VirdetDoor is delivered through phishing emails carrying malicious ISO or LNK files. The source also cites exploitation of CVE-2023-23397; note that this is a Microsoft Outlook vulnerability in which a crafted appointment or task reminder makes Outlook authenticate to an attacker-controlled UNC path and leak the user's Net-NTLMv2 hash, so it is a credential-theft step rather than a mechanism that drops or executes a payload on its own. Command and control runs over HTTP/HTTPS with encrypted JSON-formatted commands, and persistence is achieved through a scheduled task named 'VirdetUpdater' or a Windows Registry Run key. Evasion techniques include process hollowing, DLL side-loading, and API unhooking to blind endpoint detection and response (EDR) tools. The backdoor can enumerate Active Directory, download additional payloads (e.g., Cobalt Strike beacons), and capture keystrokes through a built-in keylogger module. The reported behaviour maps to MITRE ATT&CK techniques T1059.001 (PowerShell), T1547.001 (Registry Run Keys / Startup Folder), and T1574.002 (DLL Side-Loading).

📜 History & Notable Incidents

First spotted in June 2024 by Cyble's dark web monitoring and publicly documented the following month, VirdetDoor was deployed in a targeted campaign against manufacturing and logistics firms in Southeast Asia throughout July–August 2024. No high-profile victims have been publicly named, but Cyble's July 2024 report (which cites the CVE-2023-23397 exploitation) linked the malware to a group possibly operating out of South Asia. No law enforcement actions had been recorded as of March 2025.

🔍 Detection Indicators

Known SHA-256 hashes include e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (from Cyble's sample). Note that this value is the SHA-256 of an empty (zero-byte) input, so it cannot identify a malware sample; treat it as a transcription error and take the hash from Cyble's original advisory before using it for blocking or hunting. Behavioral signatures include outbound connections to IPs in the 103.127.0.0/16 range (hosting C2 domains such as virdet-update[.]com) and creation of a named mutex 'VirdetMutex', which is visible in process handle enumeration or memory forensics rather than in standard event logs. Blocking the whole /16 covers 65,536 addresses and will also affect legitimate hosts in that range, so prefer the specific IPs and domains from the advisory where possible. A Run value named 'VirdetLoader' under HKCU\Software\Microsoft\Windows\CurrentVersion\Run is a common indicator. Network IOCs include a User-Agent string mimicking a Chrome browser ('Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36') paired with a TLS client fingerprint (e.g. JA3/JA4) that does not match a real browser, because the malware's own TLS stack, not Chrome, produces the ClientHello.

☠️ Risk & Impact

VirdetDoor primarily facilitates exfiltration of intellectual property and credentials, which in turn leads to financial losses from follow-on ransomware attacks and business email compromise. Cyble noted that the manufacturing sector suffered supply chain disruption due to stolen design files and customer databases. The malware's ability to deploy Cobalt Strike can escalate a single-host compromise into lateral movement and eventual data encryption.

🛡️ Mitigation

Organizations should block execution of ISO/LNK attachments from untrusted senders, apply the patch for CVE-2023-23397 (and, as Microsoft advised for that flaw, block outbound SMB on TCP 445 at the perimeter and add high-value accounts to the Protected Users group so leaked NTLM hashes are of little use), and deploy EDR rules that detect creation of the 'VirdetUpdater' scheduled task or of a Run value named 'VirdetLoader'. Cyble's report recommends YARA rules for VirdetDoor's encoded payload strings and network detection for the C2 IP ranges listed in their advisory (Cyble, July 2024).
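The following script turns the indicators from the Detection Indicators and Mitigation sections into a hunt over host and network telemetry. It is an added example, not code from Cyble's report or from Boteraser: the indicator strings are copied from this page, while the event records are constructed for illustration and use Sysmon (EventID 1/3/13) and Windows Security (4698) field names. It also shows the check that exposes the listed SHA-256 as the hash of an empty input.

```python
"""Hunt for the VirdetDoor indicators quoted on this page in Sysmon/Security telemetry.

Added example (not Cyble's or Boteraser's code). Indicator strings are taken from the
page; the SAMPLE_EVENTS and SAMPLE_HANDLES below are constructed test data.
"""
import hashlib
import ipaddress
import re

# Indicators as quoted on the page.
IOC_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
IOC_TASK = "VirdetUpdater"
IOC_RUN_VALUE = "VirdetLoader"
IOC_MUTEX = "VirdetMutex"
IOC_DOMAIN = "virdet-update.com"
IOC_NET = ipaddress.ip_network("103.127.0.0/16")

# Sysmon writes user hives as HKU\<SID>\...; capture the value name after the Run key.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
# Named kernel objects such as mutexes live under \BaseNamedObjects
# (per-session variants appear as \Sessions\<n>\BaseNamedObjects).
MUTEX_RE = re.compile(r"\\BaseNamedObjects\\" + re.escape(IOC_MUTEX) + r"$", re.I)


def hash_is_empty_input(sha256_hex: str) -> bool:
    """True when the hash is SHA-256 of zero bytes: it identifies an empty file, not a sample."""
    return sha256_hex.lower() == hashlib.sha256(b"").hexdigest()


def match_event(ev: dict) -> list[str]:
    """Return the indicator labels that a single event record matches (empty if none)."""
    hits = []
    eid = ev.get("EventID")
    if eid == 13:  # Sysmon: registry value set
        m = RUN_KEY_RE.search(ev.get("TargetObject", ""))
        if m and m.group(1).lower() == IOC_RUN_VALUE.lower():
            hits.append("run_key:" + IOC_RUN_VALUE)
    elif eid == 4698:  # Security: a scheduled task was created (TaskName is "\Name")
        if ev.get("TaskName", "").lstrip("\\").lower() == IOC_TASK.lower():
            hits.append("sched_task:" + IOC_TASK)
    elif eid == 1:  # Sysmon: process creation, catch schtasks.exe registering the task
        cmd = ev.get("CommandLine", "").lower()
        if "schtasks" in cmd and IOC_TASK.lower() in cmd:
            hits.append("sched_task:" + IOC_TASK)
    elif eid == 3:  # Sysmon: network connection
        ip = ev.get("DestinationIp")
        if ip and ipaddress.ip_address(ip) in IOC_NET:
            hits.append("c2_range:" + str(IOC_NET))
        if ev.get("DestinationHostname", "").lower() == IOC_DOMAIN:
            hits.append("c2_domain:" + IOC_DOMAIN)
    return hits


def find_mutex(handle_paths: list[str]) -> list[str]:
    """Return object paths naming the page's mutex, e.g. from a handle listing or memory dump."""
    return [p for p in handle_paths if MUTEX_RE.search(p)]


def hunt(events: list[dict]) -> dict[str, list[int]]:
    """Map each matched indicator to the 1-based record numbers that triggered it."""
    found: dict[str, list[int]] = {}
    for n, ev in enumerate(events, start=1):
        for label in match_event(ev):
            found.setdefault(label, []).append(n)
    return found


# Constructed telemetry: records 1, 3, 4 and 5 are malicious; 2 and 6 are benign noise.
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\VirdetLoader",
     "Details": r"C:\Users\Public\update.exe"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"EventID": 4698, "TaskName": r"\VirdetUpdater"},
    {"EventID": 1, "CommandLine": 'schtasks /create /tn "VirdetUpdater" /tr C:\\Users\\Public\\update.exe /sc minute'},
    {"EventID": 3, "DestinationIp": "103.127.45.10", "DestinationHostname": "virdet-update.com", "DestinationPort": 443},
    {"EventID": 3, "DestinationIp": "198.51.100.7", "DestinationHostname": "example.com", "DestinationPort": 443},
]
SAMPLE_HANDLES = [r"\Sessions\1\BaseNamedObjects\VirdetMutex", r"\BaseNamedObjects\SM0:1234:304:WilStaging_02"]

if __name__ == "__main__":
    for label, rows in sorted(hunt(SAMPLE_EVENTS).items()):
        print(f"{label:<28} records {rows}")
    print("mutex handles:", find_mutex(SAMPLE_HANDLES))
    print("listed hash is SHA-256 of empty input:", hash_is_empty_input(IOC_SHA256))
```

The scheduled task is caught two ways on purpose: Security event 4698 is only present when task auditing is enabled, so the Sysmon process-creation record of `schtasks.exe` acts as a fallback. Matching on the Run value name rather than the hive prefix keeps the rule working for both HKCU and the HKU\<SID> form Sysmon emits. Feed real exported events (one dict per record) into `hunt()` in place of the constructed list.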


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.