
Analysis of an incident involving a web shell used as a backdoor

Published 28/02/2025 14:30 · Modified 03/03/2025 16:00


Essential information

Published
28/02/2025 14:30
Modified
03/03/2025 16:00
Tags
2025-02-28 badpotato behinder godpotato memory-based threats potato tools privilege-escalation southeast asia sweetpotato web shell
Related entities
12 techniques (mitre), 4 malware, 1 others

Description

A SOC investigation uncovered an attack on a government SharePoint server in . The attackers used certutil to download an ASPX payload disguised as a 404 page, then employed for privilege escalation. Analysis revealed the to be , a modular backdoor with encrypted communication capabilities. The incident highlights the importance of memory-based threat detection and continuous learning for SOC teams. A YARA rule was developed to identify similar payloads, and indicators of compromise were provided.

External references