216.73.216.197

Komari Red: The Monitoring Tool with a Built-in Reverse Shell

· Published 30/04/2026 02:12 · Modified 30/04/2026 07:47

Export JSON

Essential information

Published
30/04/2026 02:12
Modified
30/04/2026 07:47
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
credential-theft github-infrastructure impacket komari nssm-persistence rdp-enablement reverse-shell sslvpn-compromise
Tags
2026-04-30 credential-theft github-infrastructure impacket komari nssm-persistence rdp-enablement reverse shell sslvpn-compromise
Related entities
2 indicators, 2 observables, 19 techniques (mitre), 1 malware

Description

On April 16, 2026, a threat actor leveraged stolen VPN credentials to access a Windows workstation and deployed a SYSTEM-level backdoor using the agent, an open-source monitoring tool with built-in command-and-control capabilities. The attacker authenticated through an SSLVPN session from IP 45.153.34[.]132 and used smbexec.py to enable RDP on the target system. The agent was installed as a persistent Windows service named 'Windows Update Service' using NSSM, pulling the installer directly from the official GitHub repository. provides bidirectional control through WebSocket connections, offering arbitrary command execution, interactive access, and network probing capabilities by default. Microsoft Defender quarantined an earlier registry dump attempt, forcing the adversary to pivot to this GitHub-based approach. This represents the first publicly documented case of being abused in a real-world intrusion.

External references