ShadowRelay: New Modular Backdoor in the Public Sector
Essential information
- Published: 23/01/2026 10:10
- Modified: 23/01/2026 11:03
- Tags: 2026-01-23 CVE-2021-31207 CVE-2021-34473 CVE-2021-34523 apt backdoor donnect espionage exchange government modular mythic agent packet injection shadowpad shadowpad light shadowrelay
- Related entities: 3 vulnerabilities (cve), 5 observables, 1 intrusion set (apt), 11 techniques (mitre), 6 malware, 1 other
Description
A new modular backdoor called ShadowRelay was discovered on a compromised Exchange server belonging to a government organization. The backdoor can load a range of plugins, and its design is sophisticated enough to indicate well-prepared attackers. It uses packet injection to hide its network activity and can operate covertly inside protected network segments by relaying its communications through other infected machines. It can also inject itself into other processes and relies on plugins to load additional functionality, which helps it evade detection. These capabilities suggest that the attackers aim for long-term covert presence and espionage, which is typical of state-sponsored APT groups. The backdoor was found alongside tools from other known threat actors, complicating attribution.