{"id":47349,"date":"2022-07-01T14:34:54","date_gmt":"2022-07-01T14:34:54","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/33596\/Microsoft-Exchange-Servers-Worldwide-Hit-By-Stealthy-New-Backdoor.html"},"modified":"2022-07-01T14:34:54","modified_gmt":"2022-07-01T14:34:54","slug":"microsoft-exchange-servers-worldwide-hit-by-stealthy-new-backdoor","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/microsoft-exchange-servers-worldwide-hit-by-stealthy-new-backdoor\/","title":{"rendered":"Microsoft Exchange Servers Worldwide Hit By Stealthy New Backdoor"},"content":{"rendered":"<figure class=\"intro-image intro-left\"> <img decoding=\"async\" src=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2022\/05\/cloud-computing-800x534.jpeg\" alt=\"Microsoft Exchange servers worldwide hit by stealthy new backdoor\"><figcaption class=\"caption\">\n<div class=\"caption-credit\">Getty Images<\/div>\n<\/figcaption><\/figure>\n<p>Researchers have identified stealthy new malware that threat actors have been using for the past 15 months to backdoor Microsoft Exchange servers after they have been hacked.<\/p>\n<p>Dubbed SessionManager, the malicious software poses as a legitimate module for Internet Information Services (IIS), the 
web server installed by default on Exchange servers. Organizations often deploy IIS modules to streamline specific processes on their web infrastructure. Researchers from security firm Kaspersky have identified 34 servers belonging to 24 organizations that have been infected with SessionManager since March 2021. As of earlier this month, <a href=\"https:\/\/securelist.com\/the-sessionmanager-iis-backdoor\/106868\/\">Kaspersky said<\/a>, 20 organizations remained infected.<\/p>\n<h2>Stealth, persistence, power<\/h2>\n<p>Malicious IIS modules offer an ideal means to deploy powerful, persistent, and stealthy backdoors. Once installed, they will respond to specifically crafted HTTP requests sent by the operator instructing the server to collect emails, add further malicious access, or use the compromised servers for clandestine purposes. To the untrained eye, the HTTP requests look unremarkable, even though they give the operator complete control over the machine.<\/p>\n<p>\u201cSuch malicious modules usually expect seemingly legitimate but specifically crafted HTTP requests from their operators, trigger actions based on the operators\u2019 hidden instructions if any, then transparently pass the request to the server for it to be processed just like any other request,\u201d Kaspersky researcher Pierre Delcher wrote. 
\u201cAs a result, such modules are not easily spotted by usual monitoring practices: they do not necessarily initiate suspicious communications to external servers, receive commands through HTTP requests to a server that is specifically exposed to such processes, and their files are often placed in overlooked locations that contain a lot of other legitimate files.\u201d<\/p>\n<figure class=\"image shortcode-img center large\"><a href=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2022\/06\/sessionmanager-request-process.png\" class=\"enlarge\" data-height=\"576\" data-width=\"1024\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2022\/06\/sessionmanager-request-process-640x360.png\" width=\"640\" height=\"360\" srcset=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2022\/06\/sessionmanager-request-process.png 2x\"><\/a><figcaption class=\"caption\"><\/figcaption><\/figure>\n<p>Once SessionManager is deployed, operators use it to profile the infected environment further, gather passwords stored in memory, and install additional tools, including a <a href=\"https:\/\/github.com\/PowerShellMafia\/PowerSploit\/blob\/master\/CodeExecution\/Invoke-ReflectivePEInjection.ps1\">PowerSploit-based reflective loader<\/a>, <a href=\"https:\/\/github.com\/jas502n\/mimikat_ssp\">Mimikat SSP<\/a>, <a href=\"https:\/\/docs.microsoft.com\/en-us\/sysinternals\/downloads\/procdump\">ProcDump<\/a>, and a legitimate Avast memory dump tool. Kaspersky obtained multiple SessionManager variants that date back to at least March 2021. The samples show a steady evolution that has added more features with each new version. 
The most recent version of the malicious module includes the following:<\/p>\n<blockquote>\n<table width=\"100%\">\n<tbody>\n<tr>\n<td width=\"20%\"><strong>Command name<\/strong><br \/><strong>(SM_SESSION cookie value)<\/strong><\/td>\n<td width=\"40%\"><strong>Command parameters<br \/>(additional cookies)<\/strong><\/td>\n<td width=\"40%\"><strong>Associated capability<\/strong><\/td>\n<\/tr>\n<tr>\n<td>GETFILE<\/td>\n<td>\n<p>FILEPATH: path of file to be read.<\/p>\n<p>FILEPOS1: offset at which to start reading, from file start.<\/p>\n<p>FILEPOS2: maximum number of bytes to read.<\/p>\n<\/td>\n<td>Read the content of a file on the compromised server and send it to the operator as an HTTP binary file named cool.rar.<\/td>\n<\/tr>\n<tr>\n<td>PUTFILE<\/td>\n<td>\n<p>FILEPATH: path of file to be written.<\/p>\n<p>FILEPOS1: offset at which to start writing.<\/p>\n<p>FILEPOS2: offset reference.<\/p>\n<p>FILEMODE: requested file access type.<\/p>\n<\/td>\n<td>Write arbitrary content to a file on the compromised server. The data to be written in the specified file is passed within the HTTP request body.<\/td>\n<\/tr>\n<tr>\n<td>DELETEFILE<\/td>\n<td>FILEPATH: path of file to be deleted.<\/td>\n<td>Delete a file on the compromised server.<\/td>\n<\/tr>\n<tr>\n<td>FILESIZE<\/td>\n<td>FILEPATH: path of file to be measured.<\/td>\n<td>Get the size (in bytes) of the specified file.<\/td>\n<\/tr>\n<tr>\n<td>CMD<\/td>\n<td>None.<\/td>\n<td>Run an arbitrary process on the compromised server. The process to run and its arguments are specified in the HTTP request body using the format: &lt;executable path&gt;\\t&lt;arguments&gt;. The standard output and error data from process execution are sent back as plain text to the operator in the HTTP response body.<\/td>\n<\/tr>\n<tr>\n<td>PING<\/td>\n<td>None.<\/td>\n<td>Check for SessionManager deployment. The \u201cWokring OK\u201d (<em>sic<\/em>.) 
message will be sent to the operator in the HTTP response body.<\/td>\n<\/tr>\n<tr>\n<td>S5CONNECT<\/td>\n<td>\n<p>S5HOST: hostname to connect to (exclusive with S5IP).<\/p>\n<p>S5PORT: offset at which to start writing.<\/p>\n<p>S5IP: IP address to connect to if no hostname is given (exclusive with S5HOST).<\/p>\n<p>S5TIMEOUT: maximum delay in seconds to allow for connection.<\/p>\n<\/td>\n<td>Connect from compromised host to a specified network endpoint, using a created TCP socket. The integer identifier of the created and connected socket will be returned as the value of the S5ID cookie variable in the HTTP response, and the status of the connection will be reported in the HTTP response body.<\/td>\n<\/tr>\n<tr>\n<td>S5WRITE<\/td>\n<td>S5ID: identifier of the socket to write to, as returned by S5CONNECT.<\/td>\n<td>Write data to the specified connected socket. The data to be written in the specified socket is passed within the HTTP request body.<\/td>\n<\/tr>\n<tr>\n<td>S5READ<\/td>\n<td>S5ID: identifier of the socket to read from, as returned by S5CONNECT.<\/td>\n<td>Read data from the specified connected socket. The read data is sent back within the HTTP response body.<\/td>\n<\/tr>\n<tr>\n<td>S5CLOSE<\/td>\n<td>S5ID: identifier of the socket to close, as returned by S5CONNECT.<\/td>\n<td>Terminate an existing socket connection. The status of the operation is returned as a message within the HTTP response body.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/blockquote>\n<h2>Remember ProxyLogon?<\/h2>\n<p>SessionManager gets installed after threat actors have exploited vulnerabilities known as <a href=\"https:\/\/arstechnica.com\/gadgets\/2021\/03\/security-unicorn-exchange-server-0-days-were-exploited-by-6-apts\/\">ProxyLogon<\/a> within Microsoft Exchange servers. 
Kaspersky has found it infecting NGOs, governments, militaries, and industrial organizations in Africa, South America, Asia, and Europe.<\/p>\n<figure class=\"image shortcode-img center large\"><a href=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2022\/06\/sessionmanager-map.png\" class=\"enlarge\" data-height=\"1200\" data-width=\"1406\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2022\/06\/sessionmanager-map-640x546.png\" width=\"640\" height=\"546\" srcset=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2022\/06\/sessionmanager-map-1280x1092.png 2x\"><\/a><figcaption class=\"caption\"><\/figcaption><\/figure>\n<p>Kaspersky said it has medium-to-high confidence that a previously identified threat actor that researchers call Gelsemium has been deploying SessionManager. Security firm ESET published a <a href=\"https:\/\/www.welivesecurity.com\/wp-content\/uploads\/2021\/06\/eset_gelsemium.pdf\">deep dive on the group<\/a> (PDF) last year. Kaspersky\u2019s attribution is based on the overlap of code used by the two groups and victims targeted.<\/p>\n<p>Disinfecting servers that have been hit by SessionManager or similar malicious IIS modules is a complicated process. 
Kaspersky\u2019s post contains indicators that organizations can use to determine if they\u2019ve been infected and steps they should take in the event they\u2019ve been infected.<\/p>\n<p> READ MORE <a href=\"https:\/\/packetstormsecurity.com\/news\/view\/33596\/Microsoft-Exchange-Servers-Worldwide-Hit-By-Stealthy-New-Backdoor.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":47350,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[277],"tags":[10082],"class_list":["post-47349","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity-blogs","tag-headlinehackerprivacymicrosoftemaildata-lossbackdoor"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Microsoft Exchange Servers Worldwide Hit By Stealthy New Backdoor 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/microsoft-exchange-servers-worldwide-hit-by-stealthy-new-backdoor\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Microsoft Exchange Servers Worldwide Hit By Stealthy New Backdoor 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/microsoft-exchange-servers-worldwide-hit-by-stealthy-new-backdoor\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2022-07-01T14:34:54+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2022\/05\/cloud-computing-800x534.jpeg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/microsoft-exchange-servers-worldwide-hit-by-stealthy-new-backdoor\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/microsoft-exchange-servers-worldwide-hit-by-stealthy-new-backdoor\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Microsoft Exchange Servers Worldwide Hit By Stealthy New 
Backdoor\",\"datePublished\":\"2022-07-01T14:34:54+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/microsoft-exchange-servers-worldwide-hit-by-stealthy-new-backdoor\\\/\"},\"wordCount\":923,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/microsoft-exchange-servers-worldwide-hit-by-stealthy-new-backdoor\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/07\\\/microsoft-exchange-servers-worldwide-hit-by-stealthy-new-backdoor.jpg\",\"keywords\":[\"headline,hacker,privacy,microsoft,email,data loss,backdoor\"],\"articleSection\":[\"CyberSecurity Blogs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/microsoft-exchange-servers-worldwide-hit-by-stealthy-new-backdoor\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/microsoft-exchange-servers-worldwide-hit-by-stealthy-new-backdoor\\\/\",\"name\":\"Microsoft Exchange Servers Worldwide Hit By Stealthy New Backdoor 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/microsoft-exchange-servers-worldwide-hit-by-stealthy-new-backdoor\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/microsoft-exchange-servers-worldwide-hit-by-stealthy-new-backdoor\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/07\\\/microsoft-exchange-servers-worldwide-hit-by-stealthy-new-backdoor.jpg\",\"datePublished\":\"2022-07-01T14:34:54+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/microsoft-exchange-servers-worldwide-hit-by-stealthy-new-backdoor\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/microsoft-exchange-servers-worldwide-hit-by-stealthy-new-backdoor\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/microsoft-exchange-servers-worldwide-hit-by-stealthy-new-backdoor\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/07\\\/microsoft-exchange-servers-worldwide-hit-by-stealthy-new-backdoor.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/07\\\/microsoft-exchange-servers-worldwide-hit-by-stealthy-new-backdoor.jpg\",\"width\":800,\"height\":534},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/microsoft-exchange-servers-worldwide-hit-by-stealthy-new-backdoor\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"headline,hacker,privacy,microsoft,email,data loss,backdoor\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/headlinehackerprivacymicrosoftemaildata-lossbackdoor\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Microsoft Exchange Servers Worldwide Hit By Stealthy New Backdoor\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat 
Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH 
Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Microsoft Exchange Servers Worldwide Hit By Stealthy New Backdoor 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/microsoft-exchange-servers-worldwide-hit-by-stealthy-new-backdoor\/","og_locale":"en_US","og_type":"article","og_title":"Microsoft Exchange Servers Worldwide Hit By Stealthy New Backdoor 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/microsoft-exchange-servers-worldwide-hit-by-stealthy-new-backdoor\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2022-07-01T14:34:54+00:00","og_image":[{"url":"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2022\/05\/cloud-computing-800x534.jpeg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/microsoft-exchange-servers-worldwide-hit-by-stealthy-new-backdoor\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/microsoft-exchange-servers-worldwide-hit-by-stealthy-new-backdoor\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Microsoft Exchange Servers Worldwide Hit By Stealthy New Backdoor","datePublished":"2022-07-01T14:34:54+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/microsoft-exchange-servers-worldwide-hit-by-stealthy-new-backdoor\/"},"wordCount":923,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/microsoft-exchange-servers-worldwide-hit-by-stealthy-new-backdoor\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/07\/microsoft-exchange-servers-worldwide-hit-by-stealthy-new-backdoor.jpg","keywords":["headline,hacker,privacy,microsoft,email,data loss,backdoor"],"articleSection":["CyberSecurity 
Blogs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/microsoft-exchange-servers-worldwide-hit-by-stealthy-new-backdoor\/","url":"https:\/\/www.threatshub.org\/blog\/microsoft-exchange-servers-worldwide-hit-by-stealthy-new-backdoor\/","name":"Microsoft Exchange Servers Worldwide Hit By Stealthy New Backdoor 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/microsoft-exchange-servers-worldwide-hit-by-stealthy-new-backdoor\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/microsoft-exchange-servers-worldwide-hit-by-stealthy-new-backdoor\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/07\/microsoft-exchange-servers-worldwide-hit-by-stealthy-new-backdoor.jpg","datePublished":"2022-07-01T14:34:54+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/microsoft-exchange-servers-worldwide-hit-by-stealthy-new-backdoor\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/microsoft-exchange-servers-worldwide-hit-by-stealthy-new-backdoor\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/microsoft-exchange-servers-worldwide-hit-by-stealthy-new-backdoor\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/07\/microsoft-exchange-servers-worldwide-hit-by-stealthy-new-backdoor.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/07\/microsoft-exchange-servers-worldwide-hit-by-stealthy-new-backdoor.jpg","width":800,"height":534},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/microsoft-exchange-servers-worldwide-hit-by-stealthy-new-backdoor\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"headline,hacker,privacy,microsoft,email,data loss,backdoor","item":"https:\/\/www.threatshub.org\/blog\/tag\/headlinehackerprivacymicrosoftemaildata-lossbackdoor\/"},{"@type":"ListItem","position":3,"name":"Microsoft Exchange Servers Worldwide Hit By Stealthy New Backdoor"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security 
Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/47349","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=47349"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/47349\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/47350"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=47349"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=47349"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=47349"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}