Shadow Scripts: xHunt’s Stealthy Backdoors Breach Middle East Networks
A new wave of cyber-espionage exploits Microsoft Exchange and IIS servers, evading detection with custom PowerShell implants.
On a quiet Tuesday morning, a shipping company in Kuwait discovered something unsettling: encrypted messages were being exchanged within their own email drafts folder. It wasn’t a clumsy prank - this was the work of xHunt, a cyber-espionage collective that has quietly haunted Middle Eastern networks since 2018. Their latest campaign leverages a toolkit of custom PowerShell backdoors, slipping through digital cracks in Microsoft Exchange and IIS web servers to steal secrets and remain dangerously invisible.
The Anatomy of an Espionage Operation
xHunt’s operations are far from amateur. Their arsenal - named after anime characters like Hisoka and Netero - demonstrates a high level of sophistication and an intimate understanding of Windows enterprise environments. The PowerShell-based TriFive and Snugy backdoors are deployed as scheduled tasks, running quietly every few minutes. By bypassing standard execution policies, these scripts evade most endpoint security tools, allowing attackers to maintain persistent access for months.
One of xHunt’s most innovative tactics is abusing Microsoft Exchange’s Web Services (EWS). Instead of noisy network traffic, their TriFive backdoor hides encrypted, base64-obfuscated commands in the victim’s email Drafts or Deleted Items folders. The infected server executes these commands and replies with another encoded message - blending seamlessly with legitimate email activity and making detection nearly impossible.
To move laterally, xHunt establishes SSH tunnels using PuTTY’s Plink utility, linking infected Exchange servers to hidden BumbleBee webshells on internal IIS servers. This gives them remote access to sensitive internal services, including RDP and web applications shielded from the open internet. In a further twist, watering-hole attacks on government websites silently harvest visitors’ NTLMv2 password hashes, which are then used to attempt further penetrations across the network.
The group’s tradecraft extends to clever camouflage: scheduled tasks are disguised with names like “ResolutionHosts,” and VPNs with ever-changing European IPs obscure their tracks. Registry tweaks expose plaintext credentials in server memory, giving attackers a direct line to sensitive data.
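As an added defender-side example (not code from the original article or from any vendor it mentions), the following Python inspects the task XML that Windows records in Security event 4698 when a scheduled task is created, and flags tasks that combine the two traits described above: PowerShell launched with the execution policy bypassed, and a repetition interval of only a few minutes. The two sample task records, their script paths and the 600-second threshold are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace (what event 4698 carries in its TaskContent field).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
XMLNS = 'xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"'

# Constructed sample (task name, TaskContent) pairs, not real captures:
# one implant-style task hidden under a Microsoft folder, one ordinary backup job.
SAMPLE_TASKS = [
    ("\\Microsoft\\Windows\\ResolutionHosts", f"""<Task {XMLNS}>
<Triggers><CalendarTrigger><Repetition><Interval>PT5M</Interval></Repetition></CalendarTrigger></Triggers>
<Actions><Exec><Command>powershell.exe</Command><Arguments>-ExecutionPolicy Bypass -WindowStyle Hidden -File C:\\ProgramData\\update.ps1</Arguments></Exec></Actions>
</Task>"""),
    ("\\Backup\\NightlyExport", f"""<Task {XMLNS}>
<Triggers><CalendarTrigger><Repetition><Interval>P1D</Interval></Repetition></CalendarTrigger></Triggers>
<Actions><Exec><Command>powershell.exe</Command><Arguments>-File C:\\Scripts\\export.ps1</Arguments></Exec></Actions></Task>"""),
]
# Launch flags that bypass the execution policy or hide the console / the code.
BYPASS_ARGS = re.compile(r"-(?:ep|executionpolicy)\s+bypass|-enc|-w(?:indowstyle)?\s+hidden", re.I)

def interval_seconds(iso):
    """Convert a Task Scheduler ISO 8601 duration (PT5M, P1D) to seconds; None if malformed."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", (iso or "").strip())
    if not m:
        return None
    d, h, mi, s = (int(x or 0) for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def assess_task(task_xml, max_interval=600):
    """Return the reasons a task looks like a beaconing PowerShell implant."""
    root = ET.fromstring(task_xml)
    reasons = []
    cmd = root.findtext(".//t:Exec/t:Command", default="", namespaces=NS).lower()
    args = root.findtext(".//t:Exec/t:Arguments", default="", namespaces=NS)
    if ("powershell" in cmd or "pwsh" in cmd) and BYPASS_ARGS.search(args):
        reasons.append("PowerShell started with policy bypass / hidden window / encoded command")
    for iv in root.iterfind(".//t:Repetition/t:Interval", NS):
        secs = interval_seconds(iv.text)
        if secs is not None and secs <= max_interval:
            reasons.append(f"repeats every {secs} s (beacon-like)")
    return reasons

def flag_beaconing_tasks(tasks):
    """Names of tasks showing both traits; either trait alone is too noisy on its own."""
    return [name for name, xml in tasks if len(assess_task(xml)) >= 2]

print(flag_beaconing_tasks(SAMPLE_TASKS))
```

The same check can be fed from live 4698 events or from `schtasks /query /xml` output, but the task name alone (a benign-looking name under \Microsoft\Windows) is not evidence; the launch flags plus the repetition interval are what separate an implant from a legitimate job.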
Defending Against the Shadows
Security experts warn that xHunt’s tactics are a wake-up call for organizations relying on Exchange and IIS. Threat emulation platforms, such as the one offered by Picus Security, now simulate xHunt’s techniques, urging defenders to test and reinforce their security posture before the next silent breach takes hold.