GhostContainer Backdoor Attacks Microsoft Exchange Servers

Researchers at Kaspersky Lab have uncovered a sophisticated new malware strain named GhostContainer, which leverages open-source tools to target Microsoft Exchange servers. Believed to be part of an advanced cyber espionage campaign, the backdoor appears to focus on high-value organizations in Asia—particularly those in government and high-tech sectors.

Discovery and Technical Details

GhostContainer was first identified during an incident response involving compromised Exchange infrastructure within the public sector. Investigators analyzed a suspicious file named App_Web_Container_1.dll, which turned out to be a multi-functional backdoor built using components from several open-source projects.

One of GhostContainer’s core features is modularity—it can dynamically load and execute additional payloads, extending its capabilities as needed. Once embedded within the system, it grants attackers full remote control over the compromised Exchange server.

Stealth and Persistence

The malware is engineered for stealth. It mimics legitimate server components to avoid detection and maintain long-term access. By blending in with Exchange's normal operations, GhostContainer can operate unnoticed for extended periods.
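The report identifies the backdoor only as a file named App_Web_Container_1.dll that blends in with normal Exchange components. ASP.NET generates legitimate App_Web_*.dll assemblies during dynamic compilation, so the practical defensive step is to inventory every file with that name pattern, record where it lives and what it hashes to, and diff later runs against that baseline. The PowerShell below is an added example written for this page, not code from Kaspersky or from the report; the ExchangeInstallPath environment variable and the .NET Framework temporary compilation folders are assumed standard locations, and the baseline CSV path is a placeholder.

```powershell
# Added example (not from the Kaspersky report): inventory App_Web_*.dll files on an
# Exchange server so responders can baseline them and notice additions such as the
# App_Web_Container_1.dll described in the write-up.
# Assumptions: $env:ExchangeInstallPath is set by Exchange setup; the ASP.NET
# temporary compilation folders are the standard .NET Framework 4 locations.

$roots = @(
    $env:ExchangeInstallPath,
    (Join-Path $env:SystemRoot 'Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files'),
    (Join-Path $env:SystemRoot 'Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files')
) | Where-Object { $_ -and (Test-Path $_) }

$inventory = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -Filter 'App_Web_*.dll' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path          = $_.FullName
            SizeKB        = [math]::Round($_.Length / 1KB, 1)
            CreatedUtc    = $_.CreationTimeUtc
            ModifiedUtc   = $_.LastWriteTimeUtc
            SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Signature     = $sig.Status
            InTempCompile = $_.FullName -like '*Temporary ASP.NET Files*'
        }
    }
}

# ASP.NET compiles App_Web_*.dll into the temporary compilation folders without
# signing them, so an unsigned file there is normal. A file with that name pattern
# outside those folders, or a hash absent from the baseline, is what deserves review.
$inventory | Sort-Object CreatedUtc -Descending | Format-Table -AutoSize

# Placeholder baseline location; store the real baseline off the server.
$baselineFile = Join-Path $env:TEMP 'appweb-baseline.csv'
if (Test-Path $baselineFile) {
    $known = Import-Csv -Path $baselineFile | Select-Object -ExpandProperty SHA256
    $inventory | Where-Object { $known -notcontains $_.SHA256 } |
        ForEach-Object { Write-Warning "App_Web DLL not in baseline: $($_.Path)" }
} else {
    $inventory | Export-Csv -Path $baselineFile -NoTypeInformation
    Write-Host "Baseline written to $baselineFile"
}
```

Run it once on a known-good server to create the baseline, then schedule it; any App_Web_*.dll whose hash is new, or which sits outside the temporary compilation folders, is the candidate to pull for analysis. Because the report says the backdoor mimics legitimate components, the location and hash comparison matters more than the name itself.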

In addition to espionage, the malware can also be configured to function as a proxy or tunnel, effectively turning the infected server into a gateway for further intrusion. This tactic puts the entire corporate network at risk, opening paths for exfiltration of confidential data or lateral movement.

Expert Commentary

Sergey Lozhkin, Head of the Global Research and Analysis Team (GReAT) for the APAC and META regions at Kaspersky, noted:

“Our research shows the attackers are highly skilled. They understand Microsoft Exchange internals and are capable of building powerful espionage tools from open-source code. While initial activity has been observed in Asia, there’s a real possibility that GhostContainer could surface in other regions. We are still analyzing attribution data and have not yet linked it to any known threat actor, but the investigation continues.”

Key Takeaways

  • GhostContainer is a modular backdoor targeting Microsoft Exchange servers.
  • Built from open-source components, it can dynamically expand its capabilities.
  • It masquerades as a legitimate Exchange component to avoid detection.
  • Functions include full server control, proxy/tunnel operations, and stealth persistence.
  • Initial targets appear to be large Asian organizations, suggesting a likely focus on cyber espionage.
