
Com TW NOw News 2024

Taiwanese university under fire over unique DLL backdoor
A never-before-seen backdoor, dubbed Msupedge, is targeting victims in Taiwan and uses a unique communication technique.

After Symantec researchers discovered the malware used in an attack on a Taiwanese university, they determined that it communicates with its command-and-control (C2) server over DNS traffic, a known but rarely seen technique, according to a blog post from Symantec this week.

The backdoor comes in the form of a Dynamic Link Library (DLL), which is installed at two file paths:

  1. csidl_drive_fixed\xampp\wuplog.dll

  2. csidl_system\wbem\wmiclnt.dll
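
The two paths above are the only host-based indicators the report gives, so the most direct check a defender can run is to look for those files. The script below is an added example, not code from Symantec or from this publication. It assumes the CSIDL placeholders expand the usual way (csidl_drive_fixed to the root of each fixed local drive, csidl_system to the Windows system directory); the function names are my own.

```python
"""Check a Windows host for the two Msupedge DLL drop locations named in
Symantec's report. Added example, not Symantec's or the publication's code.

Assumed CSIDL expansion:
  csidl_drive_fixed -> root of every fixed (local) drive, e.g. C:\\
  csidl_system      -> the Windows system directory, e.g. C:\\Windows\\System32
"""
import os
import sys
from pathlib import PureWindowsPath

# Path components exactly as reported, after the CSIDL prefix.
DRIVE_FIXED_RELATIVE = ("xampp", "wuplog.dll")
SYSTEM_RELATIVE = ("wbem", "wmiclnt.dll")


def candidate_paths(fixed_drive_roots, system_dir):
    """Expand the two reported locations into concrete paths to inspect.

    fixed_drive_roots: iterable of drive roots such as ["C:\\\\", "D:\\\\"]
    system_dir: the expanded csidl_system directory
    """
    paths = [PureWindowsPath(root, *DRIVE_FIXED_RELATIVE) for root in fixed_drive_roots]
    paths.append(PureWindowsPath(system_dir, *SYSTEM_RELATIVE))
    return paths


def fixed_drive_roots_windows():
    """Enumerate fixed drives through the Win32 API (Windows only)."""
    import ctypes
    import string

    DRIVE_FIXED = 3  # return value of GetDriveTypeW for local fixed disks
    kernel32 = ctypes.windll.kernel32
    mask = kernel32.GetLogicalDrives()
    roots = []
    for bit, letter in enumerate(string.ascii_uppercase):
        if mask & (1 << bit):
            root = f"{letter}:\\"
            if kernel32.GetDriveTypeW(root) == DRIVE_FIXED:
                roots.append(root)
    return roots


def find_present(paths, exists=os.path.exists):
    """Return the candidate paths that exist on disk.

    `exists` is injectable so the logic can be exercised with a fake
    filesystem; by default it consults the real one.
    """
    return [p for p in paths if exists(str(p))]


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the Windows host being checked")
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    hits = find_present(candidate_paths(fixed_drive_roots_windows(), system_dir))
    if hits:
        print("reported Msupedge drop locations present:")
        for hit in hits:
            print(f"  {hit}")
    else:
        print("none of the reported drop locations found")
```

A file at one of these paths is a lead for triage (collect the DLL, check its load chain and the host's DNS activity), not a verdict on its own; a legitimate file could sit at a similar path, and the report does not give hashes to confirm a match.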

The backdoor then waits to receive commands via DNS traffic and uses the resolved IP address of the C2 server as the first command.

Researchers believe the initial breach may have occurred via an exploit of a recently patched PHP vulnerability known as CVE-2024-4577. The bug is a CGI argument injection flaw that affects all versions of PHP installed on unpatched Windows instances. If successful, exploitation of the bug could lead to remote code execution (RCE).

The researchers said they recently discovered several threat actors looking for vulnerable systems, but “have not found any evidence that allows us to attribute (Msupedge), and the motive behind the attack remains unknown.”