New Buterat Backdoor Malware Found in Enterprise and Government Networks

Cybersecurity researchers at Point Wild’s Lat61 Threat Intelligence Team have released new findings on a persistent malware operation tracked as Backdoor.Win32.Buterat. The program is built for long-term infection, enabling attackers to breach networks, steal sensitive information, and drop additional malicious tools.
Once it has infected a targeted device, typically via a phishing email or a trojanised download, it hides inside normal system processes and modifies registry keys so that it survives reboots and remains in place.
According to the researchers, the Buterat backdoor was initially spotted targeting government and enterprise networks. In their blog post, shared with Hackread.com ahead of publication, they noted that Buterat uses process and thread manipulation techniques, such as the Windows APIs SetThreadContext and ResumeThread, to hijack the execution flow of an existing thread. Because no new process or remote thread is created, the activity sidesteps the process-creation and thread-injection alerts that security tools typically look for.
The researchers also say Buterat is capable of bypassing the authentication mechanisms most devices rely on. The backdoor communicates with remote command-and-control (C2) servers over encrypted and obfuscated channels, so content inspection alone is unlikely to catch it; defenders have to lean on the destination (the C2 domain) and on the behaviour of the process making the connection.
During live testing, researchers observed the malware dropping multiple payloads onto infected systems. Files with names like amhost.exe and bmhost.exe were placed in the Windows user directory, each designed to play a role in maintaining control and extending the capabilities of the attackers behind the operation. This was followed by attempts to contact a C2 server hosted at ginomp3.mooo.com, which acts as the remote control hub for exfiltration and additional command execution.
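The two observations above (the SetThreadContext/ResumeThread thread hijack, and the dropped amhost.exe/bmhost.exe payloads followed by a lookup of ginomp3.mooo.com) translate directly into hunting logic. The following is an added example written for this article, not code from Point Wild, Lat61 or Hackread: a small detection pass over constructed endpoint telemetry. The event format (JSON-like records with `event`, `pid`, `target_pid`, `tid`, `api`, `path` and `query` fields), the sample events, and the assumption that "Windows user directory" means a path under `C:\Users\` are all assumptions made for illustration; map them onto whatever your EDR or ETW pipeline actually emits.

```python
"""Toy detection pass over constructed endpoint telemetry.

Added example (not Point Wild/Lat61 or Hackread code). The record
format below is an assumption for illustration, not a real EDR schema.
"""
from collections import defaultdict

# Indicators named in the article.
IOC_FILES = {"amhost.exe", "bmhost.exe"}
IOC_DOMAINS = {"ginomp3.mooo.com"}

# Thread-hijack tell: rewrite a thread's context, then resume it.
# A SuspendThread usually precedes this but is not required by the rule.
HIJACK_SEQUENCE = ("SetThreadContext", "ResumeThread")

# Constructed sample telemetry (not captured from a real host).
SAMPLE_EVENTS = [
    # benign: a process touching its own thread (debugger/runtime behaviour)
    {"ts": 1, "event": "api", "pid": 4120, "target_pid": 4120, "tid": 77, "api": "SetThreadContext"},
    # malicious: pid 5200 hijacks thread 91 inside pid 3044
    {"ts": 2, "event": "api", "pid": 5200, "target_pid": 3044, "tid": 91, "api": "SuspendThread"},
    {"ts": 3, "event": "api", "pid": 5200, "target_pid": 3044, "tid": 91, "api": "SetThreadContext"},
    {"ts": 4, "event": "api", "pid": 5200, "target_pid": 3044, "tid": 91, "api": "ResumeThread"},
    # payload drop into a user profile (path is an assumption)
    {"ts": 5, "event": "file_create", "pid": 5200, "path": "C:\\Users\\alice\\amhost.exe"},
    {"ts": 6, "event": "file_create", "pid": 5200, "path": "C:\\Windows\\Temp\\update.log"},
    # the hijacked host process phones home
    {"ts": 7, "event": "dns", "pid": 3044, "query": "ginomp3.mooo.com"},
    {"ts": 8, "event": "dns", "pid": 3044, "query": "www.microsoft.com"},
    # benign: parent resuming a child it created suspended (no context rewrite)
    {"ts": 9, "event": "api", "pid": 6000, "target_pid": 6001, "tid": 12, "api": "ResumeThread"},
]


def detect_thread_hijack(events):
    """Flag a process that runs SetThreadContext then ResumeThread on a
    thread that belongs to a *different* process. Same-process calls are
    ignored, and ResumeThread alone (CREATE_SUSPENDED children) does not fire."""
    progress = defaultdict(int)  # (pid, target_pid, tid) -> steps matched
    alerts = []
    for ev in events:
        if ev.get("event") != "api" or ev["pid"] == ev["target_pid"]:
            continue
        key = (ev["pid"], ev["target_pid"], ev["tid"])
        if ev["api"] == HIJACK_SEQUENCE[progress[key]]:
            progress[key] += 1
            if progress[key] == len(HIJACK_SEQUENCE):
                alerts.append(("thread_hijack", ev["pid"], ev["target_pid"]))
                progress[key] = 0
        elif ev["api"] == HIJACK_SEQUENCE[0]:
            # a fresh SetThreadContext restarts the match
            progress[key] = 1
    return alerts


def detect_payload_drops(events):
    """Flag creation of the named payload files under a user profile."""
    alerts = []
    for ev in events:
        if ev.get("event") != "file_create":
            continue
        path = ev["path"]
        name = path.rsplit("\\", 1)[-1].lower()
        if name in IOC_FILES and path.lower().startswith("c:\\users\\"):
            alerts.append(("payload_drop", ev["pid"], path))
    return alerts


def detect_c2_lookups(events):
    """Flag DNS queries for the known C2 hostname."""
    return [("c2_dns", ev["pid"], ev["query"]) for ev in events
            if ev.get("event") == "dns" and ev["query"].lower() in IOC_DOMAINS]


def run_detections(events):
    """Run all three rules and return the combined alert list."""
    return (detect_thread_hijack(events)
            + detect_payload_drops(events)
            + detect_c2_lookups(events))


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

The rule ordering matters in practice: the thread-hijack rule is behavioural and survives a rename of the payloads or a change of C2 hostname, whereas the file-name and DNS rules are brittle indicators that are only useful until the operators rotate them. Note that the DNS hit is attributed to the hijacked host process (pid 3044), not to the dropper, which is exactly why "blend in as a normal process" makes process-name-based allow-listing unreliable.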
Dr. Zulfikar Ramzan, CTO of Point Wild, summed it up with a warning: “Buterat speaks softly, but carries a big stick. This backdoor hijacks legitimate threads, blends in as a normal process, and quietly phones home.”
So what can companies do to protect their systems against Buterat? Experts recommend endpoint protection, behavioural analysis tools, and network monitoring, in particular to flag lookups of suspicious domains such as the C2 hostname associated with the backdoor. Blocking that one hostname is a start rather than a fix: it sits under a free dynamic-DNS service, so the operators can move it cheaply, and the behavioural signs (a process rewriting another process's thread context, unexpected executables appearing in user profiles) are the more durable signals.
Employee awareness and common sense also matter. Since phishing emails and malicious attachments remain the most common delivery methods, staff need training in spotting suspicious messages, and avoiding trojanised software downloads from unverified sources is another step that limits exposure.
HackRead