New YiBackdoor Allows Attackers to Execute Arbitrary Commands and Exfiltrate Sensitive Data from Hacked Systems

A sophisticated new malware family dubbed YiBackdoor has emerged in the cybersecurity landscape, posing a significant threat to organizations worldwide.

First observed in June 2025, this malicious software represents a concerning evolution in backdoor technology, featuring advanced capabilities that enable threat actors to execute arbitrary commands, capture screenshots, collect sensitive system information, and deploy additional malicious plugins on compromised hosts.

The malware’s architecture demonstrates significant code overlaps with established threats IcedID and Latrodectus, suggesting potential collaboration between threat actor groups or shared development resources.

Similar to notorious banking trojans like Zloader and Qakbot, IcedID was originally designed for facilitating financial fraud but has since evolved into a primary tool for providing initial access to ransomware operators.

YiBackdoor appears to follow this same trajectory, potentially serving as a gateway for more destructive cyberattacks.

Zscaler analysts identified YiBackdoor through comprehensive threat hunting activities and noted its sophisticated anti-analysis capabilities designed to evade detection by security researchers and automated sandbox environments.

Figure: Network dynamic key derivation function for YiBackdoor (Source – Zscaler)

The malware demonstrates advanced virtual environment detection techniques, including hypervisor identification for VMware, Xen, KVM, VirtualBox, Microsoft Hyper-V, and Parallels systems.

The malware’s limited deployment patterns suggest it may currently be in a development or testing phase, according to security researchers.

However, its advanced capabilities and connection to established malware families indicate that broader deployment campaigns could emerge as development progresses.

The threat actor’s use of local IP addresses in configuration files further supports the assessment that YiBackdoor remains in active development.

Code Injection and Persistence Mechanisms

YiBackdoor employs a sophisticated process injection technique that sets it apart from conventional malware families.

The malware achieves code execution within a legitimate system process by targeting svchost.exe for its injection operations.

During the initialization phase, YiBackdoor performs a critical check to determine whether it is already running within an injected process by examining its current memory address against loaded DLL ranges.

If the malware detects it is not yet injected, it creates a new svchost.exe process and begins the injection sequence.

The malware allocates memory within the target process and copies its malicious code into the newly created memory region.

Figure: Comparison of YiBackdoor and IcedID GZIP decryption routines (Source – Zscaler)

The most notable aspect of YiBackdoor’s injection technique involves patching the Windows API function RtlExitUserProcess with custom assembly code.

This patch redirects execution flow to YiBackdoor’s entry point when the function is called, effectively hijacking the process termination sequence.

The following code illustrates the hypervisor detection mechanism used by the malware. It times the CPUID instruction with RDTSC; CPUID is an unconditionally intercepted instruction, so under a hypervisor each execution costs far more cycles than on bare metal:

#include <windows.h>   // SwitchToThread
#include <intrin.h>    // __rdtsc, __cpuid
#include <cstdint>

[[nodiscard]] bool isHyperVisor()
{
    uint64_t timer1 = 0;        // accumulated cycles spent executing CPUID
    uint64_t timer2 = 0;        // accumulated cycles between two back-to-back RDTSC reads (baseline)
    int loop_counter = 16;      // sample 16 times to smooth out scheduling noise
    int cpuInfo[4] = { 0 };
    while (loop_counter)
    {
        SwitchToThread();       // yield first so a pending context switch does not land inside the measurement
        uint64_t first_rdtsc_timer_value = __rdtsc();
        __cpuid(cpuInfo, 1);    // CPUID leaf 1: traps to the hypervisor when one is present
        timer1 += __rdtsc() - first_rdtsc_timer_value;
        SwitchToThread();
        uint64_t second_rdtsc = __rdtsc();
        uint64_t third_rdtsc = __rdtsc();
        timer2 += ((third_rdtsc - second_rdtsc));
        loop_counter--;
    }
    // Threshold as shown in the published snippet; timer2 is collected but not used in the comparison.
    return (timer1 > 20);
}

Persistence establishment occurs through Windows Registry manipulation, where YiBackdoor copies itself to a randomly named directory and creates registry entries using regsvr32.exe for automatic execution upon system startup.

The malware generates pseudo-random values for registry key names using Microsoft’s Linear Congruential Generator algorithm, making detection through static signatures more challenging for security products.
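The persistence technique above (a regsvr32.exe autorun entry pointing at a DLL in a randomly named directory) and the Microsoft LCG used for the names together suggest what a defender can check instead of a static signature. The Python below is an added example, not code from the article or from Zscaler: it re-implements the Microsoft CRT rand() linear congruential generator (the constants 214013 and 2531011 and the 16-bit shift are the documented CRT behaviour), maps its output onto letters under a hypothetical naming scheme that is an assumption for this example and not YiBackdoor's real one, and then scans a constructed list of Run-key entries for regsvr32 loaders whose DLL path or value name looks machine-generated. The sample entries and the `looks_random` heuristic are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Microsoft CRT rand(): state = state * 214013 + 2531011 (mod 2^32), output = bits 16..30.
MSVC_MULT, MSVC_INC, MASK32 = 214013, 2531011, 0xFFFFFFFF


class MsvcLcg:
    """Minimal re-implementation of the MSVC rand() linear congruential generator."""

    def __init__(self, seed: int) -> None:
        self.state = seed & MASK32

    def rand(self) -> int:
        self.state = (self.state * MSVC_MULT + MSVC_INC) & MASK32
        return (self.state >> 16) & 0x7FFF


def msvc_rand_sequence(seed: int, n: int) -> List[int]:
    """First n rand() outputs for a seed (seed 1 yields 41, 18467, 6334, ...)."""
    rng = MsvcLcg(seed)
    return [rng.rand() for _ in range(n)]


def pseudo_random_name(seed: int, length: int = 8) -> str:
    """Hypothetical naming scheme (an assumption for this example, not the malware's
    real one): map successive rand() outputs onto lowercase letters."""
    rng = MsvcLcg(seed)
    return "".join(chr(ord("a") + rng.rand() % 26) for _ in range(length))


def looks_random(token: str) -> bool:
    """Coarse heuristic for machine-generated names: six or more letters containing a
    run of five or more consonants (y counted as a vowel). Pronounceable product names
    rarely do; LCG-driven letter strings usually do. Tune before production use."""
    t = token.lower()
    if len(t) < 6 or not t.isalpha():
        return False
    run = longest = 0
    for c in t:
        run = 0 if c in "aeiouy" else run + 1
        longest = max(longest, run)
    return longest >= 5


USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)
REGSVR32 = re.compile(r"(^|\\)regsvr32(\.exe)?$", re.IGNORECASE)


def regsvr32_target(command: str) -> Optional[str]:
    """Return the DLL path a Run-key command hands to regsvr32, or None if the command
    does not launch regsvr32. Switches such as /s or /n are skipped; quoted paths kept whole."""
    tokens = [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', command)]
    if not tokens or not REGSVR32.search(tokens[0]):
        return None
    args = [t for t in tokens[1:] if not t.startswith(("/", "-"))]
    return args[-1] if args else None


def assess_run_entry(value_name: str, command: str) -> List[str]:
    """Reasons this autorun entry resembles the regsvr32 persistence described above."""
    reasons: List[str] = []
    target = regsvr32_target(command)
    if target is None:
        return reasons
    reasons.append("regsvr32 used as an autorun loader")
    if USER_WRITABLE.search(target):
        reasons.append("DLL lives under a user-writable location")
    random_dirs = [p for p in target.split("\\")[:-1] if looks_random(p)]
    if random_dirs:
        reasons.append(f"random-looking directory name: {random_dirs[0]}")
    if looks_random(value_name):
        reasons.append(f"random-looking value name: {value_name}")
    return reasons


def scan_run_entries(entries: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map value name -> reasons, keeping only entries that raised at least one."""
    flagged: Dict[str, List[str]] = {}
    for name, command in entries:
        reasons = assess_run_entry(name, command)
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed sample Run-key values (not real telemetry).
SAMPLE_RUN_ENTRIES = [
    ("SecurityHealth", r'"C:\Windows\System32\SecurityHealthSystray.exe"'),
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("qzxmwbtr", r'regsvr32.exe /s "C:\Users\alice\AppData\Roaming\kqzvjdtx\update.dll"'),
    ("Legacy", r"C:\Windows\System32\regsvr32.exe /s C:\Vendor\Tool\vendor.dll"),
]

if __name__ == "__main__":
    print("seed 1 ->", msvc_rand_sequence(1, 3), pseudo_random_name(1))
    for name, reasons in scan_run_entries(SAMPLE_RUN_ENTRIES).items():
        print(name, "->", "; ".join(reasons))
```

The LCG half shows why a name signature is pointless: every seed produces a different, equally plausible string, and the generator is trivial to reproduce, so the useful signal is structural (who the loader is, where the DLL sits, whether the names look generated) rather than the literal name. On a live host the same `assess_run_entry` can be fed from HKCU and HKLM Run keys via `winreg`; the hit on a `regsvr32` entry under AppData with consonant-heavy directory and value names is the combination worth alerting on, while a lone `regsvr32` in `C:\Vendor` should stay at low severity.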
