{
	"id": "08ce0415-053c-4548-9290-9690fac3006a",
	"created_at": "2026-04-06T00:20:06.576787Z",
	"updated_at": "2026-04-10T13:12:36.808201Z",
	"deleted_at": null,
	"sha1_hash": "3a85defdd68ea44db0c8f2c991351e6611dd3344",
	"title": "SockDetour – a Silent, Fileless, Socketless Backdoor – Targets U.S. Defense Contractors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 249348,
	"plain_text": "SockDetour – a Silent, Fileless, Socketless Backdoor – Targets U.S.\r\nDefense Contractors\r\nBy Unit 42\r\nPublished: 2022-02-24 · Archived: 2026-04-05 12:39:04 UTC\r\nExecutive Summary\r\nUnit 42 has been tracking an APT campaign we name TiltedTemple, which we first identified in connection with its use of\r\nthe Zoho ManageEngine ADSelfService Plus vulnerability CVE-2021-40539 and ServiceDesk Plus vulnerability CVE-2021-44077. The threat actors involved use a variety of techniques to gain access to and persistence in compromised\r\nsystems and have successfully compromised more than a dozen organizations across the technology, energy, healthcare,\r\neducation, finance and defense industries. In conducting further analysis of this campaign, we identified another\r\nsophisticated tool being used to maintain persistence, which we call SockDetour.\r\nA custom backdoor, SockDetour is designed to serve as a backup backdoor in case the primary one is removed. It is difficult\r\nto detect, since it operates filelessly and socketlessly on compromised Windows servers. One of the command and control\r\n(C2) infrastructures that the threat actor used for malware distribution for the TiltedTemple campaign hosted SockDetour\r\nalong with other miscellaneous tools such as a memory dumping tool and several webshells. We are tracking SockDetour as\r\none campaign within TiltedTemple, but cannot yet say definitively whether the activities stem from a single or multiple\r\nthreat actors.\r\nBased on Unit 42’s telemetry data and the analysis of the collected samples, we believe the threat actor behind SockDetour\r\nhas been focused on targeting U.S.-based defense contractors using the tools. Unit 42 has evidence of at least four defense\r\ncontractors being targeted by this campaign, with a compromise of at least one contractor.\r\nUnit 42 also believes it is possible that SockDetour has been in the wild since at least July 2019. 
We did not find any\r\nadditional SockDetour samples on public repositories, meaning that the backdoor successfully stayed under the radar for a\r\nlong time.\r\nFull visualization of the techniques observed, relevant courses of action and indicators of compromise (IoCs) related to this\r\nreport can be found in the Unit 42 ATOM viewer.\r\nPalo Alto Networks customers are protected from the threats described in this blog by Cortex XDR and WildFire, and can\r\nuse AutoFocus for tracking related entities. Additionally, the YARA rule we attached at the end of this blog post can be used\r\nto detect SockDetour in memory.\r\nBackground on the TiltedTemple Campaign\r\nTiltedTemple is the name Unit 42 gives to a campaign being conducted by an advanced persistent threat (APT) or APTs,\r\nleveraging a variety of initial access vectors, to compromise a diverse set of targets globally. Our initial publications on\r\nTiltedTemple focused on attacks that occurred through compromised ManageEngine ADSelfService Plus servers and\r\nthrough ManageEngine ServiceDesk Plus.\r\nThe TiltedTemple campaign has compromised organizations across the technology, energy, healthcare, education, finance\r\nand defense industries and conducted reconnaissance activities against these industries and others, including infrastructure\r\nassociated with five U.S. 
states.\r\nWe found SockDetour hosted on infrastructure associated with TiltedTemple, though we have not yet determined whether\r\nthis is the work of a single threat actor or several.\r\nSockDetour Targets US Defense Industry\r\nWhile the TiltedTemple campaign was initially identified as starting in August 2021, we have recently discovered evidence\r\nthat SockDetour was delivered from an external FTP server to a U.S.-based defense contractor’s internet-facing Windows\r\nserver on July 27, 2021.\r\nThe FTP server also hosted other miscellaneous tools used by the threat actor, such as a memory dumping tool and ASP\r\nwebshells.\r\nAfter analyzing and tracking these indicators, we were able to discover that at least three other U.S.-based defense\r\ncontractors were targeted by the same actor.\r\nSockDetour Hosted by Compromised Home and SOHO NAS Server\r\nhttps://unit42.paloaltonetworks.com/sockdetour/\r\nPage 1 of 5\n\nThe FTP server that hosted SockDetour was a compromised Quality Network Appliance Provider (QNAP) small office and\r\nhome office (SOHO) network-attached storage (NAS) server. The NAS server is known to have multiple vulnerabilities,\r\nincluding a remote code execution vulnerability, CVE-2021-28799. This vulnerability was leveraged by various ransomware\r\nfamilies in massive infection campaigns in April 2021. We believe the threat actor behind SockDetour likely also leveraged\r\nthese vulnerabilities to compromise the NAS server. In fact, the NAS server was already infected with QLocker from the\r\nprevious ransomware campaigns.\r\nAnalysis of SockDetour\r\nSockDetour is a custom backdoor compiled in 64-bit PE file format. It is designed to serve as a backup backdoor in case the\r\nprimary one is detected and removed. It works on Windows operating systems that are running services with listening TCP\r\nports. 
It hijacks network connections made to the pre-existing network socket and establishes an encrypted C2 channel with\r\nthe remote threat actor via the socket. Thus, SockDetour requires neither opening a listening port from which to receive a\r\nconnection nor calling out to an external network to establish a remote C2 channel. This makes the backdoor more difficult\r\nto detect at both the host and network level.\r\nIn order for SockDetour to hijack an existing process’s socket, it needs to be injected into the process’s memory. For this\r\nreason, the threat actor converted SockDetour into shellcode using an open source shellcode generator, the Donut\r\nframework, then used the PowerSploit memory injector to inject the shellcode into target processes. The samples we found\r\ncontained hardcoded target processes’ IDs, which means the threat actor manually chose injection target processes from\r\ncompromised servers.\r\nAfter SockDetour is injected into the target process, the backdoor leverages the Microsoft Detours library package, which is\r\ndesigned for monitoring and instrumenting API calls on Windows, to hijack a network socket. Using the\r\nDetourAttach() function, it attaches a hook to the Winsock accept() function. With the hook in place, when new connections\r\nare made to the service port and the Winsock accept() API function is invoked, the call to the accept() function is re-routed\r\nto the malicious detour function defined in SockDetour.\r\nOther non-C2 traffic is returned to the original service process to ensure the targeted service operates normally without\r\ninterference.\r\nWith this implementation, SockDetour is able to operate filelessly and socketlessly on compromised Windows servers, and\r\nserves as a backup backdoor in case the primary backdoor is detected and removed by defenders.\r\nFigure 1. 
SockDetour Workflow\r\nClient Authentication and C2 Communication\r\nAs SockDetour hijacks all the connections made to the legitimate service port, it first needs to pick out the C2 traffic from\r\nincoming traffic that is mixed with legitimate service traffic, then authenticate it to make sure the C2 connection is made from\r\nthe right client.\r\nSockDetour achieves the verification and authentication of the C2 connection with the following steps.\r\n1. Expect to receive 137 bytes of data from a client for authentication. The authentication data is structured as shown in\r\nTable 1.\r\n17 03 03 | AA BB | CC DD EE FF | 128-byte data block\r\nFixed header value to disguise TLS traffic | Payload data size | Four-byte variable used for client authentication | Data signature for client authentication data block\r\nTable 1. SockDetour client authentication data structure.\r\n2. Read the first nine bytes of data. This data is received using the recv() function with the MSG_PEEK option so that it does\r\nnot interfere with the legitimate service’s traffic by removing data from the socket queue.\r\n3. Verify that the data starts with 17 03 03, which is commonly seen as a record header for TLS transactions when encrypted\r\ndata is being transferred. However, this is abnormal for normal TLS – a TLS-encrypted transaction would not normally\r\nshow up without proper TLS handshakes.\r\nFigure 2. SockDetour receives data with the MSG_PEEK option and verifies the data.\r\n4. Check that the size of payload data AA BB is less than or equal to 251.\r\n5. Check that the four bytes of payload CC DD EE FF satisfy the conditions below:\r\n1. The result is 88 a0 90 82 after bitwise AND with 88 a0 90 82\r\n2. The result is fd f5 fb ef after bitwise OR with fd f5 fb ef\r\n6. Read the whole 137 bytes of data from the same data queue with the MSG_PEEK option for further authentication.\r\n7. 
Build a 24-byte data block as shown in Table 2.\r\n08 1c c1 78 d4 13 3a d7 0f ab | CC DD EE FF | b3 a2 b8 ae 63 bb 03 e8 ff 3b\r\n10 bytes hardcoded in SockDetour | Four bytes received from the client for authentication | 10 bytes hardcoded in SockDetour\r\nTable 2. 24-byte data block to be verified for client authentication.\r\n8. This 24-byte data block is hashed and verified using an embedded public key against the 128-byte data signature in Table\r\n1, which the threat actor would have created by signing the hash of the same 24-byte data block using the corresponding\r\nprivate key.\r\nThis completes the client authentication step. After successful authentication, SockDetour takes over the TCP session using\r\nthe recv() function without the MSG_PEEK option as this session is now verified to be for the backdoor.\r\nNext, SockDetour creates a 160-bit session key using a hardcoded initial vector value bvyiafszmkjsmqgl, then sends it to the\r\nremote client using the following data structure.\r\n17 03 03 | AA BB | CC DD EE FF | session_key | random_padding\r\nFixed header value to disguise TLS traffic | Payload data size | Session key length | 160-bit session key | Random padding\r\nTable 3. SockDetour sending session key to client.\r\nIn common encryption protocols such as TLS, the session key is encrypted with a public key before transferring. However,\r\nin this case, the malware author has seemingly forgotten the step and transfers the key in plain text.\r\nNow with the session key shared between SockDetour and the remote client, the C2 connection is made encrypted over the\r\nhijacked socket.\r\nPlugin Loading Feature\r\nAs a backup backdoor, SockDetour serves only one feature of loading a plugin DLL. After the session key sharing,\r\nSockDetour receives four bytes of data from the client, which indicates the length of data SockDetour will receive for the\r\nfinal payload delivery stage. 
The size is expected to be smaller than or equal to five MB.\r\nThe final payload data received is encrypted using the shared session key. After decryption, the received data is expected to\r\nbe in JSON format with two objects, app and args. app contains a base64-encoded DLL, and args contains an argument to be\r\npassed to the DLL. SockDetour loads this plugin DLL in newly allocated memory space, then calls an export function with\r\nthe name ThreadProc with a function argument in the following JSON structure.\r\n{\r\n    \"sock\": hijacked_socket,\r\n    \"key\": session_key,\r\n    \"args\": arguments_received_from_client\r\n}\r\nWhile plugin DLL samples were not discovered, the above function argument suggests that the plugin also likely\r\ncommunicates via the hijacked socket and encrypts the transaction using the session key. Thus, we surmise it operates as\r\nstealthily as SockDetour does.\r\nConclusion\r\nSockDetour is a backdoor that is designed to remain stealthy on compromised Windows servers so that it can serve as a\r\nbackup backdoor in case the primary one fails. It is filelessly loaded in legitimate service processes and uses legitimate\r\nprocesses’ network sockets to establish its own encrypted C2 channel.\r\nWhile it can be easily altered, the compilation timestamp of the SockDetour sample we analyzed suggests that it has likely\r\nbeen in the wild since at least July 2019 without any update to the PE file. Plus, we did not find any additional SockDetour\r\nsamples on public repositories. 
This suggests that the backdoor successfully stayed under the radar for a long time.\r\nThe plugin DLL remains unknown, but it is also expected to operate very stealthily by being delivered via SockDetour’s\r\nencrypted channel, being loaded filelessly in memory and communicating via hijacked sockets.\r\nAs an additional note, the type of NAS server that we found hosting SockDetour is typically used by small businesses. This\r\nexample serves as a critical reminder to patch this type of server frequently when fixes are released.\r\nProtections and Mitigations\r\nCortex XDR protects endpoints and accurately identifies the memory injector as malicious. Additionally, Cortex XDR has\r\nseveral detections for lateral movement and credential theft tactics, techniques and procedures (TTPs) employed by this\r\nactor set.\r\nThe WildFire cloud-based threat analysis service accurately identifies the injector used in this campaign as malicious.\r\nAutoFocus customers can track SockDetour activity via the SockDetour tag.\r\nWe advise server administrators to keep Windows servers up to date.\r\nThe YARA rule attached at the end of this blog can be used to detect the presence of SockDetour in memory.\r\nOrganizations should conduct an incident response investigation if they think they are compromised by SockDetour. 
If you\r\nthink you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or\r\ncall North America Toll-Free: 866.486.4842 (866.4.UNIT42), EMEA: +31.20.299.3130, APAC: +65.6983.8730 or Japan:\r\n+81.50.1790.0200.\r\nIndicators of Compromise\r\nSockDetour PE\r\n0b2b9a2ac4bff81847b332af18a8e0705075166a137ab248e4d9b5cbd8b960df\r\nPowerSploit Memory Injectors Delivering SockDetour\r\n80ed7984a42570d94cd1b6dcd89f95e3175a5c4247ac245c817928dd07fc9540\r\nbee2fe0647d0ec9f2f0aa5f784b122aaeba0cddb39b08e3ea19dd4cdb90e53f9\r\na5b9ac1d0350341764f877f5c4249151981200df0769a38386f6b7c8ca6f9c7a\r\n607a2ce7dc2252e9e582e757bbfa2f18e3f3864cb4267cd07129f4b9a241300b\r\n11b2b719d6bffae3ab1e0f8191d70aa1bade7f599aeadb7358f722458a21b530\r\ncd28c7a63f91a20ec4045cf40ff0f93b336565bd504c9534be857e971b4e80ee\r\nebe926f37e7188a6f0cc85744376cdc672e495607f85ba3cbee6980049951889\r\n3ea2bf2a6b039071b890f03b5987d9135fe4c036fb77f477f1820c34b341644e\r\n7e9cf2a2dd3edac92175a3eb1355c0f5f05f47b7798e206b470637c5303ac79f\r\nbb48438e2ed47ab692d1754305df664cda6c518754ef9a58fb5fa8545f5bfb9b\r\nPublic Key Embedded in SockDetour\r\n-----BEGIN PUBLIC KEY-----\r\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWD9BUhQQZkagIIHsCdn/wtRNXcYoEi3Z4PhZkH3mar20EONVyXWP/YUxyUmxD+aT\r\n-----END PUBLIC KEY-----\r\nYARA Rule for Detecting SockDetour in Memory\r\nrule apt_win_sockdetour\r\n{\r\nmeta:\r\nauthor = \"Unit 42 - PaloAltoNetworks\"\r\ndate = \"2022-01-23\"\r\ndescription = \"Detects SockDetour in memory or in PE format\"\r\nhash01 = \"0b2b9a2ac4bff81847b332af18a8e0705075166a137ab248e4d9b5cbd8b960df\"\r\nstrings:\r\n$public_key =\r\n\"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWD9BUhQQZkagIIHsCdn/wtRNXcYoEi3Z4PhZkH3mar20EONVyXWP/YUxyU\r\n$json_name_sequence = {61 70 70 00 61 72 67 73 00 00 00 00 73 6F 63 6B 00 00 00 00 6B 65 79 00 61 72 67 73 00 00}\r\n$verification_bytes = {88 [4] A0 [4] 90 [4] 82 [4] FD [4] F5 [4] FB [4] EF}\r\n$data_block = {08 [4] 1C [4] C1 [4] 78 [4] D4 [4] 13 [4] 3A [4] D7 [4] 0F [4] AB [4] B3 [4] A2 [4] B8 [4] AE [4] 63 [4] BB [4] 03 [4] E8 [4] FF\r\n$initial_vector = {62 [4] 76 [4] 79 [4] 69 [4] 61 [4] 66 [4] 73 [4] 7A [4] 6D [4] 6B [4] 6A [4] 73 [4] 6D [4] 71 [4] 67 [4] 6C}\r\ncondition:\r\nany of them\r\n}\r\nSource: https://unit42.paloaltonetworks.com/sockdetour/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/sockdetour/"
	],
	"report_names": [
		"sockdetour"
	],
	"threat_actors": [
		{
			"id": "0a80df4d-5ab7-4ca3-809d-8ef7b5a54f1f",
			"created_at": "2023-11-21T02:00:07.386886Z",
			"updated_at": "2026-04-10T02:00:03.474764Z",
			"deleted_at": null,
			"main_name": "TiltedTemple",
			"aliases": [
				"Circle Typhoon",
				"DEV-0322"
			],
			"source_name": "MISPGALAXY:TiltedTemple",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434806,
	"ts_updated_at": 1775826756,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3a85defdd68ea44db0c8f2c991351e6611dd3344.pdf",
		"text": "https://archive.orkl.eu/3a85defdd68ea44db0c8f2c991351e6611dd3344.txt",
		"img": "https://archive.orkl.eu/3a85defdd68ea44db0c8f2c991351e6611dd3344.jpg"
	}
}