{
	"id": "8c00ac9e-c8ff-4c7e-8aad-1dd0c4f6b1dd",
	"created_at": "2026-04-06T00:17:36.752102Z",
	"updated_at": "2026-04-10T03:27:16.171275Z",
	"deleted_at": null,
	"sha1_hash": "bff30f982f6b62f6c6a8b2738a5f381b34ecbd79",
	"title": "Kaspersky discovers poorly detected backdoor, targeting governments and NGOs around the globe",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 166848,
	"plain_text": "Kaspersky discovers poorly detected backdoor, targeting\r\ngovernments and NGOs around the globe\r\nBy Kaspersky\r\nPublished: 2022-06-30 · Archived: 2026-04-05 22:28:38 UTC\r\nKaspersky experts have brought to light a poorly detected SessionManager backdoor that was set up as a\r\nmalicious module within the Internet Information Services (IIS), a popular web server edited by Microsoft.\r\nOnce propagated, SessionManager enables a wide range of malicious activities, starting from collecting\r\nemails to complete control over the victim’s infrastructure. First leveraged in late March 2021, the newly\r\ndiscovered backdoor has hit governmental institutions and NGOs in Africa, South Asia, Europe and the\r\nMiddle East. Most of the targeted organizations are still compromised to date.\r\nIn December 2021, Kaspersky uncovered “Owowa”, a previously unknown IIS module that steals credentials\r\nentered by a user when logging into Outlook Web Access (OWA). Since then, the company’s experts have kept an\r\neye on the new opportunity for cybercriminal activity – it has become clear that deploying a backdoor within IIS\r\nis a trend for threat actors, who previously exploited one of the “ProxyLogon-type” vulnerabilities within\r\nMicrosoft Exchange servers. In a recent investigation, Kaspersky experts came across a new unwanted module\r\nbackdoor, dubbed SessionManager.\r\nThe SessionManager backdoor enables threat actors to keep persistent, update-resistant and rather stealth access to\r\nthe IT infrastructure of a targeted organization. Once dropped into the victim’s system, cybercriminals behind the\r\nbackdoor can gain access to company emails, update further malicious access by installing other types of malware\r\nor clandestinely manage compromised servers, which can be leveraged as malicious infrastructure.\r\nA distinctive feature of SessionManager is its poor detection rate. 
Although Kaspersky researchers first discovered it in early 2022, some of the backdoor samples were still not flagged as malicious by most popular online file scanning\r\nservices. To date, SessionManager is still deployed in more than 90% of targeted organizations, according to an\r\nInternet scan carried out by Kaspersky researchers.\r\nOverall, 34 servers belonging to 24 organizations in Europe, the Middle East, South Asia and Africa were compromised\r\nby SessionManager. The threat actor operating SessionManager shows a special interest in NGOs and\r\ngovernment entities, but medical organizations, oil companies and transportation companies, among others, have been\r\ntargeted as well.\r\nhttps://www.kaspersky.com/about/press-releases/2022_kaspersky-discovers-poorly-detected-backdoor-targeting-governments-and-ngos-around-the-globe\r\nPage 1 of 3\n\nMap of organizations targeted by the SessionManager campaign\r\nBecause of a similar victimology and the shared use of the “OwlProxy” variant, Kaspersky experts believe that\r\nthe malicious IIS module might have been leveraged by the GELSEMIUM threat actor, as part of its espionage\r\noperations.\r\n“The exploitation of Exchange server vulnerabilities has been a favorite of cybercriminals looking to get into\r\ntargeted infrastructure since Q1 2021. It notably enabled a series of long unnoticed cyberespionage campaigns.\r\nThe recently discovered SessionManager was poorly detected for a year and is still deployed in the wild. Facing\r\nmassive and unprecedented server-side vulnerability exploitation, most cybersecurity actors were busy\r\ninvestigating and responding to the first identified offences. 
As a result, it is still possible to discover related\r\nmalicious activities months or years later, and this will probably be the case for a long time,” comments Pierre\r\nDelcher, Senior Security Researcher at Kaspersky’s Global Research and Analysis Team.\r\n“Gaining visibility into actual and recent cyberthreats is paramount for companies to protect their assets. Such\r\nattacks may result in significant financial or reputational losses and may disrupt a target’s operations. Threat\r\nintelligence is the only component that can enable reliable and timely anticipation of such threats. In the case of\r\nExchange servers, we cannot stress it enough: the past year’s vulnerabilities have made them perfect targets,\r\nwhatever the malicious intent, so they should be carefully audited and monitored for hidden implants, if they were\r\nnot already,” adds Pierre.\r\nKaspersky products detect several malicious IIS modules, including SessionManager. To learn more about\r\nSessionManager’s operation style and targets, visit Securelist.com.\r\nTo protect your business from such threats, Kaspersky experts also recommend that you:\r\nRegularly check the modules loaded on exposed IIS servers (notably Exchange servers), using the tooling that ships with IIS itself,\r\nand verify that every loaded module is expected and its binary is accounted for. Check for unknown modules as part of your threat hunting activities\r\nevery time a major vulnerability is announced for Microsoft server products.\r\nFocus your defense strategy on detecting lateral movement and data exfiltration to the internet. Pay\r\nspecial attention to outgoing traffic to detect attacker connections. Back up data regularly. 
Make sure\r\nyou can quickly access it in an emergency.\r\nUse solutions like Kaspersky Endpoint Detection and Response and the Kaspersky Managed Detection and\r\nResponse service, which help to identify and stop an attack in its early stages, before the attackers achieve\r\ntheir goals.\r\nUse a reliable endpoint security solution, such as Kaspersky Endpoint Security for Business (KESB), that is\r\npowered by exploit prevention, behavior detection and a remediation engine able to roll back\r\nmalicious actions. KESB also has self-defense mechanisms that can prevent its removal by attackers.\r\nAbout Kaspersky\r\nKaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat\r\nintelligence and security expertise is constantly transforming into innovative security solutions and services to\r\nprotect businesses, critical infrastructure, governments and consumers around the globe. The company’s\r\ncomprehensive security portfolio includes leading endpoint protection and a number of specialized security\r\nsolutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by\r\nKaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more\r\nat www.kaspersky.com.\r\nSource: https://www.kaspersky.com/about/press-releases/2022_kaspersky-discovers-poorly-detected-backdoor-targeting-governments-and-ngos-around-the-globe",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.kaspersky.com/about/press-releases/2022_kaspersky-discovers-poorly-detected-backdoor-targeting-governments-and-ngos-around-the-globe"
	],
	"report_names": [
		"2022_kaspersky-discovers-poorly-detected-backdoor-targeting-governments-and-ngos-around-the-globe"
	],
	"threat_actors": [
		{
			"id": "2d4d2356-8f9e-464d-afc6-2403ce8cf424",
			"created_at": "2023-01-06T13:46:39.290101Z",
			"updated_at": "2026-04-10T02:00:03.275981Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"狼毒草"
			],
			"source_name": "MISPGALAXY:Gelsemium",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "77874718-7ad2-4d15-9831-10935ab9bcbe",
			"created_at": "2022-10-25T15:50:23.619911Z",
			"updated_at": "2026-04-10T02:00:05.349462Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Gelsemium"
			],
			"source_name": "MITRE:Gelsemium",
			"tools": [
				"Gelsemium",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b5550c4e-943a-45ea-bf67-875b989ee4c4",
			"created_at": "2022-10-25T16:07:23.675771Z",
			"updated_at": "2026-04-10T02:00:04.707782Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Operation NightScout",
				"Operation TooHash"
			],
			"source_name": "ETDA:Gelsemium",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agentemis",
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"Chrommme",
				"Cobalt Strike",
				"CobaltStrike",
				"FireWood",
				"Gelsemine",
				"Gelsenicine",
				"Gelsevirine",
				"JuicyPotato",
				"OwlProxy",
				"Owowa",
				"SAMRID",
				"SessionManager",
				"SinoChopper",
				"SpoolFool",
				"SweetPotato",
				"WolfsBane",
				"cobeacon",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434656,
	"ts_updated_at": 1775791636,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bff30f982f6b62f6c6a8b2738a5f381b34ecbd79.pdf",
		"text": "https://archive.orkl.eu/bff30f982f6b62f6c6a8b2738a5f381b34ecbd79.txt",
		"img": "https://archive.orkl.eu/bff30f982f6b62f6c6a8b2738a5f381b34ecbd79.jpg"
	}
}