{
	"id": "75e0b4dd-e756-4689-afad-5633a9a67d16",
	"created_at": "2026-04-06T00:18:05.075562Z",
	"updated_at": "2026-04-10T03:20:20.011998Z",
	"deleted_at": null,
	"sha1_hash": "d50ee03394c4a63e3f3a18dd3eae63705a890b13",
	"title": "The p0sT5n1F3r Backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 90648,
	"plain_text": "The p0sT5n1F3r Backdoor\r\nBy Mario Ciccarelli\r\nPublished: 2019-10-16 · Archived: 2026-04-05 17:08:12 UTC\r\nBy Mario Ciccarelli in malware analysis — 16 Oct 2019\r\nP0sT5n1F3r, a stealthy Apache backdoor built to sniff HTTPS traffic. Undetected by anti-malware platforms, the\r\nmodule used RC4 encryption to hide its activities. Reverse engineering revealed the key, exposing a targeted\r\npayload designed to steal credit card data.\r\nHow does a malicious backdoor designed to sniff sensitive HTTPS traffic go completely undetected?\r\nDuring an IR case, we found and dissected a highly targeted malware sample, a custom Apache module we\r\ncall p0sT5n1F3r . \r\nThis threat was specifically engineered for its target's environment and was rated 100% clean by all major security\r\nvendors due to its extensive use of custom encryption.\r\nThis report details the reverse engineering journey, from the initial static analysis to the critical breakthrough:\r\ncracking its custom RC4 encryption scheme. This discovery allowed us to unveil its true purpose—intercepting\r\nfinancial transaction data—and even uncover a hidden HTML interface used by the attackers.\r\nRead the full technical deep dive to learn how this threat was unmasked.\r\nSource: https://blog.kartone.ninja/the-p0st5n1f3r-backdoor/\r\nhttps://blog.kartone.ninja/the-p0st5n1f3r-backdoor/\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.kartone.ninja/the-p0st5n1f3r-backdoor/"
	],
	"report_names": [
		"the-p0st5n1f3r-backdoor"
	],
	"threat_actors": [],
	"ts_created_at": 1775434685,
	"ts_updated_at": 1775791220,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d50ee03394c4a63e3f3a18dd3eae63705a890b13.pdf",
		"text": "https://archive.orkl.eu/d50ee03394c4a63e3f3a18dd3eae63705a890b13.txt",
		"img": "https://archive.orkl.eu/d50ee03394c4a63e3f3a18dd3eae63705a890b13.jpg"
	}
}