
A previously unspotted backdoor in Windows spotted

26 August 2024


Things getting spotty

Symantec reports that a university in Taiwan has been compromised with "a previously unseen Windows backdoor," which Symantec tracks as Msupedge.

Msupedge's most notable feature is that it talks to its command-and-control (C&C) server over DNS rather than over HTTP or HTTPS. Its DNS tunnelling code is based on the publicly available dnscat2 tool, which carries data and commands inside ordinary DNS queries and responses.

Msupedge receives commands via DNS traffic and uses the IP address that its C&C hostname (ctl.msedeapi[.]net) resolves to as the command itself. The third octet of the resolved address acts as a switch case: the backdoor subtracts seven from that octet and branches on the result, so the operator selects a behaviour simply by changing the A record the hostname returns.

The initial intrusion likely exploited a recently patched PHP vulnerability, CVE-2024-4577, a CGI argument injection flaw affecting PHP running in CGI mode on Windows; every supported PHP branch was affected until fixes shipped in June 2024. Successful exploitation allows remote code execution on the web server, which is all an attacker needs to drop a backdoor such as Msupedge.
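To show what an exploitation attempt against this flaw looks like in web-server logs, here is an added detection example; it is not code from the original article or from Symantec. It relies on one fact from the public advisory for CVE-2024-4577 that the article does not spell out: the injection works by placing a raw 0xAD byte (a soft hyphen in single-byte code pages) in the query string, which Windows "best-fit" character conversion turns into an ASCII hyphen, so `%ADd` reaches php-cgi as the `-d` option. The log format, the IP addresses and the request lines below are constructed for the example.

```python
import re
from typing import List
from urllib.parse import unquote_to_bytes

# Constructed access-log lines in a combined-log-like format. The addresses,
# paths and timestamps are assumptions for this example, not incident data.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [10/Jul/2024:08:14:22 +0800] "GET /index.php HTTP/1.1" 200 512
203.0.113.5 - - [10/Jul/2024:08:14:23 +0800] "POST /php-cgi/php-cgi.exe?%ADd+display_errors%3d1 HTTP/1.1" 200 77
198.51.100.9 - - [10/Jul/2024:08:15:01 +0800] "GET /page.php?id=5%2D7 HTTP/1.1" 200 3012
198.51.100.9 - - [10/Jul/2024:08:15:02 +0800] "GET /page.php?word=co%C2%ADoperate HTTP/1.1" 200 3012
"""

# Source address, method and request target from one combined-log line.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"'
)

# A raw 0xAD byte immediately followed by an ASCII letter. Best-fit conversion
# on Windows maps 0xAD to '-', which is how a query string becomes a php-cgi
# option such as -d. The UTF-8 encoding of U+00AD is C2 AD, so a 0xAD that is
# preceded by 0xC2 is a legitimately encoded soft hyphen and is not flagged.
SOFT_HYPHEN_OPTION_RE = re.compile(rb"(?<!\xc2)\xad[A-Za-z]")


def query_bytes(target: str) -> bytes:
    """Percent-decode the query part of a request target to raw bytes."""
    if "?" not in target:
        return b""
    return unquote_to_bytes(target.split("?", 1)[1])


def is_cgi_argument_injection(target: str) -> bool:
    """True when the decoded query string carries the 0xAD-plus-letter pattern."""
    return SOFT_HYPHEN_OPTION_RE.search(query_bytes(target)) is not None


def find_cgi_argument_injection(log_text: str) -> List[dict]:
    """Return one finding per log line whose request target matches the pattern."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        if is_cgi_argument_injection(m.group("target")):
            findings.append({"src": m.group("src"), "target": m.group("target"), "line": line})
    return findings


if __name__ == "__main__":
    for hit in find_cgi_argument_injection(SAMPLE_ACCESS_LOG):
        print(f"{hit['src']:<16} {hit['target']}")
```

Percent-decoding to bytes rather than to a string matters here: decoding to `str` would either fail on the lone 0xAD or silently replace it, and the signature would be lost. A hit on a host running php-cgi on Windows is worth treating as a probable compromise, not merely a scan.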

Symantec says it has observed multiple threat actors scanning for systems vulnerable to this flaw in recent weeks. It has found no evidence that lets the Msupedge attack be attributed to a known group, and the motive behind the intrusion remains unknown.

DNS tunnelling is harder to detect than HTTP or HTTPS command-and-control traffic: outbound DNS is permitted almost everywhere, is rarely inspected beyond the resolver, and a backdoor that periodically looks up one A record looks like any other name resolution. The practical counter is to log resolver queries and answers centrally and alert on hosts that repeatedly resolve uncommon domains, or on names whose answers keep changing between lookups.
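To make both the command-dispatch mechanism described above and the resolver-log detection concrete, here is an added example; it is not code from the original article or from Symantec. It parses constructed resolver log lines, picks out A-record answers for the C&C hostname (written undefanged so it can be matched) and derives the switch value the backdoor would compute, namely the third octet minus seven. The log format, the sample addresses and the resolved IPs are assumptions; what each switch value makes the backdoor do is not stated on this page, so the script reports the value only.

```python
import ipaddress
import re
from typing import List, Optional

# C&C hostname taken from the report above, written undefanged for matching.
C2_DOMAIN = "ctl.msedeapi.net"
# The report states that the backdoor subtracts seven from the third octet.
SWITCH_OFFSET = 7

# Constructed resolver log lines in a dnsmasq-style "reply <name> is <ip>"
# format. The format and every address here are assumptions for this
# example, not data from the incident.
SAMPLE_LOG = """\
Aug 26 10:01:02 resolver dnsmasq[1234]: query[A] www.example.edu from 10.0.5.21
Aug 26 10:01:02 resolver dnsmasq[1234]: reply www.example.edu is 93.184.216.34
Aug 26 10:01:09 resolver dnsmasq[1234]: query[A] ctl.msedeapi.net from 10.0.5.21
Aug 26 10:01:09 resolver dnsmasq[1234]: reply ctl.msedeapi.net is 10.20.7.1
Aug 26 10:01:41 resolver dnsmasq[1234]: reply ctl.msedeapi.net is 10.20.9.1
Aug 26 10:02:15 resolver dnsmasq[1234]: reply ctl.msedeapi.net is 10.20.3.1
"""

REPLY_RE = re.compile(r"reply (?P<name>\S+) is (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$")


def switch_value(ip: str) -> Optional[int]:
    """Derive the switch case Msupedge would take from a resolved IPv4 address.

    Returns third_octet - 7, or None when the address is malformed or the
    third octet is below 7. A negative result would match no case, so it is
    reported as "no command" rather than as an out-of-range index.
    """
    try:
        octets = ipaddress.IPv4Address(ip).packed
    except ipaddress.AddressValueError:
        return None
    value = octets[2] - SWITCH_OFFSET
    return value if value >= 0 else None


def scan_resolver_log(text: str, c2_domain: str = C2_DOMAIN) -> List[dict]:
    """Return one finding per A-record reply for the C&C hostname.

    Each finding carries the raw line, the resolved IP and the switch value
    the backdoor would derive from it. Query lines are ignored: only the
    answer decides what the implant does next.
    """
    findings = []
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if not m or m.group("name").lower() != c2_domain.lower():
            continue
        ip = m.group("ip")
        findings.append({"line": line, "ip": ip, "switch": switch_value(ip)})
    return findings


if __name__ == "__main__":
    for f in scan_resolver_log(SAMPLE_LOG):
        print(f"{f['ip']:<16} switch={f['switch']}  {f['line']}")
```

The same scan applied across a whole estate shows which hosts resolved the name and in what sequence the answers changed, which is also the order in which the operator tasked the implant; that timeline is usually the first thing an incident responder wants from DNS-based C&C.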

In June, researchers reported a campaign by a suspected Chinese state-sponsored group tracked as RedJuliett, targeting dozens of organisations in Taiwan, including universities, government agencies, electronics manufacturers and religious organisations.

The researchers said that, like many other Chinese threat actors, the group likely exploited vulnerabilities in internet-facing devices such as firewalls and enterprise VPN appliances for initial access, because such devices typically offer defenders little visibility and rarely run endpoint security tooling.

Last modified on 26 August 2024