The Silent Listener: New DRBControl Backdoor Variant Uses Network Sniffing to Evade Detection
The Japanese company Internet Initiative Japan (IIJ) has reported observing a new variant of the malware known as Type 1 Backdoor, which is attributed to the cyber-espionage group DRBControl. Analysis indicates that the attacks employ a sophisticated, multi-stage loading chain, while the backdoor itself has undergone several notable changes compared with previously documented samples.
DRBControl is an APT group first brought to light in 2020. At the time, researchers described it as the operator of a cyber-espionage campaign targeting, among others, the gambling sector, and suggested possible links to APT41 and APT27. IIJ's latest findings indicate that the group's activity may have continued in the years that followed.
During the investigation, analysts focused on a suspicious DLL uploaded to VirusTotal from Taiwan under the name wlbsctrl.dll. The file masqueraded as a legitimate Windows library and was likely executed via DLL side-loading, in which a trusted, signed executable loads a same-named malicious DLL placed beside it instead of the genuine library from System32. When its exported function was invoked, the DLL read data from ntuser.ini, injected it into the winlogon.exe process, and executed it in that context. The injected data was shellcode that researchers believe to be a variant of the Mofu Loader.
Once executed, the shellcode dynamically resolved the addresses of key Windows APIs, decrypted embedded data, unpacked it, and passed control to the next stage—a Type 1 Backdoor DLL with a deliberately corrupted PE header. This technique, along with similarities in encryption algorithms and API usage, allowed IIJ to link the discovered loader with high confidence to the Mofu Loader family, which has previously been used to deliver other RATs and has appeared in campaigns conducted by multiple APT groups.
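The loading chain above leaves two file-system artifacts a responder can look for: a copy of wlbsctrl.dll outside System32 sitting next to a signed host executable, and an ntuser.ini that carries a binary payload rather than the small text file Windows normally keeps in a profile root. The following PowerShell triage script is an added example, not code from IIJ or from the article; the search roots, the 4 KB size threshold and the signature and non-text-byte heuristics are assumptions chosen for illustration, not indicators published in the report.

```powershell
# Added triage script (not from IIJ or the article). Run elevated on the host
# under investigation. Search roots, size threshold and heuristics are
# hypothetical starting points, not published IOCs.

# 1. Copies of wlbsctrl.dll outside System32. The legitimate library lives in
#    System32 and is Microsoft-signed; a side-loaded copy sits beside the
#    signed executable that loads it.
$roots = @("$env:SystemDrive\Users", $env:ProgramData, "$env:SystemRoot\Temp")
$dlls = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Filter 'wlbsctrl.dll' -File -Recurse -Force -ErrorAction SilentlyContinue
}
$dllReport = foreach ($dll in $dlls) {
    $sig = Get-AuthenticodeSignature -FilePath $dll.FullName
    # Signed EXEs in the same directory are the candidate side-load hosts.
    $hosts = Get-ChildItem -Path $dll.DirectoryName -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        Where-Object { (Get-AuthenticodeSignature $_.FullName).Status -eq 'Valid' } |
        Select-Object -ExpandProperty Name
    [pscustomobject]@{
        Path       = $dll.FullName
        Size       = $dll.Length
        SigStatus  = $sig.Status
        Signer     = $sig.SignerCertificate.Subject
        SignedHost = ($hosts -join ', ')
    }
}
$dllReport | Format-Table -AutoSize

# 2. The loader reads its payload from ntuser.ini. A normal ntuser.ini is a
#    tiny plain-text file directly in the profile root, so flag copies that
#    are large (hypothetical 4 KB threshold), contain non-text bytes, or
#    live somewhere other than C:\Users\<name>\.
$iniHits = Get-ChildItem -Path "$env:SystemDrive\Users" -Filter 'ntuser.ini' -File -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        $file = $_
        $inProfileRoot = $file.Directory.Parent.FullName -eq "$env:SystemDrive\Users"
        # Inspect only the first 64 bytes; anything outside printable ASCII,
        # tab, CR or LF suggests an encrypted or binary blob.
        $head = [System.IO.File]::ReadAllBytes($file.FullName) | Select-Object -First 64
        $nonText = @($head | Where-Object { $_ -lt 9 -or ($_ -gt 13 -and $_ -lt 32) -or $_ -gt 126 })
        (-not $inProfileRoot) -or ($file.Length -gt 4096) -or ($nonText.Count -gt 0)
    }
$iniHits | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
```

A hit in the first list is not proof on its own: some third-party installers do ship their own wlbsctrl.dll, so check the signer and whether the neighbouring signed executable is one that actually imports that library. A hit in the second list is much stronger, because there is no legitimate reason for ntuser.ini to hold binary data.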
Type 1 Backdoor itself proved to be a mature remote access trojan written in C++. Compared with earlier versions, it introduces new persistence mechanisms: rather than modifying registry autorun keys, the malware copies a shortcut into each user's startup folder, ensuring execution at logon. Researchers also identified an unusual method for retrieving configuration data: the backdoor can sniff traffic in promiscuous mode, watch for specially crafted packets, and extract C2 server addresses and communication parameters from them. Because the configuration never has to be stored in the file, static extraction yields no C2 indicators, and the real C2 only becomes known when the triggering packet is observed on the wire.
The codebase also contains remnants intended to fetch configuration via legitimate Microsoft online services, although this functionality was no longer active at the time of the study. Similar techniques have previously been observed in malware linked to APT41 and in the ShadowPad family.
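Both behaviours described above, a shortcut dropped into every user's Startup folder and a network adapter switched into promiscuous mode, are directly observable on an endpoint. The PowerShell check below is an added example, not code from IIJ or the article; the list of user-writable locations used to rank shortcuts and the assumption that no adapter on an ordinary workstation should be in promiscuous mode are hypothetical heuristics.

```powershell
# Added hunting script (not from IIJ or the article). Run elevated so every
# profile's Startup folder is readable. The "user-writable" list is a
# hypothetical heuristic for ranking results, not a published indicator.

$shell = New-Object -ComObject WScript.Shell

# Startup folders: the all-users one plus one per local profile (the report
# says the backdoor copies a shortcut into each user's Startup folder).
$startupDirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp")
$startupDirs += Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }

# A launcher whose target resolves into a user-writable tree, or that hands a
# DLL to its target on the command line (rundll32-style), deserves a look first.
$userWritable = @("$env:SystemDrive\Users\", "$env:ProgramData\", "$env:SystemRoot\Temp\")

$findings = foreach ($dir in $startupDirs) {
    if (-not (Test-Path -Path $dir)) { continue }
    foreach ($lnk in Get-ChildItem -Path $dir -Filter '*.lnk' -File -ErrorAction SilentlyContinue) {
        $sc     = $shell.CreateShortcut($lnk.FullName)
        $target = $sc.TargetPath
        $inUserWritable = @($userWritable | Where-Object { $target -like "$_*" }).Count -gt 0
        $loadsDll       = $sc.Arguments -match '\.dll'
        $sigStatus = if ($target -and (Test-Path -Path $target)) {
            (Get-AuthenticodeSignature -FilePath $target).Status
        } else { 'missing' }
        [pscustomobject]@{
            Shortcut   = $lnk.FullName
            Target     = $target
            Arguments  = $sc.Arguments
            TargetSig  = $sigStatus
            Suspicious = ($inUserWritable -or $loadsDll)
        }
    }
}
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# Adapters currently in promiscuous mode. Ordinary workstations have no reason
# to capture all traffic; a hit here is worth correlating with the process
# that opened the capture (e.g. via Npcap or a raw socket).
Get-NetAdapter | Where-Object { $_.PromiscuousMode } |
    Select-Object Name, InterfaceDescription, PromiscuousMode, Status
```

Shortcut targets are resolved through the WScript.Shell COM object so the .lnk format itself does not have to be parsed. Note that promiscuous mode is a point-in-time state: a backdoor that only opens the capture while waiting for its configuration packet may not be caught by a single run, so this check belongs in a scheduled collection or a network-side capture rather than a one-off sweep.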
Structural analysis revealed a modular design: some functions were removed, while others were added, including remote desktop capabilities and network tunneling. The logic governing keylogging and clipboard monitoring was also revised—captured data is now stored under the guise of system files and encoded using a custom algorithm.
IIJ emphasizes that the differences between versions of Type 1 Backdoor do not resemble routine updates, but instead suggest a flexible architecture that allows the malware to be tailored to specific objectives. Given indications that DRBControl may have conducted operations over several years, experts urge organizations to maintain heightened vigilance and incorporate newly identified indicators of compromise into their defensive strategies.