Emergence of YiBackdoor: A New Threat Enabling Arbitrary Command Execution and Data Exfiltration

In June 2025, cybersecurity researchers identified a new malware strain named YiBackdoor, which poses a significant threat to organizations globally. This advanced backdoor malware allows attackers to execute arbitrary commands, capture screenshots, gather sensitive system information, and deploy additional malicious plugins on compromised systems.

Connections to Established Malware Families

YiBackdoor exhibits notable code similarities with known malware such as IcedID and Latrodectus, indicating possible collaboration among threat actor groups or shared development resources. IcedID, initially a banking trojan like Zloader and Qakbot, has evolved into a tool for providing initial access to ransomware operators. YiBackdoor appears to be following a similar path, potentially serving as a gateway for more destructive cyberattacks.

Advanced Evasion Techniques

Analysts from Zscaler discovered YiBackdoor through extensive threat-hunting activities. The malware employs sophisticated anti-analysis techniques to evade detection by security researchers and automated sandbox environments. It includes advanced virtual environment detection methods, identifying hypervisors such as VMware, Xen, KVM, VirtualBox, Microsoft Hyper-V, and Parallels systems.

The limited deployment patterns of YiBackdoor suggest it may still be in development or testing phases. However, its advanced capabilities and connections to established malware families indicate that broader deployment campaigns could emerge as development progresses. The use of local IP addresses in its configuration files further supports the assessment that YiBackdoor remains in active development.

Sophisticated Code Injection and Persistence Mechanisms

YiBackdoor uses a process injection routine that is unusual among commodity malware: rather than injecting into an existing process, it spawns its own copy of the legitimate system binary svchost.exe and uses that fresh process as the host for its code.

During initialization, YiBackdoor checks whether it is already running from injected memory by comparing the address of its own code against the address ranges of the modules loaded in the process. If its code still falls inside a loaded DLL, it has not been injected yet; it then creates a new svchost.exe process, allocates memory in it, and copies its code into that region.

The transfer of execution is what sets the technique apart. YiBackdoor patches the entry of the ntdll function RtlExitUserProcess in the new process with a short assembly stub that jumps to the injected code's entry point. When the freshly spawned svchost.exe goes to terminate, the patched exit path runs the payload instead, so the process termination sequence itself is hijacked to start the backdoor.
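The injection host described above leaves a process-creation footprint that is easy to score. The following is an added example, not YiBackdoor code and not Zscaler's tooling: it runs over constructed Sysmon-style process-creation events (the field names follow Sysmon Event ID 1; the paths and PIDs are invented) and flags an svchost.exe that was not started by services.exe or that carries no `-k <service group>` argument, which is what a genuine service host always has.

```python
"""Hunting the svchost.exe injection host described above.

Added example, not YiBackdoor code and not Zscaler tooling. It scores
constructed Sysmon-style process-creation events against what a genuine
svchost.exe looks like: started by services.exe, from %SystemRoot%\\System32,
with a '-k <service group>' argument. A copy spawned by a user-level binary
with no '-k' is the kind of hollow host the text describes and is worth
pulling for memory inspection.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SYSTEM32 = r"c:\windows\system32"


@dataclass(frozen=True)
class Finding:
    pid: int
    parent: str
    reasons: Tuple[str, ...]


def check_svchost_event(ev: Dict[str, object]) -> List[str]:
    """Return the anomalies for one event; an empty list means it looks legitimate."""
    reasons: List[str] = []
    image = str(ev.get("Image", "")).lower()
    if not image.endswith("\\svchost.exe"):
        return reasons  # only svchost.exe launches are scored here
    if not image.startswith(SYSTEM32 + "\\"):
        reasons.append("svchost.exe image outside System32")
    parent = str(ev.get("ParentImage", "")).lower()
    if parent != SYSTEM32 + "\\services.exe":
        reasons.append(f"parent is {parent or '<unknown>'}, not services.exe")
    args = str(ev.get("CommandLine", "")).split()
    if "-k" not in args:
        reasons.append("no '-k <service group>' argument")
    return reasons


def hunt(events: List[Dict[str, object]]) -> List[Finding]:
    """Run the check over a batch of events and keep only the anomalous ones."""
    findings: List[Finding] = []
    for ev in events:
        reasons = check_svchost_event(ev)
        if reasons:
            findings.append(
                Finding(int(ev["ProcessId"]), str(ev.get("ParentImage", "")), tuple(reasons))
            )
    return findings


# Constructed sample events; paths and PIDs are invented for this example.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"ProcessId": 1204, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"ProcessId": 5123, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\invoice.exe"},
    {"ProcessId": 5130, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"PID {f.pid} (parent {f.parent}): " + "; ".join(f.reasons))
```

The parent and argument checks are heuristics for triage, not a verdict: a hit should be followed by a memory scan of the flagged svchost.exe for executable private memory that is not backed by a module on disk, which is the same property the malware itself tests from the other side when it decides whether it has already been injected.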

The malware also includes a timing-based hypervisor check. CPUID causes a VM exit under every mainstream hypervisor, so the number of cycles it takes, measured with RDTSC before and after, is far larger inside a VM than on bare metal. The following code shows the routine:

```cpp
#include <cstdint>
#include <intrin.h>   // __rdtsc, __cpuid
#include <windows.h>  // SwitchToThread

// Timing-based hypervisor check as used by YiBackdoor.
// SwitchToThread() before each measurement lowers the chance that a
// context switch lands inside the timed window and inflates the delta.
[[nodiscard]] bool isHyperVisor()
{
    uint64_t timer1 = 0;  // accumulated cycles spent in CPUID
    uint64_t timer2 = 0;  // accumulated cycles between two back-to-back RDTSCs
    int loop_counter = 16;
    int cpuInfo[4] = { 0 };
    while (loop_counter)
    {
        SwitchToThread();
        uint64_t first_rdtsc_timer_value = __rdtsc();
        __cpuid(cpuInfo, 1);
        timer1 += __rdtsc() - first_rdtsc_timer_value;
        SwitchToThread();
        uint64_t second_rdtsc = __rdtsc();
        uint64_t third_rdtsc = __rdtsc();
        timer2 += (third_rdtsc - second_rdtsc);
        loop_counter--;
    }
    // Decision as shown in the original: only the CPUID total is compared
    // against a fixed threshold; timer2 is collected but not used here.
    return (timer1 > 20);
}
```

For persistence, YiBackdoor copies itself to a directory with a randomly generated name and adds an autostart registry entry that runs regsvr32.exe against the copied DLL, so that Windows loads it again at each startup. The registry key names are produced with the linear congruential generator used by Microsoft's C runtime rand(), so there is no fixed key name to signature on; detection has to key on what does not change, a regsvr32.exe autostart that loads a DLL from a user-writable directory, rather than on the name of the entry.
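The persistence mechanism just described is better hunted by its shape than by its names. The following added example, which is neither YiBackdoor's code nor Zscaler's tooling, reproduces the Microsoft C runtime rand() generator so the reader can see why the key names are unpredictable, and then flags autostart entries on the regsvr32.exe invocation alone. The mapping from generator output to a key or directory name (`random_name`) is an assumption made only to build realistic test data; the page does not document how the malware derives its names, and the sample Run-key entries are constructed.

```python
"""Hunting the regsvr32.exe autostart entry described above.

Added example, not YiBackdoor code and not Zscaler tooling. MsvcRand
reproduces the linear congruential generator behind Microsoft's C runtime
rand(): state = state * 214013 + 2531011 (mod 2^32), output = (state >> 16)
& 0x7FFF. How YiBackdoor turns those outputs into a key or directory name is
not documented on this page, so random_name() is an assumed mapping used only
to build realistic test data. flag_run_entries() ignores the value name
entirely and keys on what survives the randomisation: regsvr32 being asked to
load a DLL from outside the Windows and Program Files trees.
"""
import re
from typing import List, Tuple


class MsvcRand:
    """MSVC CRT rand(): srand(1) yields 41, 18467, 6334, ... on every build."""

    def __init__(self, seed: int) -> None:
        self.state = seed & 0xFFFFFFFF

    def rand(self) -> int:
        self.state = (self.state * 214013 + 2531011) & 0xFFFFFFFF
        return (self.state >> 16) & 0x7FFF


def msvc_sequence(seed: int, n: int) -> List[int]:
    """First n outputs of the generator for a given seed."""
    rng = MsvcRand(seed)
    return [rng.rand() for _ in range(n)]


def random_name(seed: int, length: int = 8) -> str:
    """Assumed mapping: one rand() call per character, lower-case letters only."""
    rng = MsvcRand(seed)
    return "".join(chr(ord("a") + rng.rand() % 26) for _ in range(length))


# Directories from which a regsvr32 autostart is ordinarily expected.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# regsvr32[.exe], optional switches such as /s or /n, then the DLL path (quoted or bare).
REGSVR32_RE = re.compile(
    r'(?:^|[\\\s"])regsvr32(?:\.exe)?"?\s+(?:/\S+\s+)*(?:"([^"]+\.dll)"|(\S+\.dll))',
    re.IGNORECASE,
)


def flag_run_entries(entries: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (value name, dll path) for each entry that loads a DLL via regsvr32
    from outside TRUSTED_DIRS. The value name is reported but never matched on."""
    flagged: List[Tuple[str, str]] = []
    for name, data in entries:
        m = REGSVR32_RE.search(data)
        if not m:
            continue
        dll = (m.group(1) or m.group(2)).lower()
        if not dll.startswith(TRUSTED_DIRS):
            flagged.append((name, dll))
    return flagged


# Constructed Run-key entries (value name, value data). The malicious one uses a
# generated name and directory so that no fixed string identifies it.
_dir = random_name(0x5EED + 1)
SAMPLE_RUN_ENTRIES: List[Tuple[str, str]] = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("VendorCOM", r'C:\Windows\System32\regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'),
    (random_name(0x5EED),
     'regsvr32.exe /s "C:\\Users\\alice\\AppData\\Roaming\\' + _dir + '\\loader.dll"'),
]

if __name__ == "__main__":
    print("rand() with seed 1:", msvc_sequence(1, 3))
    for name, dll in flag_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"suspicious autostart {name!r} -> {dll}")
```

Legitimate installers do occasionally register COM DLLs from a user profile, so treat a hit as a lead to examine the DLL and its directory rather than as a verdict; the point of the rule is that it keeps working when the key name, directory name and file hash all change between samples.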

Implications and Recommendations

The emergence of YiBackdoor underscores the continued professionalization of initial-access tooling. Beyond the usual baseline of timely patching, centralized logging and user awareness, the behaviours described above give defenders concrete things to look for: svchost.exe instances whose parent is not services.exe or that carry no service-group argument, autostart registry entries that invoke regsvr32.exe against a DLL outside the Windows and Program Files directories, and executable memory in svchost.exe that is not backed by a module on disk. Endpoint detection and response tooling that surfaces process ancestry, registry autostart changes and in-memory code can catch these behaviours even when file hashes and key names change from sample to sample.