IDFKA Backdoor: The Hidden Threat of Rust Implants in Modern APT Campaigns
In the spring of 2025, we investigated an incident in which attackers exploited a PostgreSQL vulnerability to achieve remote code execution and deploy TinyShell. The adversaries demonstrated exceptional tradecraft: nearly all traces were wiped, malicious processes masqueraded as legitimate ones (e.g., “postgres: reader process”), and the implant existed solely in memory. SIEM analysis revealed C2 servers with domains spoofing the victim’s infrastructure and its ISP, including an address belonging to a third-party contractor. Further investigation within the contractor’s environment uncovered a custom Rust-based implant that the threat group had operated for over a year while remaining undetected. Subsequent analysis confirmed that other major organizations had also been compromised by this sophisticated APT campaign.
The identified implant supports a broad range of operational modes: from passive and active TCP to ICMP, implemented via raw sockets or the libpcap library with ICMP packet filtering. It also features so-called “magic” modes — spootftcp, magictcp, active and passive knock (port knocking), as well as a mode called future. The implant can conceal its own process and persist its last received configuration.
In this talk, we will:
- Dive deep into its operational modes, protocol implementation details, network infrastructure, and the full capabilities of the embedded backdoor.
- Share our experience — and the pain — of reverse engineering Rust malware, a language that, in the hands of attackers, turns into a true nightmare for analysts.
- Attempt to answer one lingering question: is its name somehow tied to the legendary DOOM?
This implant is unlike anything previously observed in the wild and undoubtedly deserves the attention of the community.

Vladimir Stepanov – Rostelecom-Solar
Vladimir Stepanov began his career as a malware analyst in 2021.
Since 2024, he has been working at the Solar 4RAYS Cyber Threat Research Center, specializing in reverse engineering APT malware and public reporting. Vladimir has spoken at multiple private and public events, including the OffZone Cybersecurity Conference. His threat research articles are regularly published on the Solar 4RAYS blog.

Anna Mazurkevich – Rostelecom-Solar
Anna Mazurkevich is an Incident Response Engineer at the Solar 4RAYS Cyber Threat Research Center. Having moved from a Linux system administrator position more than 2 years ago, she brings a versatile perspective on large IT systems and on communication between a customer and a cybersecurity provider. She participates in large-scale cybersecurity incidents as a DFIR engineer and contributes to public Solar 4RAYS research.
