DOORME
DOORME is a malicious native IIS (Internet Information Services) backdoor module deployed to internet-facing web servers running IIS to provide covert remote access. Elastic Security Labs reported it as part of the REF2924 intrusion set and observed it in environments that also contained SIESTAGRAPH, NAPLISTENER, SOMNIRECORD, SHADOWPAD, and COBALTSTRIKE. Elastic previously observed DOORME targeting the Foreign Ministry of an ASEAN member nation in December 2022, and also identified an identically configured DOORME backdoor on an internet-connected Exchange server at a telecommunications provider in Afghanistan.
DOORME is implemented as a malicious C++ DLL that uses the RegisterModule export to load into IIS and register event handlers. It overrides the IIS OnGlobalPreBeginRequest event handler to inspect and process inbound web requests before they enter the IIS pipeline. The malware uses XOR string obfuscation, anti-disassembly techniques, control-flow obfuscation, and dynamic API resolution to hinder analysis.
For operator authentication, DOORME checks for the string "79cfdd0e92b120faadd7eb253eb800d0" in a specific HTTP cookie. When it receives an authenticated HTTP GET request, it responds with "It works!" along with the username and hostname of the infected machine. For tasking, it accepts doubly encoded POST data in which commands are AES-encrypted and then Base64-encoded using a custom Base64 alphabet. It uses AES-CBC encryption with a key derived from the MD5 hash of the first 16 bytes of its authentication hash.
Observed command handlers include command 0x42, which generates a GUID via CoCreateGuid to identify the infected machine; command 0x43, which allocates memory with NtAllocateVirtualMemory and executes shellcode in-process with NtCreateThreadEx; command 0x63, which receives shellcode in chunks, reassembles it, and executes it; and command 0x44, which communicates with executing shellcode through a named pipe to send input and retrieve output.
Elastic associated REF2924-related campaigns with Winnti and ChamelGang based on shared malware, file names, techniques, victimology, and strategic targeting priorities, and assessed with moderate confidence that REF2924 is a regionally aligned, non-monetary threat group. Separately, Elastic later described a victim environment containing DOORME and assessed related REF2924 and REF5961 activity as state-sponsored espionage and China-nexus.
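DOORME persists as a native global module that IIS loads through its RegisterModule export, which means it must be registered in the server's applicationHost.config under globalModules. The following audit script is an added defender-side example, not code from Elastic or the Mallory platform; it parses a constructed config fragment (the rogue "HttpCacheModule" entry and its path are made up for illustration) and flags native global modules whose image path lies outside the stock inetsrv directory, which is a cheap first pass before reviewing signatures and file hashes.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the <globalModules> section of applicationHost.config.
# The third entry is invented to stand in for an unexpected native module.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="DefaultDocumentModule" image="%windir%\\System32\\inetsrv\\defdoc.dll" />
      <add name="HttpCacheModule" image="C:\\inetpub\\wwwroot\\bin\\cache.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""

# Directory where Microsoft's own native IIS modules normally live.
TRUSTED_DIR = "%windir%\\system32\\inetsrv\\"


def list_global_modules(config_xml):
    """Return (name, image path) for every native global module registration."""
    root = ET.fromstring(config_xml)
    modules = []
    for section in root.iter("globalModules"):
        for entry in section.findall("add"):
            modules.append((entry.get("name", ""), entry.get("image", "")))
    return modules


def suspicious_modules(config_xml, trusted_dir=TRUSTED_DIR):
    """Flag modules whose DLL is loaded from outside the stock inetsrv folder.

    A backdoor dropped into inetsrv itself would pass this check, so the
    result is a triage list, not a verdict: review the DLL's signature,
    hash and creation time for anything unfamiliar, including hits here.
    """
    prefix = trusted_dir.lower()
    return [(name, image) for name, image in list_global_modules(config_xml)
            if not image.lower().startswith(prefix)]


def audit_file(path):
    """Audit a real applicationHost.config on disk (hypothetical helper)."""
    with open(path, encoding="utf-8") as handle:
        return suspicious_modules(handle.read())


if __name__ == "__main__":
    for name, image in suspicious_modules(SAMPLE_CONFIG):
        print(f"review native module {name!r} loaded from {image}")
```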
Groups observed using it
2 distinct threat actors attributed by public researchers.
DOORME is an IIS (Internet Information Services) backdoor module, which is deployed to web servers running the IIS software.
Techniques & procedures
8 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution (1 technique)
This functionality is achieved by utilizing the Windows native functions NtAllocateVirtualMemory and NtCreateThreadEx... The sample will allocate an RWX-protected memory region using the VirtualAlloc Windows API, then write the shellcode to the memory region and pass execution to it.
Persistence (1 technique)
DOORME is a native backdoor module that is loaded into a victim's IIS infrastructure and used to provide remote access to the target infrastructure... The main functionality of the backdoor is implemented in the CGlobalModule class and its event handler, OnGlobalPreBeginRequest. This event handler is overridden by DOORME, allowing it to be loaded before a web request enters the IIS pipeline.
Privilege Escalation (1 technique)
Another command, ID 0x43, is particularly noteworthy as it allows the attacker to execute shellcode in the memory of the same process... using NtAllocateVirtualMemory and NtCreateThreadEx... Once log.dll is loaded, it will spawn Microsoft Windows Media Player (wmplayer.exe) and dllhost.exe, injecting into them.
Stealth (4 techniques)
DOORME XOR-encrypts strings to evade detection... The malware employs a technique that can cause disassemblers to incorrectly split functions... The malware in question also employs a technique known as Control Flow Obfuscation... Dynamic import table resolution... log.dll incorporates a code-scattering obfuscation technique to frustrate static analysis.
DOORME first resolves the address of LoadLibraryA and GetProcAddress Windows API by parsing the kernel32.dll module export table... The sample uses the common Ldr crawling technique to find the address of kernel32.dll... It uses GetProcAddress to resolve imports as needed.
Command and Control (2 techniques)
The malicious IIS module backdoor operates by looking for the string ... in a specific cookie of the incoming HTTP requests... GET requests are used to perform a status check... The backdoor operator sends commands to the malware through HTTP POST requests as data which is doubly encrypted.
Recent activity
Referenced as another malware example observed using control-flow flattening obfuscation.
A named implant/tool previously observed in the REF2924 intrusion set.
A malicious native IIS backdoor module loaded into victim web servers to provide remote access. It authenticates via crafted HTTP requests, decrypts attacker commands, can identify infected hosts, receive shellcode in chunks, execute shellcode in memory, and interact with executed payloads via named pipes.