EchoBackdoor

EchoBackdoor is a passive ICMP-based backdoor used in 2024 intrusions against telecommunications providers and critical telecom infrastructure in Southeast Asia/Southwest Asia. It is associated with the nation-state-linked cluster CL-STA-0969, which Unit 42 assessed overlaps heavily with the China-linked group Liminal Panda, with additional tooling overlaps noted with Light Basin, UNC3886, UNC2891, and UNC1945. EchoBackdoor listens for encrypted command-and-control instructions in inbound ICMP echo request packets, reconstructs and executes the received commands, and returns execution results in ICMP echo reply packets. Reporting also states that the reply traffic is sent via unencrypted ICMP echo reply packets. By using ICMP and operating passively without requiring conventional outbound connections, it is intended to make detection harder. In the broader campaign, the actor likely gained initial access via SSH brute-force attacks against telecom authentication systems, used Linux privilege-escalation exploits including CVE-2016-5195, CVE-2021-4034, and CVE-2021-3156, and maintained stealth through DNS tunneling, routing traffic through compromised mobile operators, log clearing, process masquerading, timestomping, and disabling SELinux. EchoBackdoor was part of a larger toolkit that included AuthDoor, GTPDoor, ChronosRAT, NoDepDNS, Cordscan, and an SGSN emulator used in telecom environments. The campaign showed deep knowledge of telecom protocols and infrastructure, and although no confirmed data exfiltration was reported in investigated cases, the activity suggested preparation for persistent espionage and possible collection of mobile subscriber or location-related data.