Cybersecurity researchers from Point Wild’s Lat61 Threat Intelligence Team have released new findings on the malware operation known as Backdoor.Win32.Buterat. The program is designed for long-term infection, enabling attackers to breach government and enterprise networks, steal sensitive information, and drop additional malicious tools.
Infection commonly occurs via phishing emails or malicious downloads posing as legitimate software. Once inside the system, the malware hides within legitimate processes and alters registry keys so that it survives reboots.
The backdoor’s operators use advanced process- and thread-manipulation techniques to avoid detection. In particular, they leverage the Windows APIs SetThreadContext and ResumeThread to hijack the execution flow of existing threads, so the malicious activity runs under a legitimate process and is less likely to trigger security alerts.
The backdoor communicates with remote command-and-control (C2) servers using encrypted and obfuscated channels, making detection via normal network monitoring difficult.
During live testing, researchers observed the malware dropping multiple payloads onto infected systems. Files named amhost.exe and bmhost.exe were placed in the Windows user directory, each designed to maintain control and extend attacker capabilities. The operation also attempted to contact a C2 server hosted at ginomp3.mooo.com, which serves as the remote control hub for exfiltration and command execution.
Researchers noted that the Buterat campaign was initially observed targeting government and enterprise networks. In a blog post shared with Hackread.com ahead of publication, the Point Wild team detailed the operation’s techniques and observed its stealthy behavior.
‘Buterat speaks softly, but carries a big stick,’ said Dr. Zulfikar Ramzan, CTO of Point Wild, underscoring that the backdoor hijacks legitimate threads, blends in as a normal process, and quietly phones home.
To defend against Buterat, experts advise implementing endpoint protection, behavioral analytics, and rigorous network monitoring, especially for suspicious domains. They also emphasize employee training and cautious handling of emails and software downloads to reduce exposure to phishing and trojanized software.
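As an added illustration of the host and network monitoring recommended above (example code, not part of Point Wild's report), the script below scans Sysmon-style JSON events for the indicators the report names: the dropped files amhost.exe and bmhost.exe, a DNS lookup of ginomp3.mooo.com, and a registry persistence write. The event schema and the Run-key location are assumptions, and the sample log lines are constructed.

```python
import json
from collections import defaultdict

# Indicators quoted in the Point Wild report: dropped file names and the C2 host.
C2_HOSTS = {"ginomp3.mooo.com"}
DROPPED_FILES = {"amhost.exe", "bmhost.exe"}
# Assumed: the report only says registry keys are altered for reboot survival,
# so a Run key is used here as a representative persistence location.
RUN_KEY_MARKER = "\\currentversion\\run\\"


def classify(event):
    """Map one Sysmon-style event (a dict) to a finding label, or None."""
    kind = event.get("type")
    if kind == "dns":
        if event.get("query", "").lower().rstrip(".") in C2_HOSTS:
            return "c2_dns_lookup"
    elif kind == "file_create":
        name = event.get("path", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in DROPPED_FILES:
            return "dropped_payload"
    elif kind == "registry_set":
        if RUN_KEY_MARKER in event.get("key", "").lower():
            return "run_key_persistence"
    return None


def scan(lines):
    """Parse JSON log lines; return {pid: sorted distinct labels} for hits only."""
    hits = defaultdict(set)
    for line in lines:
        event = json.loads(line)
        label = classify(event)
        if label:
            hits[event["pid"]].add(label)
    return {pid: sorted(labels) for pid, labels in hits.items()}


def high_confidence(findings, min_labels=2):
    """PIDs showing two or more distinct behaviours (drop, persist, beacon)."""
    return sorted(pid for pid, labels in findings.items() if len(labels) >= min_labels)


# Constructed sample telemetry, not real captured logs.
SAMPLE_LOG = [
    r'{"type":"file_create","pid":4120,"path":"C:\\Users\\alice\\amhost.exe"}',
    r'{"type":"file_create","pid":4120,"path":"C:\\Users\\alice\\bmhost.exe"}',
    r'{"type":"registry_set","pid":4120,"key":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\amhost"}',
    r'{"type":"dns","pid":4120,"query":"ginomp3.mooo.com"}',
    r'{"type":"dns","pid":880,"query":"example.com"}',
    r'{"type":"file_create","pid":2204,"path":"C:\\Users\\alice\\report.docx"}',
]
```

Correlating several distinct behaviours under one process ID, rather than alerting on a single file name, keeps the false-positive rate manageable when the indicator list is reused against other telemetry.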