According to a report released by Kaspersky in mid-July 2025, a sophisticated malware campaign called GhostContainer has been quietly targeting Microsoft Exchange servers at government agencies and tech businesses in Asia. The campaign takes advantage of known vulnerabilities on unpatched Exchange servers to install backdoors, retaining control of the system for long periods without being detected.
GhostContainer was observed exploiting CVE-2020-0688, a deserialization vulnerability in the Exchange Control Panel. The vulnerability has long been public; however, many systems remain unpatched, which makes it an ideal target for APT groups. Through this vulnerability the attacker implants a malicious file named App_Web_Container_1.dll on the server and begins executing a pre-programmed attack sequence.
GhostContainer’s architecture consists of three layers, each taking a distinct role in maintaining access, hiding activity, and creating hidden communication channels:
- The first component in GhostContainer’s architecture is the Stub, the loader responsible for starting the entire attack chain. Once executed, the Stub checks the system environment to determine whether conditions are right to load the subsequent components undetected. It serves as a central coordinator, ensuring the malicious code runs reliably and at the right time, and that it can evade behavioral or sandbox-based detection measures.
- The second component, named App_Web_843e75cf5b63, is designed specifically to perform virtual page injection. The goal of this class is to create ghost pages in memory that do not exist on the physical file system, allowing the malicious code to evade operating system and security software surveillance. This approach lets GhostContainer persist without visible traces, a common tactic in APT campaigns that need to maintain long-term access.
- The final component, App_Web_8c9b251fb5b3, acts as a web proxy with a built-in TCP tunneling engine and was developed from the open-source Neo-reGeorg variant. It allows GhostContainer to set up fully camouflaged communication channels, using customizable HTTP headers such as Qprtfva and Dzvvlnwkccf to transmit control commands. This lets the attacker interact with the compromised server without a fixed C2 infrastructure, making the malicious traffic look no different from valid web sessions, a highly effective trick for fooling network detection systems.
Once deployed, GhostContainer disables system protection mechanisms such as the Antimalware Scan Interface and Windows event logging by overwriting functions in the amsi.dll and ntdll.dll libraries. The malicious code also extracts the ASP.NET validation key from the Exchange server configuration, then hashes it with SHA-256 to produce a 32-byte AES key used to encrypt communications with the control server. This encrypts both the command stream and the returned data, making detection more difficult.
GhostContainer supports up to fourteen control commands, ranging from shellcode execution, command-line execution and downloading .NET code, to file logging, remote data loading, and concurrent HTTP POST requests to multiple addresses. The malicious code is implemented as a dynamic .NET library (DLL), which is placed in Exchange’s web application directory and executed as a legitimate component in the ASP.NET environment. This approach makes it easier for GhostContainer to blend into the legitimate infrastructure, avoid attention, and persist on the system. The campaign also shows clear signs of open-source tool reuse and refinement: the malware contains identifier XML strings identical to those in ExchangeCmdPy.py, while the web proxy is implemented on the basis of the Neo-reGeorg variant. Leveraging available tools not only shortens development time but also better conceals the offensive behavior, making it harder for traditional antivirus solutions to detect.
A worrying feature of this campaign is that GhostContainer does not establish a persistent outbound communication channel. Instead, the attacker accesses the Exchange server from the outside, sending fully camouflaged control commands inside legitimate-looking traffic, which allows them to keep control of the system without explicit C2 infrastructure. This approach not only increases anonymity but also reduces detectability through network traffic analysis.
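Because the proxy component is driven entirely by inbound requests carrying the unusual headers named above (Qprtfva and Dzvvlnwkccf), one practical detection point is the HTTP request log of the reverse proxy, WAF or load balancer in front of Exchange. The script below is an added example, not code from the report or from Kaspersky; it parses constructed newline-delimited JSON request records (the record format, paths, timestamps and addresses are all assumptions for the example), raises a high-severity alert on any request carrying one of the two named control headers, and adds a weaker signal for header names outside a small allowlist of standard headers, which generalizes the check to renamed variants of the same tunneling technique.

```python
"""Detection sketch for GhostContainer-style control headers in inbound HTTP request logs.
All sample records below are constructed for this example; the JSON layout is assumed
to resemble what a reverse proxy or WAF might emit."""
import json
from collections import Counter

# Header names the report attributes to the proxy component (matched case-insensitively).
GHOSTCONTAINER_HEADERS = {"qprtfva", "dzvvlnwkccf"}

# Standard request headers an Exchange front end routinely sees. Anything outside this set
# that also lacks a conventional vendor prefix is reported as a weaker "unknown header" signal.
COMMON_HEADERS = {
    "host", "user-agent", "accept", "accept-encoding", "accept-language", "authorization",
    "cache-control", "connection", "content-length", "content-type", "cookie", "origin",
    "referer", "pragma", "upgrade-insecure-requests", "if-modified-since", "if-none-match",
}
VENDOR_PREFIXES = ("x-", "sec-", "ms-")

# Constructed sample log: one JSON object per line. Only the second and third requests
# carry a control header; the third also carries a vendor-prefixed header that must not fire.
SAMPLE_LOG = """
{"ts":"2025-07-15T09:12:01Z","src":"203.0.113.7","method":"POST","path":"/owa/auth/logon.aspx","headers":{"Host":"mail.example.test","User-Agent":"Mozilla/5.0","Content-Type":"application/x-www-form-urlencoded"}}
{"ts":"2025-07-15T09:12:09Z","src":"198.51.100.23","method":"POST","path":"/ecp/default.aspx","headers":{"Host":"mail.example.test","User-Agent":"Mozilla/5.0","Qprtfva":"AAAABBBB","Content-Type":"application/octet-stream"}}
{"ts":"2025-07-15T09:13:44Z","src":"198.51.100.23","method":"POST","path":"/ecp/default.aspx","headers":{"Host":"mail.example.test","User-Agent":"Mozilla/5.0","dzvvlnwkccf":"c2VjcmV0","X-Forwarded-For":"10.0.0.4"}}
{"ts":"2025-07-15T09:14:02Z","src":"192.0.2.55","method":"GET","path":"/owa/","headers":{"Host":"mail.example.test","User-Agent":"Mozilla/5.0"}}
"""


def parse_records(text):
    """Parse newline-delimited JSON request records; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify_headers(headers):
    """Return (known_control_headers, unknown_headers) for one request's header map."""
    control, unknown = set(), set()
    for name in headers:
        lname = name.lower()
        if lname in GHOSTCONTAINER_HEADERS:
            control.add(lname)
        elif lname not in COMMON_HEADERS and not lname.startswith(VENDOR_PREFIXES):
            unknown.add(lname)
    return control, unknown


def triage(records):
    """Produce one alert per request that carries a known control header (high) or an
    unrecognised header name (low). Requests with only standard headers yield nothing."""
    alerts = []
    for rec in records:
        control, unknown = classify_headers(rec.get("headers", {}))
        if not control and not unknown:
            continue
        alerts.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "path": rec["path"],
            "severity": "high" if control else "low",
            "control_headers": sorted(control),
            "unknown_headers": sorted(unknown),
        })
    return alerts


def sources_by_severity(alerts, severity="high"):
    """Count flagged requests per source address at the given severity, so that a single
    external address repeatedly driving the proxy stands out."""
    return Counter(a["src"] for a in alerts if a["severity"] == severity)


if __name__ == "__main__":
    found = triage(parse_records(SAMPLE_LOG))
    for alert in found:
        print(alert)
    print(dict(sources_by_severity(found)))
```

On the constructed sample this reports the two /ecp/ requests from 198.51.100.23 as high-severity hits and nothing else, since X-Forwarded-For is excluded by its vendor prefix. In a real deployment the allowlist would be tuned from a baseline of the front end's own traffic, and the low-severity branch is what catches a variant that has simply renamed the headers.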
According to Kaspersky's analysis, at least two targets were successfully compromised, including a government agency and a large tech group in Asia. The choice of Exchange as the target indicates the attacker's deep understanding of IT infrastructure in corporate and government environments. GhostContainer is not merely ordinary malware but the product of a highly skilled, well-equipped APT team that understands how Exchange works and knows how to hide inside the digital infrastructure.
The GhostContainer campaign is a strong reminder that N-day vulnerabilities cannot be overlooked, especially on core systems such as Microsoft Exchange. With many organizations still not fully applying security patches, tight monitoring and analysis of irregular behavior in internal applications remain the last line of defense against sophisticated threats such as GhostContainer.