VERY IMPORTANT

A new modular backdoor called ShadowRelay was discovered on a compromised Exchange server in a government organization. The backdoor allows loading different plugins and demonstrates sophisticated design indicative of well-prepared attackers. It uses packet injection to hide network activity and can spy covertly in protected network segments by communicating through infected machines. The backdoor can inject itself into other processes and uses plugins to load additional functionality, allowing it to evade detection. These capabilities suggest the attackers aim for long-term covert presence and espionage, typical of state-sponsored APT groups. The backdoor was found alongside tools from other known threat actors, complicating attribution.