IDFKA Backdoor Infiltrates Russian Telecom Companies for 10 Months
Analysts at Solar 4RAYS discovered a new backdoor called IDFKA that compromised Russian telecommunications companies, allowing hackers to maintain access for over 10 months. The malware's primary objective was espionage, though researchers haven't determined what specific information the attackers sought.
Discovery and Initial Compromise
In late May 2025, specialists detected suspicious activity in an unnamed telecommunications operator's infrastructure. Unusual commands were executing through a PostgreSQL database using credentials from a service account belonging to an IT contractor.

The investigation revealed two separate hacker groups had simultaneously infiltrated the contractor's network: Snowy Mogwai, an Asian group conducting espionage operations, and NGC5081, a previously unknown group deploying the new IDFKA backdoor alongside the known Tinyshell malware.
The two groups operated independently without coordination. Evidence for this includes separate network infrastructure, different obfuscation techniques, and systems infected with only one malware type.