Analysts from Solar 4RAYS have documented a previously unknown backdoor, dubbed IDFKA, used in targeted cyber‑espionage campaigns against Russian telecommunications companies. The Rust-based malware remained undetected in the infrastructure of an IT contractor and its telecom customers for at least ten months, highlighting the growing sophistication of attacks on critical communications infrastructure.
Discovery of IDFKA: anomalous PostgreSQL activity in a telecom supply chain
The investigation began in late May 2025, when specialists observed abnormal activity in a PostgreSQL database cluster operated by an IT service provider for several telecom operators. Commands that are not typical of legitimate database administration were being executed under a privileged service account, indicating that the database management system was being abused both as an entry point and as a persistence mechanism inside the network.
Supply‑chain exposure of this kind is particularly dangerous for telecom operators. Compromising a contractor with broad access to databases and management consoles can give attackers indirect but deep visibility into multiple operators’ environments, bypassing perimeter defenses and traditional network segmentation.
Two independent threat groups in the same telecom environment
Further analysis showed that the contractor’s network was being targeted simultaneously by two separate threat clusters: the well‑known Asia‑based espionage group Snowy Mogwai and a less documented cluster tracked as NGC5081. The new IDFKA backdoor was attributed to NGC5081, which also deployed the previously known Tinyshell toolset.
Solar 4RAYS concluded that NGC5081 and Snowy Mogwai operated in parallel without coordination. The groups used distinct command‑and‑control (C2) infrastructures, different evasion techniques, and infected overlapping but not identical sets of systems. Such “multi‑tenant” compromises, where several actors coexist in the same victim environment, have become more frequent globally and significantly complicate incident response and attribution, as also seen in past large‑scale incidents involving Microsoft Exchange and major software supply‑chain breaches.
Technical profile of the Rust-based IDFKA backdoor
Researchers determined that IDFKA was written from scratch in Rust. The Rust ecosystem has become increasingly popular among advanced threat actors because it enables cross‑platform, memory‑safe and harder‑to‑analyze binaries. The name “IDFKA” references the famous “IDKFA” cheat code from the game Doom, which granted all keys and weapons—an apt metaphor for a backdoor that gives attackers extensive control over compromised hosts.
Custom L4 protocol, encryption, and resilient C2 channels
One of IDFKA’s most notable features is the use of a custom layer‑4 (L4) protocol over IP. Instead of relying solely on standard TCP or UDP flows, the malware crafts its own packets on top of IP. This strategy allows it to bypass many intrusion detection systems that focus on well‑known protocols such as HTTP, TLS, or DNS. Traffic can appear as generic IP packets without easily recognizable signatures.
The main payload is encrypted with AES in ECB mode and can only be decrypted if a specific environment variable, TRM64CFG, is present. This design hinders static analysis and sandboxing, because captured samples may not fully reveal their functionality outside the original execution environment.
To maximize resilience, IDFKA supports multiple C2 communication channels, including TCP/UDP, ICMP, HTTP, and custom proprietary protocols. Such redundancy enables the operators to maintain control even if some channels are blocked or monitored, complicating efforts by defenders to fully disrupt the infrastructure.
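A defender's counterpart to the custom-L4 and ICMP channels described above: an added example (not code from the Solar 4RAYS report or from IDFKA) that parses raw IPv4 headers and flags packets whose transport protocol is outside an expected set, or whose ICMP body is unusually large. The allowed-protocol set, the ICMP size threshold and the sample packets are all constructed assumptions for the demo.

```python
import struct

# IANA protocol numbers expected on an ordinary server segment (assumption; tune per network).
EXPECTED_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
ICMP_MAX_PAYLOAD = 64  # echo bodies are normally small; the threshold is an assumption

def parse_ipv4(packet: bytes) -> dict:
    """Extract the header fields needed for triage from a raw IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, ttl,
     proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    return {"proto": proto, "ttl": ttl, "payload_len": total_len - ihl,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}

def classify(packet: bytes) -> dict:
    """Attach a reason if the L4 protocol is unexpected or ICMP carries an oversized body."""
    hdr = parse_ipv4(packet)
    if hdr["proto"] not in EXPECTED_PROTOCOLS:
        hdr["reason"] = f"non-standard IP protocol {hdr['proto']}"
    elif hdr["proto"] == 1 and hdr["payload_len"] > ICMP_MAX_PAYLOAD:
        hdr["reason"] = f"oversized ICMP payload ({hdr['payload_len']} bytes)"
    else:
        hdr["reason"] = None
    return hdr

def triage(packets) -> list:
    """Return only the packets that carry a reason to investigate."""
    return [h for h in map(classify, packets) if h["reason"]]

def build_packet(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Constructed test packet for the demo (checksum left at zero; nothing is sent)."""
    addr = lambda s: bytes(int(o) for o in s.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         0x4000, 64, proto, 0, addr(src), addr(dst))
    return header + payload

# Constructed samples: ordinary TCP, a packet using experimental protocol 253, and a fat ICMP echo.
SAMPLE_PACKETS = [
    build_packet(6, "10.0.0.5", "10.0.0.9", b"\x00" * 20),
    build_packet(253, "10.0.0.5", "203.0.113.7", b"\xde\xad" * 8),
    build_packet(1, "10.0.0.5", "203.0.113.7", b"\x08\x00" + b"\x00" * 6 + b"A" * 120),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_PACKETS):
        print(f"{hit['src']} -> {hit['dst']} (proto {hit['proto']}): {hit['reason']}")
```

In production the same check would run over packets pulled from a capture or a flow exporter that preserves the IP protocol field, rather than over constructed bytes.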
Espionage functionality: network reconnaissance and credential theft
The feature set of IDFKA aligns with mature cyber‑espionage platforms. The backdoor supports remote command execution, internal network scanning, SSH brute‑force attacks, and credential harvesting.
For credential theft and stealth monitoring, IDFKA leverages ptrace and eBPF:
ptrace is a legitimate Linux debugging interface that allows one process to observe and control another. Abuse of ptrace enables attackers to intercept sensitive data such as passwords from running processes.
eBPF (extended Berkeley Packet Filter) is a powerful in‑kernel technology increasingly adopted for observability and performance monitoring. When misused, it provides attackers with a stealthy way to hook into kernel‑level events, monitor network traffic, or hide malicious activity. Several modern Linux threats have begun to incorporate eBPF for rootkit‑like capabilities, making detection significantly more challenging for traditional security tools.
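Detecting the ptrace and eBPF abuse just described on an audited Linux host: an added example (not from the report or from IDFKA) that parses auditd SYSCALL records, decodes the ptrace request or bpf command from the first argument, and reports successful calls from executables not on an allowlist. It assumes x86_64 syscall numbers (ptrace=101, bpf=321), audit rules such as `-a always,exit -F arch=b64 -S ptrace -k ptrace_mon` and `-a always,exit -F arch=b64 -S bpf -k bpf_mon`, an allowlist that you would tune per host class, and constructed log lines.

```python
import re
from collections import namedtuple

# x86_64 syscall numbers as they appear in audit SYSCALL records.
SYSCALLS = {101: "ptrace", 321: "bpf"}
# Decoding of the first argument (a0 is printed in hex by auditd): ptrace request / bpf command.
PTRACE_REQ = {0x0: "PTRACE_TRACEME", 0x10: "PTRACE_ATTACH", 0x4206: "PTRACE_SEIZE"}
BPF_CMD = {0x0: "BPF_MAP_CREATE", 0x5: "BPF_PROG_LOAD"}
# Executables permitted to use each interface on this host class (assumption; tune per environment).
ALLOWED = {"ptrace": {"/usr/bin/gdb", "/usr/bin/strace"},
           "bpf": {"/usr/sbin/bpftool", "/usr/bin/bpftrace"}}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
Finding = namedtuple("Finding", "syscall request pid uid exe comm")

def parse_record(line: str) -> dict:
    """Split an audit record into key/value pairs, dropping quotes around string values."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def find_abuse(lines) -> list:
    """Report successful ptrace/bpf calls whose caller is not on the allowlist."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("arch") != "c000003e":
            continue  # only 64-bit syscall records carry the numbers we decode
        name = SYSCALLS.get(int(rec.get("syscall", -1)))
        if name is None or rec.get("success") != "yes":
            continue
        a0 = int(rec.get("a0", "0"), 16)
        request = (PTRACE_REQ if name == "ptrace" else BPF_CMD).get(a0, f"0x{a0:x}")
        exe = rec.get("exe", "")
        if exe not in ALLOWED[name]:
            findings.append(Finding(name, request, rec.get("pid"), rec.get("uid"), exe, rec.get("comm", "")))
    return findings

# Constructed audit lines: an unknown binary under a service-like name attaching to a process and
# loading a BPF program, a legitimate strace session, and a bpftrace call that failed.
SAMPLE_AUDIT = [
    'type=SYSCALL msg=audit(1716890000.101:9001): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=2a3f ppid=1 pid=4242 auid=4294967295 uid=0 comm="systemd-journal" exe="/usr/local/sbin/systemd-journal" key="ptrace_mon"',
    'type=SYSCALL msg=audit(1716890000.102:9002): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=2a40 ppid=3001 pid=3002 auid=1000 uid=1000 comm="strace" exe="/usr/bin/strace" key="ptrace_mon"',
    'type=SYSCALL msg=audit(1716890000.103:9003): arch=c000003e syscall=321 success=yes exit=5 a0=5 a1=7ffd ppid=1 pid=4242 auid=4294967295 uid=0 comm="systemd-journal" exe="/usr/local/sbin/systemd-journal" key="bpf_mon"',
    'type=SYSCALL msg=audit(1716890000.104:9004): arch=c000003e syscall=321 success=no exit=-1 a0=5 a1=7ffd ppid=1 pid=999 auid=1000 uid=1000 comm="bpftrace" exe="/usr/bin/bpftrace" key="bpf_mon"',
]

if __name__ == "__main__":
    for f in find_abuse(SAMPLE_AUDIT):
        print(f"{f.syscall}({f.request}) by pid={f.pid} uid={f.uid} exe={f.exe} comm={f.comm}")
```

A process named like a system service but running from an unexpected path is exactly the pattern the disguised-binary technique in this report produces, so the allowlist should be keyed on full executable path, not on comm.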
Stealth techniques and long-term persistence in Linux environments
IDFKA was engineered with a clear focus on stealth and log manipulation. Malicious binaries were disguised as legitimate Linux system services and placed in standard executable directories, reducing the chance of raising suspicion during routine checks.
Interestingly, the attackers deliberately avoided configuring automatic startup for the malware. In the targeted telecom environments, core systems and databases are rarely rebooted, sometimes running for years without downtime. By not modifying autostart mechanisms, the operators minimized additional forensic artifacts while still achieving stable, long‑term persistence.
The earliest known IDFKA sample dates to November 2024, although compromise indicators suggest intrusion activity beginning around September 2024. During this period, the attackers manually deleted or altered log entries, including wtmp and lastlog files, and manipulated forensic artifacts to erase traces of their presence. As a result, NGC5081 maintained access for at least ten months—dramatically longer than current global medians. Recent industry reports, such as Mandiant’s M‑Trends 2024, cite typical median dwell times closer to a few weeks, underscoring the effectiveness of the group’s tradecraft.
Targeting telecom operators and suspected origin of NGC5081
Within days of deploying IDFKA in the contractor’s environment, the attackers compromised the PostgreSQL clusters of a first telecom customer, and in April 2025 they gained access to another operator’s database infrastructure. This provided visibility into subscriber databases and call metadata, including call detail records (CDRs).
Although there is no conclusive evidence of large‑scale data exfiltration, the mere ability to access and selectively query subscriber data and call patterns introduces serious privacy and security risks. Such information can be weaponized for targeted surveillance, social‑engineering campaigns, or follow‑on intrusions against high‑value individuals and organizations.
At the time of publication, the C2 infrastructure used by NGC5081 remained active, with configuration updates observed as late as September 2025. This indicates that IDFKA continues to be part of the group’s active toolkit and may be deployed in future campaigns beyond the telecom sector. While direct attribution remains unconfirmed, overlaps in infrastructure with Tinyshell and several behavioral characteristics point to a likely East Asian origin, consistent with other espionage operations in the region.
Researchers classify IDFKA as a highly developed espionage platform, comparable in complexity to advanced RAT families such as GoblinRAT. For telecom operators and their suppliers, the case underlines the need for strict control of privileged accounts, continuous auditing of database activity, and monitoring for anomalies at both network and host levels. Priorities should include hardening PostgreSQL and other DBMSs, enforcing multi‑factor authentication and just‑in‑time access for administrative accounts, detecting abuse of ptrace and eBPF, and deploying network security tools capable of analyzing non‑standard IP protocols and covert ICMP channels. Rapid implementation of the indicators of compromise (IOCs) and YARA rules released by Solar 4RAYS, combined with proactive threat‑hunting in critical infrastructure segments, can significantly reduce the window of undetected access for backdoors like IDFKA and strengthen the overall resilience of telecom networks.