A backdoor is a hidden mechanism that lets an attacker access a system while bypassing normal authentication controls. It doesn't depend on valid credentials, doesn't show up in audited login flows and, when well implemented, isn't even visible to legitimate administrators. It's the piece that turns a one-off compromise into persistent presence: the attacker breaks in once, plants the backdoor and returns at will without having to exploit anything again.
This guide covers what a backdoor actually is, how it differs from a trojan or a rootkit, the seven types found in forensic investigations (software, firmware, hardware, cryptographic, supply chain, account, source code), documented public cases (SolarWinds Sunburst, NotPetya, XZ Utils), how they map to MITRE ATT&CK and which technical detection and hardening measures work in corporate environments in 2026.
The essentials
- A backdoor is any mechanism (code, configuration, account or hardware) that grants access while bypassing the official authentication controls.
- It isn't always malware: it can be a forgotten account, a residual SSH key or an undocumented service.
- The seven categories relevant to defence are software, firmware, hardware, cryptographic, supply chain, account and source code.
- Documented public cases (SolarWinds, NotPetya, XZ Utils) show that a signed distribution channel is no guarantee of integrity.
- Detection requires EDR with behavioural baselines, SIEM with specific queries and periodic threat hunting; signature antivirus alone won't solve it.
What a backdoor is: a precise technical definition
A backdoor is any mechanism (code, configuration, hardware or credential) that allows access to a system or service while evading the intended authentication and authorisation controls. The term comes from software development: during the seventies and eighties, programmers routinely left a "back door" in large systems so they could debug without requesting fresh credentials. The best-known example from that era is Ken Thompson's trusting trust attack, presented in his 1984 Turing Award lecture "Reflections on Trusting Trust", where he showed how a compiler could insert a backdoor into the programs it compiled (including new builds of itself) while the backdoor appeared nowhere in the compiler's source code.
The distinction between legitimate and malicious depends on context. A backdoor introduced for maintenance purposes, without documentation or credential rotation, is a security risk even if the original intent was benign. In forensic practice the distinction is irrelevant: if a hidden access channel exists that doesn't go through the official controls, it is a backdoor.
Backdoors aren't malware in the strict sense. They can be (a trojan implant leaves a RAT-type backdoor), but they can also be a forgotten admin account, an SSH key in authorized_keys, a service listening on a high port or a stolen code-signing certificate. The common property is functional: access that doesn't go through the legitimate front door.
How a backdoor gets installed
The installation vectors repeat across most incidents:
- Phishing plus dropper. The user executes an attachment or a link, the dropper deploys the backdoor and configures persistence.
- Supply chain. The attacker compromises a software or hardware provider and the backdoor arrives signed and validated through the legitimate channel.
- Insider. An employee or contractor with access deliberately introduces the backdoor before leaving the organisation.
- Firmware compromise. The attacker modifies BIOS, UEFI, BMC or peripheral firmware through physical interdiction or by exploiting update vulnerabilities.
- Post-exploitation. After a compromise via exploit (web shell on an exposed server, RCE in an internal service, credential abuse), the attacker leaves the backdoor as a return mechanism before withdrawing from the visible system.
The pattern in post-incident audits is that the initial backdoor isn't the most sophisticated. The attacker leaves several redundant mechanisms (new account, scheduled task, service, SSH key, web shell) so that defender clean-up removes some and leaves others active.
Backdoor types
Software backdoor
The most common category. Includes RAT (Remote Access Trojan), web shells, malicious modules loaded by legitimate applications and trojanised libraries. A typical web shell is a PHP, ASPX or JSP file uploaded to a vulnerable web server that receives commands via HTTP parameters and executes them with web process privileges. Documented families: China Chopper, Behinder, Godzilla.
RATs include interactive remote control (shell, file manager, screen capture) and form the basis of many APT campaigns. EDR detection is reasonable if the RAT touches disk or network observably, but in-memory variants, those abusing legitimate processes (process hollowing, reflective loading) or using encrypted C2 over HTTPS to trusted infrastructure are significantly harder.
Typical persistence: Run registry keys, scheduled tasks, Windows services, cron jobs, macOS LaunchAgents, WMI hooks.
Firmware backdoor
Implants in BIOS, UEFI, BMC, disk firmware, network card firmware. The advantage for the attacker is radical: they survive OS reinstall, survive disk replacement if the implant lives in BIOS, and operate below the level where antivirus and EDR run.
Publicly documented cases: LoJax (attributed to APT28, 2018), MoonBounce (2022) and MosaicRegressor (2020). Detection requires specific tools like CHIPSEC (Intel), firmware hash analysis and platform attestation using TPM with Measured Boot. Small attack surface, high impact, hard to remediate without physical replacement.
Hardware backdoor
Physical modifications: chips added to motherboards, USB cables with embedded microcontrollers (USB Rubber Ducky, O.MG Cable), peripheral implants. The most high-profile case was the 2018 Bloomberg story about alleged chips in Supermicro boards, rejected by the implicated companies and never confirmed publicly on technical grounds.
What is documented are the NSA ANT catalogues leaked in 2013, with implants for keyboard interception, RF exfiltration and firmware modification. Detection requires physical analysis (X-ray, comparison against reference samples) and is only viable in environments with specific threat models.
Cryptographic backdoor
The subtlest type: a deliberately weakened cryptographic implementation that looks correct under superficial inspection but lets whoever holds a secret recover keys or predict outputs. The most studied case is Dual_EC_DRBG, a NIST-standardised random number generator built from two elliptic-curve points, P and Q. If the party who chose the points also knows the scalar relating them, a single observed output reveals the generator's internal state and every subsequent output becomes predictable. NIST recommended against its use in 2014 and removed it from SP 800-90A in the 2015 revision.
Kleptography is the formal discipline: techniques for implanting backdoors in cryptographic systems so that the output remains indistinguishable from correct output for anyone without the master key. Defence: audited implementations, curve and constant parameters whose derivation can be verified (published seeds as in the Brainpool curves, or rigidly derived constants, rather than unexplained values), and diversification of entropy sources.
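A toy version of the Dual_EC trapdoor described above, added for this article and not taken from NIST, from any library or from the original page. The curve, the points and the secret scalar e are all constructed for illustration and far too small for real use; real Dual_EC_DRBG also truncates 16 bits of each output, which an attacker recovers by brute force, so the full-x output here overstates how cheap the recovery is. The mechanism is the same: if the published point P equals e*Q for a scalar e only the designer knows, one output r = x(s*Q) lifts to the point s*Q, and e*(s*Q) = s*P is exactly the generator's next state.

```python
# Toy Dual_EC-style generator with a kleptographic trapdoor.
# Added example: curve, points and scalars are constructed, not standard values.

P_MOD = 1000003            # prime, 3 mod 4, so a square root is one exponentiation
A, B = 1, P_MOD - 1        # curve y^2 = x^3 + x - 1 over GF(P_MOD) (constructed)
G = (2, 3)                 # 3^2 = 9 = 2^3 + 2 - 1, so G lies on the curve
INF = None                 # point at infinity


def inv(v):
    return pow(v, P_MOD - 2, P_MOD)


def add(p1, p2):
    """Affine point addition, covering doubling and the identity."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:      # p2 == -p1 (or a point of order 2)
            return INF
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def x_of(pt):
    if pt is INF:
        raise ValueError("state hit the point at infinity (negligible at real sizes)")
    return pt[0]


def lift_x(x):
    """Recover a curve point from its x-coordinate; either sign of y works below."""
    rhs = (x * x * x + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    if y * y % P_MOD != rhs:
        raise ValueError("x is not on the curve")
    return (x, y)


def dual_ec_outputs(seed, count, P, Q):
    """Generator as the users see it: s <- x(s*P), then emit r = x(s*Q)."""
    s, outputs = seed, []
    for _ in range(count):
        s = x_of(mul(s, P))
        outputs.append(x_of(mul(s, Q)))
    return outputs


def predict_next(observed, e, Q):
    """Attacker holding e with P = e*Q: one output gives the next state and output."""
    R = lift_x(observed)            # R = +/- (s*Q); x(e*R) is identical for both signs
    next_state = x_of(mul(e, R))    # e*(s*Q) = s*(e*Q) = s*P, the generator's next state
    return x_of(mul(next_state, Q))


def demo():
    Q = G
    e = 123457                      # the designer's secret trapdoor (constructed)
    P = mul(e, Q)                   # published "random" constant, actually e*Q
    outs = dual_ec_outputs(seed=987654, count=5, P=P, Q=Q)
    predicted = [predict_next(outs[i], e, Q) for i in range(len(outs) - 1)]
    return outs, predicted


if __name__ == "__main__":
    outs, predicted = demo()
    print("outputs:  ", outs)
    print("predicted:", predicted)   # matches outputs[1:] when the trapdoor is known
```

Without e there is no known shortcut: recovering it from P and Q alone is the elliptic-curve discrete logarithm problem, which is why the design looked sound to anyone who did not ask where P and Q came from.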
Supply chain backdoor
The attacker compromises a provider whose legitimate update reaches thousands of customers signed and trusted. The paradigmatic case is SolarWinds Sunburst in 2020. Other documented incidents: NotPetya (M.E.Doc, 2017), CCleaner (2017), ASUS Live Update (2019) and XZ Utils (2024).
Defence rests on software supply chain controls: an SBOM per artefact, reproducible builds, signed releases, build provenance attestation (SLSA), post-install behaviour monitoring and network segmentation for recently updated software.
Account backdoor
A legitimate account created or modified by the attacker to maintain access. In Active Directory: a new account in Domain Admins, a forged Kerberos golden ticket (built from the krbtgt hash), ACL modifications on AdminSDHolder, misconfigured constrained delegation, a machine account with an attacker-controlled SPN. In Linux: a second UID 0 user with an inconspicuous name, an SSH key in authorized_keys, a modified sudoers.
One of the most underestimated categories because there is no malicious binary, only configuration, and antivirus doesn't catch it. Defence: continuous auditing of privileged accounts, alerts on account creation and group membership changes, review of SSH keys and sudoers.
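The Linux half of that audit as code, added for this article (it is not the page's tooling). It checks the three places named above: extra UID 0 accounts in passwd, blanket NOPASSWD rules in sudoers, and authorized_keys entries whose fingerprint is not in the provisioning inventory. The three file contents, the key blobs (valid base64 standing in for real keys) and the inventory are constructed samples; the fingerprint format follows OpenSSH's SHA256 style.

```python
# Account-backdoor audit over constructed /etc/passwd, /etc/sudoers and
# authorized_keys contents. Added example; nothing here is a real key or host.
import base64
import hashlib
import re

PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:0:34:backup:/var/backups:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

SUDOERS = """Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
alice ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
svc-backup ALL=(ALL) NOPASSWD: ALL
"""


def fake_blob(label):
    """Valid base64 standing in for a key blob (constructed, not a real key)."""
    return base64.b64encode(b"constructed-sample-key:" + label.encode()).decode()


AUTHORIZED_KEYS = "\n".join([
    f"ssh-ed25519 {fake_blob('alice')} alice@laptop",
    f'command="/usr/local/bin/backup",no-pty ssh-ed25519 {fake_blob("backup")} backup',
    f"ssh-rsa {fake_blob('unknown')}",
])

# authorized_keys line: [options] type blob [comment]
KEY_RE = re.compile(
    r"^(?:(?P<opts>\S.*?)\s+)?"
    r"(?P<type>(?:ssh|ecdsa|sk)-[\w@.-]+)\s+"
    r"(?P<blob>[A-Za-z0-9+/=]+)"
    r"(?:\s+(?P<comment>.*))?$"
)
# sudoers line granting everything, as anyone, with no password
NOPASSWD_ALL = re.compile(r"^(?P<who>\S+)\s+\S+\s*=\s*(\([^)]*\)\s*)?NOPASSWD:\s*ALL\s*$")


def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a base64 key blob."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def uid0_users(passwd):
    """Accounts with UID 0 other than root: full root under another name."""
    found = []
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            found.append(fields[0])
    return found


def blanket_nopasswd(sudoers):
    """Principals that may run any command as anyone without a password."""
    return [m.group("who") for m in map(NOPASSWD_ALL.match, sudoers.splitlines()) if m]


def unknown_keys(authorized_keys, inventory):
    """Keys whose fingerprint the provisioning inventory does not know."""
    findings = []
    for raw in authorized_keys.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.match(line)
        if not m:
            findings.append({"fingerprint": None, "type": None, "options": "", "comment": "unparsed: " + line})
            continue
        fp = fingerprint(m.group("blob"))
        if fp not in inventory:
            findings.append({"fingerprint": fp, "type": m.group("type"),
                             "options": m.group("opts") or "", "comment": m.group("comment") or ""})
    return findings


# What provisioning says should be on the host (constructed: only alice's key).
INVENTORY = {fingerprint(fake_blob("alice"))}


def audit(passwd=PASSWD, sudoers=SUDOERS, keys=AUTHORIZED_KEYS, inventory=None):
    inventory = INVENTORY if inventory is None else inventory
    return {"uid0": uid0_users(passwd),
            "nopasswd_all": blanket_nopasswd(sudoers),
            "unknown_keys": unknown_keys(keys, inventory)}


if __name__ == "__main__":
    for kind, hits in audit().items():
        print(kind, hits)
```

Run against real hosts the same three functions read /etc/passwd, /etc/sudoers plus /etc/sudoers.d and every user's authorized_keys; the inventory is whatever your provisioning system records, and an entry with a forced command (as in the second sample key) deserves a look even when its fingerprint is known.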
Source code backdoor
Malicious commits in open source or internal repositories. The attacker introduces code that looks legitimate (refactor, fix, optimisation) but contains a functional vulnerability or hidden functionality. The XZ Utils case in 2024 is the most studied example: a contributor submitted useful commits over roughly two years to build trust and, in a specific release, added code which, once liblzma was loaded into sshd, gave whoever held a specific private key remote code execution before authentication.
Defence: rigorous code review, signed commits, restrictions on who can approve and merge in protected branches, static analysis on suspicious patterns (function table manipulation, dynamic string evaluation) and reviewer diversity. A commit approved by a single person in a critical project is a structural risk.
Notable public cases
SolarWinds Sunburst (2020). Attackers compromised SolarWinds' build system and inserted malicious code into Orion Platform builds released between March and June 2020. The legitimately signed updates reached up to 18,000 customer organisations. Sunburst waited about two weeks after installation, then contacted a C2 domain and, on selected targets, downloaded additional payloads. US government and vendor investigations attributed the operation to APT29.
NotPetya (2017). Presented as ransomware, operated as a wiper. Initial vector: compromise of the M.E.Doc update, accounting software widely used in Ukraine. The economic damage estimated in public reports was one of the highest attributed to a single cyber incident up to that date.
XZ Utils (2024). A contributor operating under a probably fabricated identity submitted useful commits to XZ Utils over roughly two years and eventually obtained maintainer rights. Versions 5.6.0 and 5.6.1 contained code which, loaded by sshd through liblzma (a dependency pulled in by distribution patches for systemd notification), gave whoever held a specific private key remote code execution before authentication (CVE-2024-3094). Andres Freund, a PostgreSQL developer working at Microsoft, noticed the anomaly through an sshd latency difference and unexplained CPU usage, and reported it before the affected versions reached widely deployed stable distributions.
What they share: trust in the distribution channel (signed build, official repository, reputable maintainer) was the lever. None would have been prevented by antivirus, EDR or firewalls alone.
Mapping to MITRE ATT&CK
Backdoors appear across several MITRE ATT&CK techniques:
- T1505 Server Software Component. Sub-techniques like Web Shell (T1505.003), Transport Agent (T1505.002), IIS Components (T1505.004). Covers backdoors planted on legitimate servers by abusing their extension systems.
- T1542 Pre-OS Boot. Bootkit, firmware (BIOS, UEFI), bootloader and component firmware implants. LoJax, MoonBounce and similar fit here.
- T1556 Modify Authentication Process. Modification of the authentication process to accept magic credentials or skip checks: Domain Controller Authentication (T1556.001), Pluggable Authentication Modules (T1556.003), Network Provider DLLs (T1556.008).
Other associated techniques: T1078 Valid Accounts, T1136 Create Account, T1098 Account Manipulation, T1547 Boot or Logon Autostart Execution.
Detection with EDR, SIEM and threat hunting
Backdoor detection isn't solved by a single signature. What works is combining several layers:
Behavioural baselines. A properly configured EDR alerts on anomalous behaviour: svchost opening a connection to a domain with no reputation, a process reading lsass memory or dumping it to disk, a Windows service created outside a change window, modifications to persistence registry keys.
Typical indicators:
- Local or domain accounts created outside the provisioning process.
- Modifications to `authorized_keys`, `sudoers` and `/etc/pam.d/`.
- Services listening on undocumented high ports.
- Scheduled tasks with unusual triggers (logon, idle, a specific event).
- Outbound traffic to domains without reputation outside business hours.
- Signed processes with atypical command lines (`rundll32` executing unusual exports, PowerShell with encoded commands).
- Modification of signed binaries (hash differs from the reference catalogue).
Useful SIEM queries for alerts or periodic threat hunting:
- Event `4720` (account created) followed by `4728`, `4732` or `4756` (member added to a security-enabled global, local or universal group) on domain controllers outside business hours. `4732` alone only covers local groups; a Domain Admins change is logged as `4728`.
- Event `7045` (System log, service installed) or `4697` (Security log) with the service image path (`ImagePath` or `ServiceFileName`) pointing to temporary or user-writable directories.
- Child processes of `w3wp.exe`, `httpd` or `nginx` executing `cmd`, `powershell`, `sh` or `bash`.
- Modifications to `Run` keys in `HKLM\Software\Microsoft\Windows\CurrentVersion\Run` and the HKCU equivalents.
- Outbound connections from system processes (`lsass`, `winlogon`, `services`) to external IPs.
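The same hunting rules expressed as code, run over constructed Windows event records (one JSON object per line). This is an added example for this article, not an export from any SIEM: the accounts, hosts, paths and times are made up, the field names are simplified versions of the Security (4720, 4728, 4688) and System (7045) log fields, and the business-hours window is an assumed policy. It also goes one step beyond the list: a correlation that links an account creation to a privileged group addition by the same subject within an hour, which no single-event rule sees.

```python
# Backdoor hunting rules over constructed Windows events. Added example;
# events, names and paths are made up, field names are simplified.
import json
from datetime import datetime

SAMPLE_EVENTS = r"""
{"EventID": 4720, "Time": "2026-02-03T02:14:00", "SubjectUserName": "jdoe", "TargetUserName": "svc_update"}
{"EventID": 4720, "Time": "2026-02-03T10:05:00", "SubjectUserName": "hr-provisioning", "TargetUserName": "new.hire"}
{"EventID": 4728, "Time": "2026-02-03T02:15:00", "SubjectUserName": "jdoe", "TargetUserName": "Domain Admins", "MemberName": "CN=svc_update,OU=Users,DC=corp,DC=example"}
{"EventID": 4728, "Time": "2026-02-03T11:00:00", "SubjectUserName": "hr-provisioning", "TargetUserName": "Sales", "MemberName": "CN=new.hire,OU=Users,DC=corp,DC=example"}
{"EventID": 7045, "Time": "2026-02-03T02:16:00", "ServiceName": "WinUpdateHelper", "ImagePath": "C:\\Windows\\Temp\\svc.exe"}
{"EventID": 7045, "Time": "2026-02-03T09:00:00", "ServiceName": "VendorEdrSvc", "ImagePath": "C:\\Program Files\\VendorEDR\\edr.exe"}
{"EventID": 4688, "Time": "2026-02-03T14:20:00", "ParentProcessName": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}
{"EventID": 4688, "Time": "2026-02-03T14:21:00", "ParentProcessName": "C:\\Windows\\explorer.exe", "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"}
"""

PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins", "administrators"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}          # global, local and universal security groups
WRITABLE_PATHS = ("\\temp\\", "\\appdata\\", "\\programdata\\", "\\users\\public\\")
WEB_SERVERS = {"w3wp.exe", "httpd", "nginx", "apache2", "php-fpm"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash"}


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def outside_business_hours(ts, start=8, end=18):
    """Weekend, or outside the start..end local window (assumed policy)."""
    t = datetime.fromisoformat(ts)
    return t.weekday() >= 5 or not (start <= t.hour < end)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def cn_of(dn):
    """'CN=svc_update,OU=...' -> 'svc_update' (lowercased)."""
    first = dn.split(",")[0]
    return (first[3:] if first.upper().startswith("CN=") else first).lower()


def hunt(events):
    """One pass applying the four single-event rules; returns (rule, detail) pairs."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4720 and outside_business_hours(ev["Time"]):
            findings.append(("account_created_off_hours", ev["TargetUserName"]))
        elif eid in GROUP_ADD_EVENTS and ev["TargetUserName"].lower() in PRIVILEGED_GROUPS:
            findings.append(("privileged_group_member_added", cn_of(ev["MemberName"])))
        elif eid == 7045 and any(p in ev["ImagePath"].lower() for p in WRITABLE_PATHS):
            findings.append(("service_from_writable_path", ev["ImagePath"]))
        elif (eid == 4688 and basename(ev["ParentProcessName"]) in WEB_SERVERS
              and basename(ev["NewProcessName"]) in SHELLS):
            findings.append(("web_server_spawned_shell", ev["CommandLine"]))
    return findings


def correlate_new_privileged_accounts(events, window_minutes=60):
    """Account created and then added to a privileged group inside the window:
    the classic account backdoor, which no single-event rule catches."""
    created = {ev["TargetUserName"].lower(): datetime.fromisoformat(ev["Time"])
               for ev in events if ev.get("EventID") == 4720}
    hits = []
    for ev in events:
        if ev.get("EventID") not in GROUP_ADD_EVENTS:
            continue
        if ev["TargetUserName"].lower() not in PRIVILEGED_GROUPS:
            continue
        member = cn_of(ev["MemberName"])
        if member in created:
            delta = (datetime.fromisoformat(ev["Time"]) - created[member]).total_seconds()
            if 0 <= delta <= window_minutes * 60:
                hits.append((member, ev["TargetUserName"], int(delta)))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for rule, detail in hunt(evs):
        print(f"{rule:32} {detail}")
    print("new account straight into a privileged group:", correlate_new_privileged_accounts(evs))
```

The provisioning events (new.hire created at 10:05 and added to Sales) pass every rule, which is the point of the baseline: the rules encode what normal account management looks like, and the attacker's 02:14 creation plus 02:15 Domain Admins addition stands out on timing and on correlation, not on any signature.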
Network analytics. Beaconing patterns (connections at a near-constant interval), DNS tunnelling, legitimate protocols used for C2 (HTTPS through a CDN, DoH to public resolvers). Zeek, Suricata and EDR with network telemetry give basic visibility; serious analysis requires a baseline of your own network's normal traffic.
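Beacon detection in its simplest useful form, added for this article (not Zeek's or any vendor's logic): per source, destination and port, compute the gaps between consecutive connections and flag tuples whose gaps are suspiciously regular, measured as the coefficient of variation (standard deviation over mean). The connection records below are constructed, in the shape a Zeek conn.log or firewall log reduces to; the thresholds (six connections, CV at most 0.15) are assumptions to tune against your own baseline.

```python
# Beacon detection over constructed connection records: "epoch_ts src dst dport".
# Added example; addresses, times and thresholds are made up or assumed.
import statistics
from collections import defaultdict

SAMPLE_CONN_LOG = """\
1770000000.0 10.0.0.5 203.0.113.10 443
1770000005.0 10.0.0.7 198.51.100.20 443
1770000010.0 10.0.0.7 198.51.100.20 443
1770000060.0 10.0.0.5 203.0.113.10 443
1770000118.0 10.0.0.5 203.0.113.10 443
1770000179.0 10.0.0.5 203.0.113.10 443
1770000238.0 10.0.0.5 203.0.113.10 443
1770000300.0 10.0.0.5 203.0.113.10 443
1770000310.0 10.0.0.7 198.51.100.20 443
1770000312.0 10.0.0.7 198.51.100.20 443
1770000360.0 10.0.0.5 203.0.113.10 443
1770000418.0 10.0.0.5 203.0.113.10 443
1770000479.0 10.0.0.5 203.0.113.10 443
1770000539.0 10.0.0.5 203.0.113.10 443
1770001512.0 10.0.0.7 198.51.100.20 443
1770001552.0 10.0.0.7 198.51.100.20 443
1770001559.0 10.0.0.7 198.51.100.20 443
1770002459.0 10.0.0.7 198.51.100.20 443
"""


def parse_conn_log(text):
    """Group connection timestamps by (src, dst, dport)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        flows[(src, dst, int(port))].append(float(ts))
    return flows


def beacon_score(timestamps):
    """Mean gap and coefficient of variation of the gaps between connections."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if not gaps:
        return 0.0, float("inf")
    mean = sum(gaps) / len(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
    return mean, cv


def detect_beacons(flows, min_connections=6, max_cv=0.15):
    """Tuples with enough connections and gaps regular enough to look like a timer."""
    hits = {}
    for key, ts in flows.items():
        if len(ts) < min_connections:
            continue
        mean, cv = beacon_score(ts)
        if cv <= max_cv:
            hits[key] = {"connections": len(ts),
                         "mean_interval_s": round(mean, 1),
                         "cv": round(cv, 3)}
    return hits


if __name__ == "__main__":
    for key, info in detect_beacons(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(key, info)
```

The implant here checks in roughly every minute with a couple of seconds of jitter and is flagged; the user's browsing to the other host (gaps from 2 s to 20 min) is not. Real C2 frameworks add configurable jitter precisely to raise the CV, so in practice this score is combined with the long-tail view (the same destination contacted across days), byte-size regularity and destination reputation rather than used alone.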
Prevention and hardening
Code signing and supply chain controls. Sign every internal binary and artefact, verify signatures before execution or deployment, SLSA as the framework of build assurance levels, Sigstore or equivalents for verifiable signatures. An SBOM per deployed artefact and continuous monitoring of it against known vulnerabilities.
Hardware-backed MFA. Physical FIDO2 keys for privileged accounts, instead of SMS or OTP and push apps that an attacker can intercept or relay (real-time phishing proxies, SIM swap). Domain admin accounts: hardware key with no exceptions.
Secure Boot and attestation. Enable Secure Boot on every endpoint, configure Measured Boot and remote attestation with TPM 2.0 to detect firmware or bootloader changes. In sensitive environments, attestation against a central service on every boot.
Periodic threat hunting. Monthly or quarterly exercises looking for documented indicators, not just waiting for alerts. Review privileged accounts, persistence, authentication modifications, beaconing.
Network segmentation. Limit lateral movement. If a backdoor enters an endpoint, effective segmentation prevents reaching domain controllers, build systems or repositories without additional controls.
CI/CD pipeline hardening. Isolated pipelines, rotated secrets, reproducible builds, mandatory human review for critical infrastructure changes, runner integrity.
Difference from generic malware, rootkit and RAT
| Concept | Main function | Persistence | Typical detection |
|---|---|---|---|
| Generic malware | Any malicious code | Varies | Antivirus by signature, EDR by behaviour |
| Virus or worm | Automatic replication | Survives if it replicates | Signatures and propagation heuristics |
| Trojan | Trick user into executing payload | Depends on payload | EDR on execution and network |
| RAT | Interactive remote control | Yes, via service or task | EDR, network analytics on C2 |
| Rootkit | Hide presence by modifying OS | Yes, deep | Memory forensics, specific tools |
| Backdoor | Access bypassing authentication | Yes, persistent | Account auditing, hunting, network |
A single implant can be several of these at once. A RAT planted after exploitation leaves a backdoor; a rootkit typically contains a backdoor in its functionality. The distinction matters for describing the incident, not as exclusive categories.
Frequently asked questions
Is a backdoor always malware
No. It can be a forgotten admin account, an SSH key added with good intent and never rotated, an undocumented maintenance service. What defines a backdoor is its functional property (access bypassing controls), not its origin.
Can governments mandate backdoors
It depends on jurisdiction and on how lawful interception legislation is interpreted. The technical position of the cryptographic community is stable: a backdoor accessible to a legitimate authority is mathematically accessible to anyone who obtains the key by other means. No known design guarantees access only to a trusted actor while keeping the system secure against everyone else.
Can a firmware backdoor be detected
Yes, but it requires specific tools: CHIPSEC for Intel BIOS/UEFI, hash comparison against vendor values, platform attestation with TPM and Measured Boot. Standard antivirus doesn't cover this.
What do I do if I find a backdoor
Contain (network isolation, don't power off so memory is preserved), preserve evidence (memory, disk, logs), identify scope, eradicate every persistence mechanism (there are usually several), rotate credentials and secrets, run retesting to confirm complete eradication.
Is open source safe against backdoors
Not automatically. XZ Utils shows that a patient attacker can gain access to open source projects when the maintainer base is small. The advantage of open source is that auditing is possible; converting that possibility into effective security requires someone to audit with rigour, which only happens in critical projects with adequate funding.
Retesting after removing a backdoor
Essential. Partial eradication is one of the costliest mistakes in incident response. A competent attacker leaves several redundant mechanisms. Retesting must include active search for the same TTPs, review of privileged accounts, integrity validation of binaries and firmware and, if the incident was serious, reinforced monitoring for months.
Related resources
- Types of malware: classification and real examples
- What is MITRE ATT&CK: tactics and techniques
- What is threat hunting: methodology and examples
- What is EDR: endpoint detection and response
- Software supply chain attacks and DevSecOps
- What is a trojan: types and removal
- What is a CVE and how vulnerabilities are managed
Threat hunting and response with Secra
At Secra we run post-incident audits when a defensive team suspects that a compromise has left persistent backdoors and needs independent verification. Includes retrospective threat hunting over available telemetry (EDR, SIEM, network logs), review of privileged accounts and authentication mechanisms, active search for documented TTPs and eradication validation.
We also work on supply chain hardening: CI/CD pipelines, signing and integrity controls, build network segmentation, response plans for provider compromise.
If your organisation has suffered a recent incident or needs to validate that no residual access remains, contact us for an initial assessment.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.