HackTool:Win64/MeshAgent!MTB

The HackTool:Win64/MeshAgent!MTB threat exemplifies a trend where threat actors weaponize legitimate software, in this case the MeshAgent remote administration tool, to create a stealthy backdoor. This weaponized tool provides threat actors with full remote control over compromised devices, allowing them to run commands, transfer files, and maintain persistent access, all while operating under the guise of a legitimate process. Its effectiveness stems from its design; once installed, the agent can connect to a MeshCentral server without requiring further user interaction, and operations are performed under the powerful NT AUTHORITY\SYSTEM account, making its activities blend with normal system tasks. The use of a common remote management tool also complicates detection, as each generated MeshAgent binary is unique, rendering simple hash-based detection methods less effective. 

This malware is deployed as a secondary payload following an initial system breach. In one documented campaign, threat actors first gained administrative access by exploiting critical authentication bypass vulnerability, CVE-2025-31161, in CrushFTP software. After establishing this foothold, they installed the MeshAgent software to secure persistent remote access to the server. To further evade detection, the threat actors employed a technique known as "masquerading," renaming the malicious binary to nvspbind.exe to mimic a legitimate Windows network service binding binary and placing it within the deceptive directory path C:\Program Files\Windows NT\nvspbind\. 

Once installed, the backdoor establishes multiple mechanisms to ensure it survives Windows reboots and remains under the threat actor’s control. It creates a Windows service by adding a registry key at HKLM\System\CurrentControlSet\Services\Mesh Agent to store its configuration and ensure automatic startup. For additional resilience, it also creates a registry key at HKLM\System\CurrentControlSet\Control\SafeBoot\Network\MeshAgent, ensuring it can access network resources even if the system is booted into Safe Mode. Furthermore, the MeshAgent modifies Windows Firewall rules by adding an entry under HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRulesto explicitly allow incoming and outgoing WebRTC traffic, thus facilitating uninterrupted communication with its command-and-control (C2) server. The backdoor's network communication is designed for stealth. It is configured to connect to a C2 server operated by the attackers, with one identified server located at the IP address 193[.]46.255[.]73. The connection to this server is established over the WebSocket Secure (WSS) protocol on the standard port 443. By using this port, which is also used for normal, benign HTTPS web traffic, and employing encryption, the malicious communication channel is effectively hidden from plain sight, making it significantly more difficult for network security tools to detect and block the exfiltration of data or the reception of commands from the threat actor’s infrastructure.