BestHub
Sign in
Information Security 4 min read

Xshell Backdoor Discovered in Build 1326 – Critical Security Alert

A critical backdoor was discovered in NetSarang’s Xshell 5 Build 1326, where the nssock2.dll module contains malicious code that contacts a remote domain, affecting multiple NetSarang products; the article details the vulnerability, affected versions, behavior, and provides safe download links.

MaGe Linux Operations
MaGe Linux Operations
MaGe Linux Operations
Xshell Backdoor Discovered in Build 1326 – Critical Security Alert

Introduction

Xshell is a powerful, widely used terminal emulator for server operations and management, supporting SSH, SFTP, TELNET, RLOGIN and SERIAL. It offers industry‑leading performance and features such as tabbed sessions, dynamic port forwarding, custom key mapping, user‑defined buttons, VB scripts, Unicode support, Zmodem drag‑and‑drop, simple mode, full‑screen, transparency and custom layouts.

Vulnerability Details

Security researchers discovered that the official source code of the nssock2.dll module in recent Xshell (and other NetSarang products) contains a malicious backdoor.

The upgrade notice for version 5.0.1326 mentions a fix for nssock2.dll, hinting at a remote vulnerability.

Behavior Characteristics

Infected versions periodically request the domain nylalobghyhirgh.com, generating over 8 million accesses per day.

Data transmission appears to be exfiltrated via DNS tunneling.

Unaffected Versions

The following NetSarang products are reported as clean:

Xmanager Enterprise Build 1236

Xmanager Build 1049

Xshell Build 1326

Xftp Build 1222

Xlpd Build 1224

Official download links:

https://download.netsarang.com

https://download.netsarang.co.kr

Sources: 安全客, 绿盟 (360 Network Security Research Institute)
Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

information securityVulnerabilitynetwork securityRemote Code Executionbackdoor
MaGe Linux Operations
Written by

MaGe Linux Operations

Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment