Skip to content
July 10, 2026
  • Linkedin
  • Twitter
  • Facebook
  • Youtube

Daily CyberSecurity

Zero-hour alerts. Unmatched analysis.

Primary Menu
  • Home
  • CVE Watchtower
  • Cyber Criminals
  • Data Leak
  • Linux
  • Malware
  • Vulnerability
  • Submit Press Release
  • Vulnerability Report
Light/Dark Button
  • Home
  • Technique
  • SysJoker Backdoor
  • Technique

SysJoker Backdoor

Do Son February 16, 2022 4 minutes read
malware pic

Malicious actors have been creating software for nefarious purposes since the early days of computers. Although the actual idea of machines (code) being created to damage other machines (computer systems) autonomously could be traced as far back as the early 1940s. Throughout the last 5 decades, these kinds of malicious software have been placed into various categories. They have been called: Viruses, Creepers, Trojans where the most recent in our history can be classified into Ransomware, Spyware, Adware, or Backdoors. Ultimately, all these examples belong to one family of software called Malware (Malicious Software).

One of the most recent examples of Backdoor malware detected in the wild is called SysJoker, which was discovered in December 2021 by the cybersecurity firm Intezer. Being backdoor malware, SysJoker allows malicious actors to gain access to an infected system through a network backdoor that has been conveniently established by the malware. 

Although it was originally believed that SysJoker was only able to target systems running a Linux-based operating system and configuration, it was soon discovered that this malware had other variants. These variants that were discovered were also able to infect systems and PCs running Microsoft Windows infrastructures as well as Macintosh platforms. This means that while most malware is engineered to target specific systems, SysJoker has variants of itself for the majority of operating systems in use today.

How dangerous is having your system infected by this malware?

Because backdoors open direct access to your pc and network system to malicious actors, these actors could then monitor any network traffic to and from your devices and potentially execute scripts and install any applications they would like to. This could inherently be utilized for detailed industrial espionage or even more nefarious ends like ransomware and denial of service attacks bringing an organization to its knees.

It, therefore, doesn’t matter whether this malware infects your personal computer or that of your organization, this malware will always have a toxic outcome. The scary part is that unless your threat detection regime includes an up-to-date adaptive signature analysis engine you might not even be aware that your device is infected.

How does this piece of malicious software work?

Traditional anti-malware tools compare incoming applications to existing libraries containing existing malware signatures. These signatures are the code patterns that make up various kinds of malware. Your antivirus software will then compare the new software and files to the signatures in the database, flagging potential malicious software based on these signatures. The problem that arose with SysJoker however was that it was uniquely developed to specifically avoid utilizing any existing malware code sets that exist. Because of this anti-malware software was not able to identify the backdoor application as being malicious for many months. 

In Windows environments, SysJoker was observed to behave randomly before its initial process of establishment. It starts by creating folder infrastructure for itself and then installing itself by masquerading as a device driver. After another random period, it would create windows registry keys to establish itself as an application that the operating system trusts.

SysJoker then collects data from the device and the network it is connected to and transmits this information to the malicious third party in an encrypted format. What is interesting about SysJoker though is that its source code revealed that it can be remotely instructed to perform various tasks, even uninstalling itself remotely from the host. This can also be typical of zero-click malware.

How can organizations guard against it?

Since SysJoker is a very new kind of malware and none of the existing anti-malware solutions will be able to flag it as malicious yet. Organizations need to be proactive and start by actively running memory scanners to identify the various payloads going through the system memory of their various systems. Alternatively, for Windows environments up to date endpoint scanners will be able to provide system engineers with enough information to establish the origin of incoming traffic and binary code. The endpoint scanner operates in memory and looks for code that might be out of the ordinary.

Since this risk does not broadcast its malicious intent from the moment your system first comes into contact with it, the risk might be underestimated by system administrators and engineers. The truth of the matter is that this backdoor can most definitely be utilized to deliver payloads that are much more violent and malevolent. Keeping your organization’s security compliance in check should always remain a well-established priority across all systems and environments. 

Share this article:

Facebook Post LinkedIn Telegram

Search

Translation

CVE WATCHTOWER
🚨

Receive alerts for vulnerabilities being exploited in the wild.

⚡

Get notified instantly when a Proof of Concept (PoC) exploit is published.

🔍

Access critical info on vulnerabilities even when marked as "RESERVED".

🧠

Insights powered by decades of expertise and global intelligence sources.

🎯

Customize alerts with up to 10 keywords for your specific tech stack.

📊

Export the raw CVE database for SIEM integration and reporting.

Upgrade Package

🚨 Active Exploits in the Wild

  • CVE-2026-1207CVSS 5.4
    An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on...
    Admin intel📅 Updated: Jul 10, 2026
  • CVE-2026-48939
    A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment...
    CISA KEV📅 Added to KEV: Jul 10, 2026
  • CVE-2026-56291
    The Joomla extension Balbooa Forms is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files...
    CISA KEV📅 Added to KEV: Jul 10, 2026
  • CVE-2026-55255CVSS 8.4
    Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, an Insecure Direct...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-48908
    A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-56290
    The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-20896CVSS 9.8
    Gitea Docker image: `REVERSE_PROXY_TRUSTED_PROXIES = *` default lets any source IP impersonate any user via `X-WEBAUTH-USER`
    Admin intel📅 Updated: Jul 6, 2026
  • CVE-2026-48282CVSS 10.0
    ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted...
    Admin intelCISA KEV📅 Added to KEV: Jul 7, 2026📅 Updated: Jul 3, 2026
Powered by CVE Watchtower

🔴 Live Critical Threats

  • CVE-2026-61459CVSS 9.8
    MCP Server Kubernetes before 3.9.0 contains an argument injection vulnerability in structured...
  • CVE-2026-2397CVSS 9.8
    Improper neutralization of special elements used in an SQL command ('SQL injection')...
  • CVE-2026-5801CVSS 9.8
    Improper neutralization of special elements used in an SQL command ('SQL injection')...
  • CVE-2026-59151CVSS 9.6
    Prowler is a cloud security platform. Prior to 5.30.3, Prowler's SAML authentication...
  • CVE-2026-55500CVSS 9.9
    9Router is an AI router & token saver. Prior to 0.4.80, the...
  • CVE-2026-15143CVSS 9.3
    A flaw was found in the file_type content detector of guardrails-detectors. This...
  • CVE-2026-59792CVSS 9.6
    In JetBrains IntelliJ IDEA before 2026.1.4, 2026.2 code execution via path traversal...
  • CVE-2026-61444CVSS 9.1
    PraisonAI versions before 4.6.78 contain a code injection vulnerability in deploy/api.py where...
  • CVE-2026-56765CVSS 9.8
    Vikunja before 2.2.1 contains an authorization flaw where the LinkSharing.ReadAll endpoint exposes...
  • CVE-2026-56688CVSS 9.1
    Dell PowerFlex Manager, Version prior to 5.1.0.1, contain(s) an Improper Neutralization of...
Powered by CVE WATCHTOWER

Our Websites
  • Penetration Testing Tools
  • The Daily Information Technology
  • Daily CyberSecurity

    • About SecurityOnline.info
    • Advertise with us
    • Announcement
    • Contact
    • Contributor Register
    • Login
    • About SecurityOnline.info
    • Advertise on SecurityOnline.info
    • Contact Us

    When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works

    • Disclaimer
    • Privacy Policy
    • DMCA NOTICE
    • Linkedin
    • Twitter
    • Facebook
    • Youtube
    © 2017 - 2026 Daily CyberSecurity. All Rights Reserved.