Komari Red: The Monitoring Tool with a Built-in Reverse Shell
On April 16, 2026, a threat actor leveraged stolen VPN credentials to access a Windows workstation and deployed a SYSTEM-level backdoor using the Komari agent, an open-source monitoring tool with built-in command-and-control capabilities. The attacker authenticated through an SSLVPN session from IP 45.153.34[.]132 and used Impacket smbexec.py to enable RDP on the target system. The Komari agent was installed as a persistent Windows service named 'Windows Update Service' using NSSM, pulling the installer directly from the official GitHub repository. Komari provides bidirectional control through WebSocket connections, offering arbitrary command execution, interactive reverse shell access, and network probing capabilities by default. Microsoft Defender quarantined an earlier registry dump attempt, forcing the adversary to pivot to this GitHub-based approach. This represents the first publicly documented case of Komari being abused in a real-world intrusion.
AI Analysis (machine-generated threat intelligence)
Technical Summary
This threat involves the abuse of the Komari agent, an open-source monitoring tool with embedded command-and-control capabilities, by a threat actor who gained access to a Windows system through stolen VPN credentials. The attacker authenticated via an SSLVPN session from IP 45.153.34.132, used Impacket's smbexec.py to enable RDP, and installed Komari as a persistent Windows service using NSSM. Komari's functionality includes WebSocket-based bidirectional control, arbitrary command execution, reverse shell access, and network reconnaissance. The attacker leveraged GitHub infrastructure to pull the Komari installer after Microsoft Defender quarantined an earlier registry dump attempt. This case represents the first known real-world compromise involving Komari.
Potential Impact
The threat actor achieved SYSTEM-level persistence on a Windows workstation, enabling full remote control including arbitrary command execution and interactive reverse shell access. The use of stolen VPN credentials and enabling of RDP increased the attack surface and potential for lateral movement. The deployment of Komari as a persistent service allows long-term covert access and network probing. No known exploits or vulnerabilities in Komari itself are reported; the compromise resulted from credential theft and abuse of legitimate tools. The incident demonstrates the risk of open-source monitoring tools being repurposed for malicious command-and-control operations.
Mitigation Recommendations
No official patch or fix is applicable as this is an abuse of legitimate tools combined with credential compromise. Organizations should focus on securing VPN credentials, enforcing multi-factor authentication, monitoring for unusual VPN and RDP activity, and detecting unauthorized service installations such as those using NSSM. Endpoint protection solutions like Microsoft Defender can help detect and quarantine malicious activity, as demonstrated in this case. Review and restrict use of open-source tools like Komari in environments where they are not explicitly authorized. Patch status is not applicable; check vendor advisories for updates on detection capabilities.
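An added example (not from this page or the Huntress write-up) of the service-install check the recommendation calls for: it scans Windows System log Event ID 7045 ("A service was installed in the system") records and flags NSSM-wrapped services and lookalike "Windows Update" names whose binary lives outside System32. The record field layout is an assumption about how the events were exported, and the sample records are constructed.

```python
import re
from dataclasses import dataclass

# One Windows System log Event ID 7045 ("A service was installed in the system")
# record reduced to the fields this check needs; export format is an assumption.
@dataclass
class ServiceInstallEvent:
    record_id: int
    service_name: str   # ServiceName field
    image_path: str     # ImagePath field: binary plus arguments

# Where genuine Windows component binaries live.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# The real Windows Update service is 'wuauserv' (display name 'Windows Update'),
# hosted by svchost.exe under System32; anything else using the name is a lookalike.
LOOKALIKE_NAME = re.compile(r"windows\s*update", re.IGNORECASE)
NSSM_BINARY = re.compile(r"(^|\\)nssm(64)?\.exe$")

def executable_of(image_path):
    """Strip arguments and quotes from an ImagePath, lower-cased for matching."""
    p = image_path.strip()
    if p.startswith('"'):
        return p[1:p.find('"', 1)].lower()
    return p.split(" ")[0].lower()

def analyze(event):
    """Return the reasons a service install looks suspicious ([] if none)."""
    reasons = []
    exe = executable_of(event.image_path)
    if NSSM_BINARY.search(exe):
        reasons.append("service wrapped with NSSM")
    if LOOKALIKE_NAME.search(event.service_name) and not exe.startswith(SYSTEM_DIRS):
        reasons.append("lookalike Windows Update name with binary outside System32")
    return reasons

def scan(events):
    """Map record_id -> reasons for every flagged event."""
    return {e.record_id: r for e in events if (r := analyze(e))}

# Constructed sample records; 1001 mirrors the pattern described on this page.
SAMPLE_EVENTS = [
    ServiceInstallEvent(1001, "Windows Update Service", "C:\\Users\\Public\\nssm.exe"),
    ServiceInstallEvent(1002, "VendorBackupAgent", '"C:\\Program Files\\Vendor\\agent.exe" --service'),
    ServiceInstallEvent(1003, "wuauserv", "C:\\Windows\\system32\\svchost.exe -k netsvcs -p"),
    ServiceInstallEvent(1004, "Windows Update Service", "C:\\ProgramData\\updater\\wupdate.exe"),
]
```

Running `scan(SAMPLE_EVENTS)` flags records 1001 and 1004 and leaves the vendor agent and the genuine wuauserv entry alone; in production the same logic applies to records pulled from the System log rather than the constructed list.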
Indicators of Compromise
- hash: 039e659ade3aa8ee7758c11fdb8fbfffd2491920046d638413cea2042f6d584c
- ip: 45.153.34.132
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.huntress.com/blog/komari-c2-agent-abuse
- Adversary: null
- Pulse ID: 69f29e7612b827a15dfc7787
- Threat Score: null
Threat ID: 69f30676cbff5d86109ec9e7
Added to database: 4/30/2026, 7:36:22 AM
Last enriched: 4/30/2026, 7:51:25 AM
Last updated: 6/14/2026, 9:59:05 PM