Komari Red: The Monitoring Tool with a Built-in Reverse Shell
On April 16, 2026, a threat actor used stolen VPN credentials to access a Windows workstation and installed a SYSTEM-level backdoor via the Komari agent, an open-source monitoring tool with built-in command-and-control features. The attacker enabled RDP using Impacket's smbexec.py and deployed Komari as a persistent Windows service named 'Windows Update Service' using NSSM. Komari facilitates bidirectional control through WebSocket connections, allowing arbitrary command execution, interactive reverse shell access, and network probing. Microsoft Defender blocked an earlier registry dump attempt, prompting the attacker to switch to installing Komari from its official GitHub repository. This incident is the first publicly documented real-world abuse of Komari for intrusion purposes.
AI Analysis
Technical Summary
This threat involves the abuse of the Komari agent, an open-source monitoring tool with embedded command-and-control capabilities, by a threat actor who gained access to a Windows system through stolen VPN credentials. The attacker authenticated via an SSLVPN session from IP 45.153.34.132, used Impacket's smbexec.py to enable RDP, and installed Komari as a persistent Windows service using NSSM. Komari's functionality includes WebSocket-based bidirectional control, arbitrary command execution, reverse shell access, and network reconnaissance. The attacker leveraged GitHub infrastructure to pull the Komari installer after Microsoft Defender quarantined an earlier registry dump attempt. This case represents the first known real-world compromise involving Komari.
Potential Impact
The threat actor achieved SYSTEM-level persistence on a Windows workstation, enabling full remote control including arbitrary command execution and interactive reverse shell access. The use of stolen VPN credentials and enabling of RDP increased the attack surface and potential for lateral movement. The deployment of Komari as a persistent service allows long-term covert access and network probing. No known exploits or vulnerabilities in Komari itself are reported; the compromise resulted from credential theft and abuse of legitimate tools. The incident demonstrates the risk of open-source monitoring tools being repurposed for malicious command-and-control operations.
Mitigation Recommendations
No official patch or fix is applicable as this is an abuse of legitimate tools combined with credential compromise. Organizations should focus on securing VPN credentials, enforcing multi-factor authentication, monitoring for unusual VPN and RDP activity, and detecting unauthorized service installations such as those using NSSM. Endpoint protection solutions like Microsoft Defender can help detect and quarantine malicious activity, as demonstrated in this case. Review and restrict use of open-source tools like Komari in environments where they are not explicitly authorized. Patch status is not applicable; check vendor advisories for updates on detection capabilities.
Indicators of Compromise
- hash: 039e659ade3aa8ee7758c11fdb8fbfffd2491920046d638413cea2042f6d584c
- ip: 45.153.34.132
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.huntress.com/blog/komari-c2-agent-abuse
- Adversary: null
- Pulse Id: 69f29e7612b827a15dfc7787
- Threat Score: null
Threat ID: 69f30676cbff5d86109ec9e7
Added to database: 4/30/2026, 7:36:22 AM
Last enriched: 4/30/2026, 7:51:25 AM
Last updated: 4/30/2026, 7:15:50 PM