Hackers backdoor telecom providers with new HTTPSnoop malware in the Middle East

New malware named HTTPSnoop and PipeSnoop is being used in cyberattacks on telecommunication service providers in the Middle East, allowing threat actors to remotely execute commands on infected devices.

The HTTPSnoop malware interfaces with Windows HTTP kernel drivers and devices to execute content on the infected endpoint based on specific HTTP(S) URLs, while PipeSnoop accepts and executes arbitrary shellcode from a named pipe.

According to a report by Cisco Talos, the two implants belong to the same intrusion set named 'ShroudedSnooper' but serve different operational goals in terms of the level of infiltration.

Both implants masquerade as security components of the Palo Alto Networks Cortex XDR product to evade detection.