Smoke and mirrors A strange signed backdoor
Sophos X-Ops discovered a curious backdoored and signed executable masquerading as something else. The file was bundled with LaiXi Android Screen Mirroring software. Technical analysis revealed it installs a service called CatalogWatcher and embeds a tiny proxy server likely to monitor and intercept traffic. Variants were found dating back to early 2023 some signed with valid Microsoft certificates. Sophos and Microsoft worked together to revoke the certificates used.