Malware in the Backups: How a Restoration Almost Brought the Attacker Back
How Stance MDR caught a reinfection attempt hidden in company backups, and what it cost to leave them unclean
Company Industry: Finance/Insurance
Attack Type: Malware persistence via compromised backups
Detection Time: <1 minute to acknowledgement; 5 minutes to action
Outcome: Prevented malware execution and reinfection; zero operational impact
Before the Restore
This company had already weathered a security incident and recovered. Their managed service provider (MSP) had coordinated recovery from backup, operations had resumed, and the incident was considered closed.
What was missing: no validation that backups themselves had been sanitized of malware from the original breach. The MSP’s recovery restored operations and IT continuity, but no one had checked whether the restore-from-backup process would inadvertently reintroduce the threat. Backup remediation and backup restoration are two different workflows, and they didn’t overlap.
What Happened
A routine backup job initiated a restoration to user workstations, standard IT procedure. What triggered immediately was an alert from At-Bay Stance MDR: a malicious document was being restored to the network as part of the backup recovery.
The document contained embedded macros designed to download and execute malware. It was part of the original breach and had never been removed from the company’s backup store. Without detection, the restoration would have reestablished attacker access on the network during what the company thought was routine recovery.
How At-Bay Responded
- Detection: Stance MDR’s behavioral analysis flagged the malicious document during the restore operation, before execution, based on file characteristics and embedded macro signatures indicative of known trojan vectors.
- Containment: At-Bay’s MDR team immediately halted the restoration process and copy commands, then temporarily quarantined the affected systems to prevent accidental execution or command-and-control callbacks.
- Investigation: Forensic analysis identified the root cause: a Microsoft Word document containing embedded macros that functioned as a downloader for malware. Investigation confirmed the malware persisted in both the restored instance and the source backup repository, meaning the threat could propagate again if left in place.
- Remediation: At-Bay executed targeted file removal to eliminate the malicious document from both the restored workstation and the source backup repository. This broke the persistence chain and prevented future reinfection attempts during subsequent backup operations.
- Monitoring: Continued Stance MDR coverage ensured no attacker attempts to re-establish presence or lateral movement post-remediation.
At-Bay didn’t just stop the immediate threat, we removed it from the source so it couldn’t come back the next time the company needed to restore from backup.
The Outcome
The malware was contained before execution. Zero impact to business operations. But the incident revealed a critical gap in standard incident response: backups had never been cleansed of malware from the original breach.
By removing the threat from backup systems, At-Bay eliminated a persistent reinfection vector that traditional IR workflows and IT operations had completely overlooked. The client discovered that their backup sanitization process had a blind spot, one that could have cost them in a second incident.
Stop Hidden Reinfection Threats with MDR
MSPs and backup solutions focus on IT continuity: restoring systems and getting operations back online. But continuous threat monitoring is a different discipline. Without detection and validation at the point of restore, malware dormant in backups can silently propagate back into production during routine recovery procedures.
At-Bay Stance Managed Detection & Response (MDR) catches threats that survive initial remediation, including malware hiding in backups. At-Bay’s MDR experts monitor endpoints, cloud, email, and identity around the clock, flagging reinfection attempts before they execute.
*Response timelines differ. Past results do not guarantee future outcomes. This content is provided for information purposes only and is not intended to define any Policy commitment. No warranty is given or liability accepted regarding this information.
At-Bay Stance MDR is provided by At-Bay Security, LLC (“At-Bay Security”), and available to eligible businesses with or without an insurance policy placed through At-Bay Insurance Services, LLC. At-Bay Security, LLC is a wholly owned subsidiary of At-Bay, Inc., providing cybersecurity services including MDR and incident response. At-Bay Security, LLC does not provide insurance services.