Tag: backdoor

Zero-day exploits hit enterprises faster and harder

Mar 6, 2026 9:48 AM

Tags: access, apple, attack, backdoor, business, china, cisco, cve, data, detection, endpoint, espionage, exploit, firewall, flaw, fortinet, google, group, hacker, infrastructure, ivanti, least-privilege, mobile, network, oracle, radius, ransomware, risk, router, russia, service, software, technology, threat, update, vpn, vulnerability, zero-day

Enterprise environments under siege: Chinese threat actors continued to display a preference for targets that are difficult to monitor and allow persistent access to strategic networks. Notable examples include the groups that GTIG tracks as UNC5221, which exploited a flaw in Ivanti Connect Secure (CVE-2025-0282) and UNC3886, which exploited a vulnerability in Juniper routers (CVE-2025-21590).Another…
APT28-Linked Campaign Deploys BadPaw Loader and MeowMeow Backdoor in Ukraine

Mar 5, 2026 12:47 PM

Tags: attack, backdoor, cyber, cybersecurity, email, malware, phishing, russia, ukraine

Cybersecurity researchers have disclosed details of a new Russian cyber campaign that has targeted Ukrainian entities with two previously undocumented malware families named BadPaw and MeowMeow.”The attack chain initiates with a phishing email containing a link to a ZIP archive. Once extracted, an initial HTA file displays a lure document written in Ukrainian concerning border…
Analyse von Knowbe4 – Angreifer missbrauchen RMM-Tools als Backdoor

Mar 3, 2026 4:46 PM

Tags: backdoor, tool

First seen on security-insider.de Jump to article: www.security-insider.de/knowbe4-entdeckt-gefaehrliche-phishing-angriffskampagne-a-03dba37a8f860661e1ad565dff24d2c6/
SloppyLemming Espionage Campaign Targets Pakistan, Bangladesh with BurrowShell Backdoor and Rust RAT

Mar 3, 2026 3:47 PM

Tags: access, backdoor, cyber, data-breach, espionage, group, india, rat, rust, tool

SloppyLemming, an India-linked espionage group also known as Outrider Tiger and Fishing Elephant, has run a year-long cyber campaign against high”‘value targets in Pakistan and Bangladesh using a new BurrowShell backdoor and a Rust-based remote access tool (RAT). This activity builds directly on earlier operations exposed by Cloudflare’s CloudForce One in 2024. However, it shows…
Dust Specter APT Targets Government Officials in Iraq

Mar 2, 2026 5:47 PM

Tags: access, ai, api, apt, attack, backdoor, browser, chrome, cisco, cloud, control, data, detection, encryption, google, government, group, infrastructure, iran, iraq, malicious, malware, monitoring, network, open-source, password, powershell, rat, service, social-engineering, software, threat, tool, update, windows

IntroductionIn January 2026, Zscaler ThreatLabz observed activity by a suspected Iran-nexus threat actor targeting government officials in Iraq. ThreatLabz discovered previously undocumented malware including SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. Due to significant overlap in tools, techniques, and procedures (TTPs), as well as victimology, between this campaign and activity associated with Iran-nexus APT groups, ThreatLabz assesses with medium-to-high confidence that an…
APT37 combines cloud storage and USB implants to infiltrate air-gapped systems

Mar 2, 2026 3:47 PM

Tags: apt, backdoor, breach, cloud, group, korea, malware, network, north-korea, tool

North Korea-linked APT 37 used Zoho WorkDrive and USB malware to breach air-gapped networks in the Ruby Jumper campaign. North Korean group ScarCruft (aka APT37, Reaper, and Group123) deployed new tools in a campaign dubbed Ruby Jumper, using a backdoor that leverages Zoho WorkDrive for C2 and a USB-based implant to breach air-gapped systems. Zscaler ThreatLabz…
Malicious Go Crypto Module Steals Passwords, Deploys Rekoobe Backdoor

Feb 27, 2026 6:37 PM

Tags: access, backdoor, crypto, cybersecurity, linux, malicious, password

Cybersecurity researchers have disclosed details of a malicious Go module that’s designed to harvest passwords, create persistent access via SSH, and deliver a Linux backdoor named Rekoobe.The Go module, github[.]com/xinfeisoft/crypto, impersonates the legitimate “golang.org/x/crypto” codebase, but injects malicious code that’s responsible for exfiltrating secrets entered via terminal password First seen on thehackernews.com Jump to article:…
Analyse von Sysdig – So werden Self-hosted GitHub Actions Runner als Backdoors missbraucht

Feb 27, 2026 4:37 PM

Tags: backdoor, github

First seen on security-insider.de Jump to article: www.security-insider.de/analyse-shai-hulud-malware-github-actions-runner-a-795c09f6fb3c8ab1ecee8133fd6f95ce/
ScarCruft Uses Zoho WorkDrive and USB Malware to Breach Air-Gapped Networks

Feb 27, 2026 2:37 PM

Tags: backdoor, breach, communications, control, malware, network, north-korea, threat, tool

The North Korean threat actor known as ScarCruft has been attributed to a fresh set of tools, including a backdoor that uses Zoho WorkDrive for command-and-control (C2) communications to fetch more payloads and an implant that uses removable media to relay commands and breach air-gapped networks.The campaign, codenamed Ruby Jumper by Zscaler ThreatLabz, involves the…
Dohdoor Malware Targets U.S. Schools and Healthcare with Multi-Stage Attack

Feb 27, 2026 1:37 PM

Tags: attack, backdoor, cisco, cyber, data, healthcare, malware

A new backdoor dubbed Dohdoor is actively targeting schools and health care organizations in the United States through a stealthy multi-stage attack chain. UAT-10027 focuses on education and health care entities in the U.S., sectors that handle highly sensitive personal and medical data but often have limited security budgets and legacy systems. Cisco Talos assesses with low…
Malicious Go Crypto Module Steals Passwords, Deploys Rekoobe Backdoor in Developer Environments

Feb 27, 2026 10:36 AM

Tags: backdoor, crypto, cryptography, cyber, linux, malicious, open-source, password

Malicious actors are abusing Go’s open-source ecosystem by deploying a backdoored crypto module that steals passwords and installs a Rekoobe Linux backdoor on developer and CI environments. The package imitates Go’s trusted cryptography library to turn ordinary password prompts into a full compromise chain quietly. On pkg.go.dev it appears as a normal cryptography library with…
UAT-10027 campaign hits U.S. education and healthcare with stealthy Dohdoor backdoor

Feb 26, 2026 9:36 PM

Tags: access, backdoor, cisco, healthcare, phishing, powershell, threat

UAT-10027 campaign is targeting U.S. education and healthcare sectors to deploy a new Dohdoor backdoor. Cisco Talos has identified a new threat cluster, tracked as UAT-10027, targeting U.S. education and healthcare organizations since at least December 2025 to deploy a previously unseen backdoor named Dohdoor. Initial access likely occurs through phishing, triggering a PowerShell script…
Suspected Chinese Cyberespionage Operation Hits 53 Telecoms

Feb 26, 2026 7:37 PM

Tags: backdoor, china, control, cyberespionage, google, group, hacker, hacking, infrastructure

Google Unmasks, Disrupts Group Using Sheets for Command-and-Control Purposes. Likely Chinese nation-state hackers used online spreadsheets as infrastructure for hacking campaigns that affected at least 53 telecom operators across 42 countries, Google disclosed Wednesday. Incident responders discovered a backdoor being remotely controlled through Google Sheets. First seen on govinfosecurity.com Jump to article: www.govinfosecurity.com/suspected-chinese-cyberespionage-operation-hits-53-telecoms-a-30857
UAT-10027 Targets U.S. Education and Healthcare with Dohdoor Backdoor

Feb 26, 2026 5:37 PM

Tags: attack, backdoor, cisco, dns, healthcare, malicious, threat

A previously undocumented threat activity cluster has been attributed to an ongoing malicious campaign targeting education and healthcare sectors in the U.S. since at least December 2025.The campaign is being tracked by Cisco Talos under the moniker UAT-10027. The end goal of the attacks is to deliver a never-before-seen backdoor codenamed Dohdoor.”Dohdoor utilizes the DNS-over-HTTPS…
UAT-10027 Targets U.S. Education and Healthcare with Dohdoor Backdoor

Feb 26, 2026 5:37 PM

Tags: attack, backdoor, cisco, dns, healthcare, malicious, threat

A previously undocumented threat activity cluster has been attributed to an ongoing malicious campaign targeting education and healthcare sectors in the U.S. since at least December 2025.The campaign is being tracked by Cisco Talos under the moniker UAT-10027. The end goal of the attacks is to deliver a never-before-seen backdoor codenamed Dohdoor.”Dohdoor utilizes the DNS-over-HTTPS…
APT37 Adds New Capabilities for Air-Gapped Networks

Feb 26, 2026 5:37 PM

Tags: access, android, api, attack, authentication, backdoor, cloud, communications, computer, credentials, data, detection, endpoint, google, government, group, Hardware, infection, infrastructure, injection, Internet, malicious, malware, microsoft, monitoring, network, north-korea, powershell, service, social-engineering, threat, tool, update, windows

IntroductionIn December 2025, Zscaler ThreatLabz discovered a campaign linked to APT37 (also known as ScarCruft, Ruby Sleet, and Velvet Chollima), which is a DPRK-backed threat group. In this campaign, tracked as Ruby Jumper by ThreatLabz, APT37 uses Windows shortcut (LNK) files to initiate an attack that utilizes a set of newly discovered tools. These tools, RESTLEAF, SNAKEDROPPER, THUMBSBD, and VIRUSTASK,…
APT37 Adds New Capabilities for Air-Gapped Networks

Feb 26, 2026 5:37 PM

Tags: access, android, api, attack, authentication, backdoor, cloud, communications, computer, credentials, data, detection, endpoint, google, government, group, Hardware, infection, infrastructure, injection, Internet, malicious, malware, microsoft, monitoring, network, north-korea, powershell, service, social-engineering, threat, tool, update, windows

IntroductionIn December 2025, Zscaler ThreatLabz discovered a campaign linked to APT37 (also known as ScarCruft, Ruby Sleet, and Velvet Chollima), which is a DPRK-backed threat group. In this campaign, tracked as Ruby Jumper by ThreatLabz, APT37 uses Windows shortcut (LNK) files to initiate an attack that utilizes a set of newly discovered tools. These tools, RESTLEAF, SNAKEDROPPER, THUMBSBD, and VIRUSTASK,…
UAT-10027 Targets U.S. Education and Healthcare with Dohdoor Backdoor

Feb 26, 2026 5:37 PM

Tags: attack, backdoor, cisco, dns, healthcare, malicious, threat

A previously undocumented threat activity cluster has been attributed to an ongoing malicious campaign targeting education and healthcare sectors in the U.S. since at least December 2025.The campaign is being tracked by Cisco Talos under the moniker UAT-10027. The end goal of the attacks is to deliver a never-before-seen backdoor codenamed Dohdoor.”Dohdoor utilizes the DNS-over-HTTPS…
UAT-10027 Targets U.S. Education and Healthcare with Dohdoor Backdoor

Feb 26, 2026 5:37 PM

Tags: attack, backdoor, cisco, dns, healthcare, malicious, threat

A previously undocumented threat activity cluster has been attributed to an ongoing malicious campaign targeting education and healthcare sectors in the U.S. since at least December 2025.The campaign is being tracked by Cisco Talos under the moniker UAT-10027. The end goal of the attacks is to deliver a never-before-seen backdoor codenamed Dohdoor.”Dohdoor utilizes the DNS-over-HTTPS…
Google Disrupts ‘Prolific’ and ‘Elusive’ China-Linked Global Hacking Campaign

Feb 26, 2026 2:40 PM

Tags: backdoor, china, cyber, espionage, google, hacking

UNC2814 hit 53 victims in 42 countries with novel backdoor in decade long cyber espionage operation First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/google-prolific-china-hacking/
New Dohdoor malware campaign targets education and health care

Feb 26, 2026 12:36 PM

Tags: backdoor, cisco, malicious, malware, threat

Cisco Talos discovered an ongoing malicious campaign since at least as early as December 2025 by a threat actor we track as “UAT-10027,” delivering a previously undisclosed backdoor dubbed “Dohdoor.” First seen on blog.talosintelligence.com Jump to article: blog.talosintelligence.com/new-dohdoor-malware-campaign/
Fake Next.js job interview tests backdoor developer’s devices

Feb 25, 2026 11:37 PM

Tags: backdoor, jobs, malicious, microsoft, software

The Microsoft Defender team has discovered a coordinated campaign targeting software developers through malicious repositories posing as legitimate Next.js projects and technical assessment materials, including recruiting coding tests. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/fake-nextjs-job-interview-tests-backdoor-developers-devices/
Malicious NuGet Packages Stole ASP.NET Data; npm Package Dropped Malware

Feb 25, 2026 3:37 PM

Tags: backdoor, cybersecurity, data, identity, malicious, malware

Cybersecurity researchers have discovered four malicious NuGet packages that are designed to target ASP.NET web application developers to steal sensitive data.The campaign, discovered by Socket, exfiltrates ASP.NET Identity data, including user accounts, role assignments, and permission mappings, as well as manipulates authorization rules to create persistent backdoors in victim applications. First seen on thehackernews.com Jump…
Hackers Exploit Cortex XDR Live Terminal for C2 Communications

Feb 25, 2026 2:37 PM

Tags: backdoor, communications, cyber, edr, exploit, hacker, malicious, tool

Hackers can repurpose the Cortex XDR Live Terminal feature as a stealthy, EDR”‘trusted command”‘and”‘control (C2) channel, effectively turning a built”‘in response tool into a “living off the land” backdoor on protected endpoints. This abuse leverages the agent’s trusted communications and flexible remote”‘execution capabilities to blend malicious operations into normal Cortex XDR traffic. Cortex XDR Live…
Microsoft Alerts Developers of Malicious Next.js Repositories Used in Ongoing Hacker Attacks

Feb 25, 2026 7:05 AM

Tags: attack, backdoor, cyber, hacker, malicious, malware, microsoft, threat

Microsoft has warned that threat actors are weaponizing malicious Next.js repositories to compromise developers through what appear to be legitimate projects and recruiting”‘style technical assessments. The campaign abuses normal workflows in Visual Studio Code and Node.js to reach a staged command”‘and”‘control (C2) backdoor without relying on traditional malware installers. Attackers publish repositories that appear to…
Malicious NuGet Packages Target ASP.NET Developers to Steal Login Credentials

Feb 24, 2026 1:02 PM

Tags: backdoor, credentials, cyber, identity, login, malicious

Malicious NuGet packages posing as legitimate developer utilities are targeting ASP.NET projects to steal identity credentials and silently backdoor applications through a localhost proxy. All four were published between August 1221, 2024, by a NuGet user named “hamzazaheer” and have collectively amassed a little over 4,500 downloads before takedown requests were submitted. The campaign’s core…
UnsolicitedBooker Targets Central Asian Telecoms With LuciDoor and MarsSnake Backdoors

Feb 24, 2026 12:00 PM

Tags: attack, backdoor, group, threat

The threat activity cluster known as UnsolicitedBooker has been observed targeting telecommunications companies in Kyrgyzstan and Tajikistan, marking a shift from prior attacks aimed at Saudi Arabian entities.The attacks involve the deployment of two distinct backdoors codenamed LuciDoor and MarsSnake, according to a report published by Positive Technologies last week.”The group used several First seen…
Fake Huorong Site Delivers ValleyRAT Backdoor in Targeted Malware Campaign

Feb 24, 2026 9:02 AM

Tags: access, antivirus, backdoor, cyber, framework, malware

A typosquatted copy of the popular Huorong Security antivirus site is being used to deliver ValleyRAT, a modular remote access trojan (RAT) built on the Winos4.0 framework, to users who believe they are downloading legitimate protection software. The attackers registered huoronga[.]com adding a single “a” to the legitimate huorong.cn domain as part of a typosquatting strategy designed…
Anthropic’s Claude Code Security rollout is an industry wakeup call

Feb 24, 2026 8:01 AM

Tags: ai, attack, backdoor, ceo, ciso, cloud, control, cyber, cybersecurity, detection, exploit, group, LLM, open-source, risk, saas, service, soc, tool, update, vulnerability, zero-day, zero-trust

Anchors security posture to the model: However, those assurances didn’t make all concerns evaporate. “The moment those vibe coders plug a foundation model into their CI pipeline, their entire security posture is no longer anchored only to the company’s code,” I-Gentic AI CEO Zahra Timsah pointed out.”It is anchored to the current behavior of that model.…
VPN flaws allowed Chinese hackers to compromise dozens of Ivanti customers, says report

Feb 23, 2026 6:01 PM

Tags: access, backdoor, china, exploit, flaw, hacker, ivanti, network, vpn

Chinese hackers allegedly broke into the network of an Ivanti subsidiary in 2021. The hackers exploited a backdoor in its VPN product, which allowed the hackers to gain access to 119 other unnamed organizations. First seen on techcrunch.com Jump to article: techcrunch.com/2026/02/23/vpn-flaws-allowed-chinese-hackers-to-compromise-dozens-of-ivanti-customers-says-report/