TAMECAT PowerShell backdoor deployment and exfiltration
Malware Activity
Summary
TAMECAT is being used as a PowerShell backdoor to maintain persistent access on compromised hosts and move stolen data out over HTTPS, Discord, and Telegram. The malware matters because it adds remote command execution, host reconnaissance, browser data theft, mailbox collection, and screenshot capture to the operator's intrusion toolkit.
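A practical check that follows from the summary above is to flag PowerShell-hosted processes that open connections to Discord or Telegram API hosts, since a backdoor living in PowerShell has to reach those services from the PowerShell process itself. The script below is an added example written for this page; it is not TAMECAT code and not a detection rule from the cited reporting. It assumes Sysmon-style network-connection events (Event ID 3) flattened to key=value lines, and the suspect host list, the log layout, and the sample events are all constructed for the example.

```python
"""Flag PowerShell-hosted processes that contact Discord/Telegram API hosts.

Constructed example for this page, not TAMECAT's code or a vendor rule.
Input lines imitate Sysmon Event ID 3 (network connection) records flattened
to key=value pairs; the log format and host list are assumptions.
"""
import re
from dataclasses import dataclass

# Hosts a PowerShell process rarely has a legitimate reason to contact.
# Assumed exfil endpoints for this example; tune to your environment.
SUSPECT_HOSTS = {
    "discord.com": "Discord webhook/API",
    "discordapp.com": "Discord webhook/API",
    "api.telegram.org": "Telegram bot API",
}

# Images that host PowerShell; matched case-insensitively on the basename.
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# key=value pairs; values may be double-quoted (needed for paths with spaces).
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Hit:
    utc: str
    image: str
    pid: int
    dest: str
    reason: str


def parse_line(line: str) -> dict:
    """Parse one flattened event into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def is_powershell(image_path: str) -> bool:
    """True if the image basename is a known PowerShell host binary."""
    base = image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return base in POWERSHELL_IMAGES


def suspect_host(hostname: str):
    """Return a reason string if hostname is a suspect host or a subdomain of one."""
    h = hostname.lower().rstrip(".")
    for base, why in SUSPECT_HOSTS.items():
        if h == base or h.endswith("." + base):
            return why
    return None


def scan(lines):
    """Return Hit records for PowerShell network connections to suspect hosts."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev.get("EventID") != "3":          # only network-connection events
            continue
        if not is_powershell(ev.get("Image", "")):
            continue
        why = suspect_host(ev.get("DestinationHostname", ""))
        if why is None:
            continue
        hits.append(Hit(ev.get("UtcTime", "?"), ev["Image"],
                        int(ev.get("ProcessId", 0)),
                        ev["DestinationHostname"], why))
    return hits


# Constructed sample events (not real telemetry). Only the first and third
# lines should fire: a browser reaching discord.com is normal traffic, and the
# last PowerShell connection goes to a host outside the suspect list.
SAMPLE_LOG = [
    'EventID=3 UtcTime="2025-11-14 16:40:01" Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" ProcessId=4120 DestinationHostname=discord.com DestinationPort=443',
    'EventID=3 UtcTime="2025-11-14 16:40:05" Image="C:\\Program Files\\Mozilla Firefox\\firefox.exe" ProcessId=2210 DestinationHostname=discord.com DestinationPort=443',
    'EventID=3 UtcTime="2025-11-14 16:41:12" Image="C:\\Program Files\\PowerShell\\7\\pwsh.exe" ProcessId=5580 DestinationHostname=api.telegram.org DestinationPort=443',
    'EventID=1 UtcTime="2025-11-14 16:41:13" Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" ProcessId=4120 CommandLine="powershell -nop -w hidden"',
    'EventID=3 UtcTime="2025-11-14 16:42:00" Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" ProcessId=4120 DestinationHostname=update.microsoft.com DestinationPort=443',
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.utc} pid={h.pid} {h.image} -> {h.dest} ({h.reason})")
```

The process-to-destination pairing is the point: matching on the destination alone produces noise from browsers and chat clients, while matching on the PowerShell host alone misses the exfil channel. Expect to extend the suspect list and, in practice, to pivot from a hit to the command line and parent process of the flagged PID.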
Related Happenings
Webworm EchoCreep and GraphWorm backdoor expansion
Malware Activity
First: 20.05.2026 15:51
Last: 20.05.2026 15:51
Sources 1
About this happening:
**Webworm** expanded its malware arsenal in **2025** with the custom backdoors **EchoCreep** and **GraphWorm**, increasing its ability to run stealthy **command-and-control** oper...
Vidar infostealer market rise and distribution expansion
Malware Activity
First: 28.04.2026 22:07
Last: 28.04.2026 22:07
Sources 1
About this happening:
**Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
UAT-10027 U.S. education and healthcare targeting campaign
Campaign
First: 26.02.2026 17:17
Last: 26.02.2026 17:17
Sources 1
About this happening:
**UAT-10027** is running an active **campaign** against **U.S. education and healthcare organizations**, and the activity matters because it delivers a new backdoor and supporting...
Dohdoor backdoor activity on Windows endpoints
Malware Activity
First: 26.02.2026 17:17
Last: 26.02.2026 17:17
Sources 1
About this happening:
A new **Dohdoor** backdoor is being used to provide **DNS-over-HTTPS (DoH)** C2 and **reflective payload execution** on **Windows** endpoints, increasing stealth and post-compromi...
MIMICRAT (aka AstarionRAT) ClickFix-delivered RAT activity
Malware Activity
First: 20.02.2026 13:55
Last: 20.02.2026 13:55
Sources 1
About this happening:
The **MIMICRAT (aka AstarionRAT)** malware has been disclosed as a **ClickFix-delivered RAT** that enables **Windows token impersonation** and **SOCKS5 tunneling**, increasing the...
Timeline
14.11.2025 16:40 · 2 articles
TAMECAT PowerShell backdoor deployment and exfiltration
Initial Disclosure: The initial stage centers on **TAMECAT** being delivered as a **PowerShell backdoor** after a malicious link chain reaches a loader. This phase establishes the foothold needed for **persistent access** and follow-on exfiltration.
Sources
- Iranian Hackers Launch ‘SpearSpecter’ Spy Operation on Defense & Government Targets — thehackernews.com — 14.11.2025 16:40