Find notable cyber news and cases, enriched with sources, timelines, and signals.

FINALDRAFT and ShadowPad toolchain activity

Malware Activity
First reported
Last updated
Happening score
H score 26
1 unique sources, 1 articles

Summary

Hide ▲

A new FINALDRAFT malware variant and ShadowPad tooling are being used to increase stealth and exfiltration throughput inside compromised networks. The activity supports stealthy lateral movement and multi-stage deployment, raising the risk that one foothold can spread and persist. The malware chain affects Windows and Linux environments and is part of an intrusion toolkit that also uses Cobalt Strike and web shells.

Related Happenings

Backdoor.Turn Microsoft Teams TURN relay malware activity

Malware Activity
H score29 First: 16.06.2026 13:18 Last: 16.06.2026 13:18 Sources 1

About this happening: **Backdoor.Turn** is a **Go-based RAT** tied to **DragonForce ransomware** operators that hid command-and-control traffic through **Microsoft Teams TURN relay infrastructure** dur...

OpenClaw outbound-mail approval gates and trust-scoped connector controls

Defensive Guidance
H score11 First: 11.06.2026 20:46 Last: 11.06.2026 20:46 Sources 1

About this happening: OpenClaw operators are adding **outbound-mail approval gates**, **trust-scoped connector access**, and **human approval** for risky actions to reduce **agent phishing** and unauth...

Glassworm botnet command-and-control disruption

Malware Activity
H score10 First: 27.05.2026 17:00 Last: 27.05.2026 17:00 Sources 1

About this happening: The **Glassworm** botnet had all **four command-and-control channels** disrupted, cutting operators off from infected machines and blocking new payload delivery. The infrastructur...

RondoDox botnet expands mining and DDoS capabilities

Malware Activity
H score31 First: 16.04.2026 20:52 Last: 16.04.2026 20:52 Sources 1

About this happening: **RondoDox botnet** now combines **cryptocurrency mining with XMRig** and **DDoS attacks**, expanding both monetization and disruption risk across exposed systems. It reaches targ...

UAT-9244 TernDoor, PeerTime, and BruteEntry malware activity

Malware Activity
H score22 First: 06.03.2026 01:19 Last: 06.03.2026 01:19 Sources 1

About this happening: A **China-linked** malware cluster has been using **TernDoor**, **PeerTime**, and **BruteEntry** to compromise **telecommunication providers in South America** and turn infected s...

Timeline

  1. 17.12.2025 13:12 2 articles · 6mo ago

    FINALDRAFT variant and ShadowPad relay tooling described

    Technical Analysis Update

    Check Point described a new FINALDRAFT variant with enhanced stealth, higher exfiltration throughput, and a modular command framework that pushes encoded command documents to a victim mailbox, where the implant pulls, decrypts, and executes them. The activity also uses ShadowPad Loader and a custom ShadowPad IIS Listener to turn compromised IIS and SharePoint servers into relay infrastructure, support command proxying, and enable reconnaissance, payload staging, and lateral movement across Windows and Linux environments.

    Show sources