Dohdoor backdoor activity on Windows endpoints
Malware Activity
Summary
Hide ▲
Show ▼
A new Dohdoor backdoor is being used to provide DNS-over-HTTPS (DoH) C2 and reflective payload execution on Windows endpoints, increasing stealth and post-compromise control. Delivery appears to rely on suspected phishing, PowerShell, batch scripting, and DLL side-loading through legitimate Windows binaries. The implant can also fetch a Cobalt Strike Beacon while masking traffic behind Cloudflare infrastructure.
Related Happenings
TonRAT Node.js implant with TON blockchain C2
Malware Activity
H score24
First: 26.06.2026 12:27
Last: 26.06.2026 12:27
Sources 1
About this happening:
**TonRAT** is using a **Node.js implant** to hide command-and-control lookups behind the **TON blockchain API**, increasing the chance that blocking and detection will fail. The a...
TonRAT Node.js implant with TON blockchain C2
Malware ActivityAbout this happening: **TonRAT** is using a **Node.js implant** to hide command-and-control lookups behind the **TON blockchain API**, increasing the chance that blocking and detection will fail. The a...
Beagle backdoor distributed via fake Claude site and DLL sideloading
Malware Activity
H score23
First: 07.05.2026 16:15
Last: 07.05.2026 16:15
Sources 1
About this happening:
The **Beagle** backdoor is now being distributed through a **fake Claude website**, putting **Windows users** at risk of infection through a **DLL sideloading chain**. The lure de...
Beagle backdoor distributed via fake Claude site and DLL sideloading
Malware ActivityAbout this happening: The **Beagle** backdoor is now being distributed through a **fake Claude website**, putting **Windows users** at risk of infection through a **DLL sideloading chain**. The lure de...
EtherRAT malicious MSI loader with Ethereum-based C2
Malware Activity
H score23
First: 30.04.2026 14:30
Last: 30.04.2026 14:30
Sources 1
About this happening:
The **EtherRAT** malware is being delivered through **malicious MSI installers** and gives attackers **persistent Windows access**, increasing the risk of covert control inside en...
EtherRAT malicious MSI loader with Ethereum-based C2
Malware ActivityAbout this happening: The **EtherRAT** malware is being delivered through **malicious MSI installers** and gives attackers **persistent Windows access**, increasing the risk of covert control inside en...
Warlock ransomware post-exploitation tooling upgrades
Malware Activity
H score38
First: 17.03.2026 17:36
Last: 17.03.2026 17:36
Sources 1
About this happening:
The **Warlock ransomware group** has upgraded its post-exploitation toolset with **BYOVD**, **TightVNC**, and **Yuze**, making intrusions harder to detect and interrupt. In an obs...
Warlock ransomware post-exploitation tooling upgrades
Malware ActivityAbout this happening: The **Warlock ransomware group** has upgraded its post-exploitation toolset with **BYOVD**, **TightVNC**, and **Yuze**, making intrusions harder to detect and interrupt. In an obs...
UAT-9244 TernDoor, PeerTime, and BruteEntry malware activity
Malware Activity
H score22
First: 06.03.2026 01:19
Last: 06.03.2026 01:19
Sources 1
About this happening:
A **China-linked** malware cluster has been using **TernDoor**, **PeerTime**, and **BruteEntry** to compromise **telecommunication providers in South America** and turn infected s...
UAT-9244 TernDoor, PeerTime, and BruteEntry malware activity
Malware ActivityAbout this happening: A **China-linked** malware cluster has been using **TernDoor**, **PeerTime**, and **BruteEntry** to compromise **telecommunication providers in South America** and turn infected s...
Timeline
-
26.02.2026 17:17 2 articles · 4mo ago
Cisco Talos discloses UAT-10027 and Dohdoor
Technical Analysis UpdateCisco Talos publicly identifies UAT-10027 as an ongoing malicious campaign against U.S. education and healthcare organizations and describes a new backdoor called Dohdoor. Dohdoor uses DNS-over-HTTPS (DoH) for command-and-control communications, can download and execute other payload binaries reflectively, and is delivered through suspected social engineering phishing, a PowerShell script, a Windows batch script, DLL side-loading with legitimate Windows executables such as Fondue.exe, mblctr.exe, and ScreenClippingHost.exe, and Cloudflare-hidden C2 infrastructure.
Show sources
- UAT-10027 Targets U.S. Education and Healthcare with Dohdoor Backdoor — thehackernews.com — 26.02.2026 17:17
- UAT-10027 Targets U.S. Education and Healthcare with Dohdoor Backdoor — thehackernews.com — 26.02.2026 17:17