
Dohdoor backdoor activity on Windows endpoints

Malware Activity
Happening score: 28
1 unique source, 1 article

Summary


A newly documented backdoor, Dohdoor, gives its operators DNS-over-HTTPS (DoH) command-and-control and reflective, in-memory execution of downloaded payloads on Windows endpoints, which makes the traffic harder to spot and strengthens post-compromise control. Delivery appears to rely on suspected phishing, a PowerShell script, a batch script, and DLL side-loading through legitimate Windows binaries. The implant can also fetch a Cobalt Strike Beacon, and its C2 traffic is masked behind Cloudflare infrastructure, so destination-based blocking alone is a weak control.

Related Happenings

Beagle backdoor distributed via fake Claude site and DLL sideloading

Malware Activity
First: 07.05.2026 16:15 · Last: 07.05.2026 16:15 · Sources: 1

About this happening: The **Beagle** backdoor is now being distributed through a **fake Claude website**, putting **Windows users** at risk of infection through a **DLL sideloading chain**. The lure de...

EtherRAT malicious MSI loader with Ethereum-based C2

Malware Activity
First: 30.04.2026 14:30 · Last: 30.04.2026 14:30 · Sources: 1

About this happening: The **EtherRAT** malware is being delivered through **malicious MSI installers** and gives attackers **persistent Windows access**, increasing the risk of covert control inside en...

Warlock ransomware post-exploitation tooling upgrades

Malware Activity
First: 17.03.2026 17:36 · Last: 17.03.2026 17:36 · Sources: 1

About this happening: The **Warlock ransomware group** has upgraded its post-exploitation toolset with **BYOVD**, **TightVNC**, and **Yuze**, making intrusions harder to detect and interrupt. In an obs...

UAT-9244 TernDoor, PeerTime, and BruteEntry malware activity

Malware Activity
First: 06.03.2026 01:19 · Last: 06.03.2026 01:19 · Sources: 1

About this happening: A **China-linked** malware cluster has been using **TernDoor**, **PeerTime**, and **BruteEntry** to compromise **telecommunication providers in South America** and turn infected s...

UAT-9244 South America telecom targeting campaign

Campaign
First: 06.03.2026 01:19 · Last: 06.03.2026 01:19 · Sources: 1

About this happening: UAT-9244 is a China-linked campaign targeting telecommunication providers in South America since 2024. It compromises Windows, Linux, and edge devices to expand access across tele...

Latest development: 06.03.2026 10:22

The first documented phase centers on **TernDoor** targeting **Windows** hosts through **DLL side-loading** with `wsprint.exe` and `BugSplatRc64.dll`. After launch, it loads in memory and establishes persistence through a scheduled task or the Registry Run key.
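The two host-side behaviours this page attributes to Dohdoor (DLL side-loading through legitimate Windows executables, then DoH command-and-control) and the side-loading pair noted for TernDoor above (wsprint.exe with BugSplatRc64.dll) can be hunted with the same logic. The block below is an added example, not code from Cisco Talos or from this site: it runs two rules over Sysmon-style image-load (Event ID 7) and network-connect (Event ID 3) records and raises a chain alert when one process trips both. The host-executable list is taken from the page; the DoH resolver list, the "expected DoH speakers" list, the file paths, and the DLL name `sideloaded.dll` are assumptions or constructed sample data, since the page does not disclose Dohdoor's file names or which resolver it uses.

```python
# Added example (not from Cisco Talos or the page): hunt rules over Sysmon-style
# image-load (Event ID 7) and network-connect (Event ID 3) records for DLL
# side-loading through legitimate executables followed by DNS-over-HTTPS C2.
# Field names follow Sysmon's schema; the events at the bottom are constructed.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

Event = Dict[str, object]

# Host executables named on this page: Dohdoor's (Fondue.exe, mblctr.exe,
# ScreenClippingHost.exe) and TernDoor's (wsprint.exe). Extend per environment.
SIDELOAD_HOSTS = {"fondue.exe", "mblctr.exe", "screenclippinghost.exe", "wsprint.exe"}

# Where Windows-signed DLLs normally live; a host pulling a DLL from elsewhere is suspect.
SYSTEM_DLL_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)

# Assumption: public DoH resolvers a hunt might key on. The page only says
# "DNS-over-HTTPS" and "Cloudflare-hidden infrastructure", not which resolver.
DOH_RESOLVERS = {"cloudflare-dns.com", "1.1.1.1", "1.0.0.1", "dns.google", "8.8.8.8"}

# Assumption: processes expected to speak DoH on a managed endpoint (browsers and
# the service host running the Windows DNS client). Tune to the environment.
DOH_EXPECTED_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "svchost.exe"}


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    detail: str


def _basename(path: object) -> str:
    return str(path).replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_image_load(ev: Event) -> Optional[Alert]:
    """Event ID 7: a known side-loading host loads a DLL from outside the system
    DLL directories and the DLL does not carry a Microsoft signature."""
    host = _basename(ev["Image"])
    if host not in SIDELOAD_HOSTS:
        return None
    loaded = str(ev["ImageLoaded"]).replace("/", "\\").lower()
    if loaded.startswith(SYSTEM_DLL_DIRS):
        return None
    if str(ev.get("Signature", "")).lower().startswith("microsoft"):
        return None
    return Alert("dll_sideload", int(ev["ProcessId"]), f"{host} loaded {loaded}")


def check_network(ev: Event) -> Optional[Alert]:
    """Event ID 3: TLS to a known DoH resolver from a process that is not expected
    to resolve names over HTTPS on its own."""
    if int(ev["DestinationPort"]) != 443:
        return None
    dest = str(ev.get("DestinationHostname") or ev.get("DestinationIp", "")).lower()
    if dest not in DOH_RESOLVERS:
        return None
    image = _basename(ev["Image"])
    if image in DOH_EXPECTED_IMAGES:
        return None
    return Alert("doh_unexpected_process", int(ev["ProcessId"]), f"{image} -> {dest}:443")


def hunt(events: Iterable[Event]) -> List[Alert]:
    """Apply both rules in event order, then add a chain alert for any PID that
    tripped both: a side-loaded host process that then beacons over DoH."""
    alerts: List[Alert] = []
    for ev in events:
        eid = int(ev["EventID"])
        hit = check_image_load(ev) if eid == 7 else check_network(ev) if eid == 3 else None
        if hit is not None:
            alerts.append(hit)
    rules_by_pid: Dict[int, set] = {}
    for a in alerts:
        rules_by_pid.setdefault(a.pid, set()).add(a.rule)
    for pid, rules in sorted(rules_by_pid.items()):
        if {"dll_sideload", "doh_unexpected_process"} <= rules:
            alerts.append(Alert("sideload_then_doh_chain", pid,
                                "side-loaded host process beaconing over DoH"))
    return alerts


# Constructed sample telemetry (not real events). Paths, PIDs and the DLL name
# sideloaded.dll are placeholders; 192.0.2.10 is a documentation address.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 7, "ProcessId": 4242, "Image": r"C:\Users\Public\Fondue.exe",
     "ImageLoaded": r"C:\Users\Public\sideloaded.dll", "Signature": ""},
    {"EventID": 7, "ProcessId": 4242, "Image": r"C:\Users\Public\Fondue.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signature": "Microsoft Windows"},
    {"EventID": 7, "ProcessId": 5100, "Image": r"C:\Windows\System32\mblctr.exe",
     "ImageLoaded": r"C:\Windows\System32\user32.dll", "Signature": "Microsoft Windows"},
    {"EventID": 7, "ProcessId": 7300, "Image": r"C:\ProgramData\wsprint.exe",
     "ImageLoaded": r"C:\ProgramData\BugSplatRc64.dll", "Signature": ""},
    {"EventID": 3, "ProcessId": 4242, "Image": r"C:\Users\Public\Fondue.exe",
     "DestinationHostname": "cloudflare-dns.com", "DestinationIp": "192.0.2.10",
     "DestinationPort": 443},
    {"EventID": 3, "ProcessId": 6200, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "cloudflare-dns.com", "DestinationIp": "192.0.2.10",
     "DestinationPort": 443},
]

if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"[{a.rule}] pid={a.pid} {a.detail}")
```

Two caveats follow from the page itself. Keying the network rule on well-known public resolvers only catches an implant that uses them; because the page says the C2 infrastructure is hidden behind Cloudflare, an attacker-controlled DoH endpoint on a Cloudflare-fronted domain would pass this rule, so the stronger signal is the process identity and the side-load chain, not the destination. Conversely, the image-load rule should be scoped to the named host executables (or to a list of known side-loading targets) rather than to every process, or unsigned third-party DLLs loaded by ordinary software will bury the alert.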

Timeline

  1. 26.02.2026 17:17 · 2 articles

    Cisco Talos discloses UAT-10027 and Dohdoor

    Technical Analysis Update

    Cisco Talos publicly identifies UAT-10027 as an ongoing malicious campaign against U.S. education and healthcare organizations and describes a new backdoor called Dohdoor. Dohdoor uses DNS-over-HTTPS (DoH) for command-and-control and can download further payload binaries and execute them reflectively in memory. The reported delivery chain combines suspected phishing (social engineering), a PowerShell script, a Windows batch script, and DLL side-loading through legitimate Windows executables such as Fondue.exe, mblctr.exe, and ScreenClippingHost.exe; the C2 infrastructure itself is hidden behind Cloudflare.
