Cisco Talos reported an ongoing campaign, active since at least December 2025, attributed to a threat actor tracked as UAT-10027 delivering a previously undisclosed backdoor dubbed “Dohdoor.” Talos states the campaign targeted victims in the education and health care sectors in the United States and uses a multi-stage chain that likely begins with social engineering phishing techniques. Talos describes the infection chain as PowerShell execution that leads to downloading and running a Windows batch script, which then downloads a malicious DLL disguised as a legitimate Windows DLL and executes it via DLL sideloading with legitimate Windows executables. Once running, Dohdoor uses DNS-over-HTTPS to resolve C2 domains through Cloudflare DNS and then establishes HTTPS communications through Cloudflare infrastructure to conceal the underlying C2. Talos reports Dohdoor can download and decrypt payload binaries, inject them into legitimate Windows processes using process hollowing, and includes an EDR bypass technique involving syscall unhooking in ntdll.dll. Talos did not obtain the implanted payload but notes OSINT indicators that resemble default Cobalt Strike server characteristics, and assesses with low confidence that UAT-10027 is North Korea-nexus based on TTP overlaps, while also noting victimology differences.

Impact: Successful exploitation grants attackers stealthy, persistent backdoor access to victim networks, allowing them to download and execute secondary payloads directly in memory. By hiding command-and-control traffic behind Cloudflare and utilizing DNS-over-HTTPS, the threat actor effectively bypasses traditional DNS sinkholes and network monitoring tools. Forensic analysis suggests the ultimate payload is likely a Cobalt Strike Beacon, which facilitates deep lateral movement, data exfiltration, and prolonged operational disruption within critical infrastructure sectors like healthcare and education.

Recommendation: Organizations should review the source material and assess exposure. Monitor or hunt for abnormal executions of legitimate Windows binaries, such as Fondue.exe or mblctr.exe, or ScreenClippingHost.exe particularly when associated with unexpected network connections or launched from staging folders with unusual arguments. Hunt for process hollowing into the Windows binaries Talos listed and for attempts to tamper with or bypass user-mode EDR hooks in ntdll.dll. Where possible, ingest and apply Talos-provided coverage and indicators, including the published ClamAV signatures and Snort rules, and incorporate the associated IOC set into internal hunting and blocking workflows.

Microsoft published findings describing phishing-led abuse of OAuth’s by-design redirection mechanisms to facilitate phishing and malware delivery. Microsoft states the activity targets government and public-sector organizations and leverages silent OAuth authentication flows and intentionally invalid scopes to trigger error-based redirects to attacker-controlled landing pages. Microsoft notes Defender observed the activity across email, identity, and endpoint signals, and that Microsoft Entra disabled the observed OAuth applications, while related OAuth activity persists and requires ongoing monitoring. The technique begins with threat actors creating a malicious OAuth application in an attacker-controlled tenant and configuring redirect URIs to attacker infrastructure. Phishing links use crafted OAuth authorization URLs that commonly include prompt=none to force a silent authentication attempt and scope= or other conditions to reliably trigger an OAuth error. When the silent flow fails, the identity provider redirects the user to the attacker’s registered redirect URI along with error parameters, achieving the attacker’s goal of delivering the victim to phishing frameworks such as EvilProxy or, in some cases, initiating malware delivery. Microsoft describes one observed malware delivery chain where the redirect led to an automatic ZIP download containing a malicious LNK that launched PowerShell, performed reconnaissance, extracted a legitimate executable and malicious DLL for side-loading, decrypted an additional payload in memory, and established outbound connectivity.

Impact: Because the initial clicked link belongs to a trusted identity provider, the campaign effectively evades conventional email security filters and establishes misplaced user trust. Once redirected, victims face two primary threats. In phishing scenarios, users are routed to adversary-in-the-middle (AiTM) frameworks like EvilProxy, designed to intercept credentials and bypass multifactor authentication by stealing session cookies. In malware scenarios, the redirection triggers the automatic download of a malicious ZIP archive containing an LNK file. Opening this file initiates a PowerShell-based infection chain that utilizes DLL side-loading via a legitimate binary (steam_monitor.exe) to execute a persistent backdoor in memory, enabling follow-on hands-on-keyboard attacks.

Recommendation: Strengthen OAuth governance by limiting user consent, regularly reviewing application permissions and redirect URIs, and removing unused or overprivileged applications, while ensuring Conditional Access and identity protections are in place to detect risky sign-ins and enforce interactive authentication where needed. Enhance monitoring for OAuth authorization URLs that include prompt=none, intentionally invalid scope parameters, or encoded email addresses in the state parameter, and correlate these events with email telemetry and URL click data to identify affected users. Because Microsoft observed both phishing and malware delivery, ensure endpoint controls and logging can detect follow-on behaviors such as suspicious ZIP downloads, LNK execution, PowerShell reconnaissance, and DLL side-loading, and incorporate Microsoft’s published hunting logic into XDR and SIEM workflows to scope activity and prioritize containment.

Zscaler ThreatLabz reported on February 26, 2026 that it identified a campaign in December 2025 linked to APT37 (also known as ScarCruft, Ruby Sleet, and Velvet Chollima), tracked as “Ruby Jumper.” ThreatLabz states the campaign uses Windows shortcut (LNK) files to initiate execution and deploys newly identified tools including RESTLEAF, SNAKEDROPPER, THUMBSBD, and VIRUSTASK, which ultimately deliver additional payloads including FOOTWINE and BLUELIGHT for surveillance. ThreatLabz describes an attack chain where a malicious LNK launches PowerShell that carves embedded payloads from the LNK and executes a loader chain that results in RESTLEAF. RESTLEAF uses Zoho WorkDrive for command-and-control by exchanging embedded refresh token credentials for access and retrieving shellcode payloads for execution. A subsequent stage, SNAKEDROPPER, installs a full Ruby runtime under %PROGRAMDATA%\usbspeed, establishes persistence via a scheduled task, and drops THUMBSBD and VIRUSTASK. THUMBSBD uses removable media as a bidirectional relay to move commands and data between internet-connected and air-gapped systems, while VIRUSTASK propagates by replacing files on removable media with LNK shortcuts that execute the staged interpreter and scripts. ThreatLabz reports FOOTWINE provides surveillance capabilities including keylogging and audio and video capture, and that BLUELIGHT leverages multiple legitimate cloud providers for C2.

Impact: This campaign enables persistence, surveillance, and staged command execution on Windows systems, and introduces a pathway to cross network isolation boundaries through removable media. Use of cloud services for C2 and embedding payloads within LNK-delivered components can complicate detection, while removable media propagation increases risk of spreading into segmented or air-gapped environments where traditional network monitoring provides limited coverage.

Recommendation: Organizations should enforce strict policies regarding the use of removable media, ideally disabling USB storage devices on critical or air-gapped systems. Monitor endpoints for the unauthorized installation of scripting runtimes, particularly the Ruby interpreter, and the anomalous execution of LNK files. Ingest the provided Indicators of Compromise (IOCs) to block communications with known malicious domains (e.g., philion.store, hightkdhe.store) and investigate any unexpected network traffic directed towards legitimate cloud storage services like Zoho WorkDrive or pCloud.

Microsoft reported a coordinated developer-targeting campaign, delivered through malicious repositories disguised as legitimate Next.js projects and recruiting-themed technical assessments. Microsoft states the activity aligns with a broader cluster using job-themed lures to blend into normal developer behavior and increase the likelihood of code execution. The campaign targets developer systems and workflows where source code, environment secrets, and cloud access are commonly present. Across the analyzed repositories, Microsoft observed multiple execution paths that converge on runtime retrieval and in-memory execution of attacker-controlled JavaScript, followed by staged command-and-control. Execution can be triggered when a developer opens and trusts a project in Visual Studio Code (via workspace task automation), runs a development server (via trojanized assets such as modified jquery.min.js), or starts a backend (via decoding a base64 endpoint, exfiltrating process.env, and executing server-returned JavaScript using new Function()). Microsoft describes a Stage 1 registration and bootstrap channel and a Stage 2 persistent controller that polls for JavaScript tasks and supports discovery and staged upload workflows. Observed behaviors include directory browsing and multi-step upload endpoints for file transfer.

Impact: Successful compromise grants threat actors persistent, interactive access to developer workstations. Because these systems regularly handle sensitive data, attackers can easily harvest source code, environment secrets, and cloud access tokens. This initial access allows adversaries to expand their reach beyond a single endpoint, creating pathways to compromise corporate build infrastructure, software supply chains, and production cloud environments.

Recommendation: Organizations should review the Microsoft guidance and assess their exposure by hunting for anomalous Node.js network connections. Teams should enforce Visual Studio Code Workspace Trust and Restricted Mode as the default posture to prevent automatic code execution in untrusted folders. Implement attack surface reduction rules to block the execution of potentially obfuscated scripts on development endpoints. Monitor endpoint telemetry for Node.js processes initiating repeated, short-interval beaconing to untrusted endpoints or accessing sensitive files like .env configurations. Maintain strict credential hygiene by minimizing secrets stored on developer endpoints, utilizing short-lived tokens, and separating production credentials from development workstations.