Trending Topics
Dohdoor Backdoor Campaign Hits U.S. Education and Healthcare
Cisco Talos is tracking an ongoing campaign, UAT-10027, that has targeted U.S. schools and healthcare organizations since at least December 2025, with the goal of gaining long-term access and setting the stage for further intrusions. The activity appears to begin with phishing that triggers a PowerShell downloader, which then uses curl to retrieve a second-stage Windows batch script from an external server. That batch script creates a hidden working folder under common system locations, downloads a malicious DLL, renames it to blend in with normal Windows files, and then uses trusted Windows programs copied into that folder to load the DLL via sideloading. After launching the backdoor, the script attempts to cover its tracks by removing evidence from user history areas, clearing the clipboard, and deleting itself. Talos calls the backdoor Dohdoor and notes that the targeting is concerning because these sectors store high-value student, staff, and patient information while often running older systems with limited security resources. Once installed, Dohdoor is built to stay quiet and pull additional malicious code directly into memory, enabling deeper access and broader compromise across a network. It hides command traffic by resolving its control infrastructure through DNS-over-HTTPS on Cloudflare's resolver, then blends follow-on communications into normal encrypted web traffic routed through Cloudflare's edge, which can make the activity harder to spot at a quick glance. The actor also uses misleading domain naming and varied capitalization across less common top-level domains to complicate simple blocking and reduce the impact of basic keyword defenses. Talos did not capture the final payload end-to-end, but they observed indicators that align with common Cobalt Strike server defaults, which raises the risk of hands-on-keyboard intrusion, credential theft, and lateral movement after initial access.
Talos also assessed with low confidence that the campaign may have a North Korea link based on overlaps with tooling and techniques previously tied to Lazarus, while also noting that the victim profile does not fully match Lazarus’ more typical focus areas. To reduce risk, organizations should strengthen phishing resistance through training and rapid reporting, tighten controls over PowerShell and scripted downloads, and watch for unusual use of built-in Windows tools running from new hidden folders in shared system paths. They should also review whether direct DNS-over-HTTPS to public resolvers is necessary in their environment, block or strictly monitor it when it is not needed, keep endpoint and network detections current, including vendor coverage published for this campaign, and confirm backups and incident response steps are ready in case follow-on access turns into data theft or disruption.
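The detection guidance above can be turned into three concrete rules: a PowerShell-spawned curl download, a Microsoft-signed Windows binary running outside its normal system directories (the copied-in sideloading host), and DNS-over-HTTPS to Cloudflare from a process that is not a browser. This is an added example, not code from the Talos report; the JSON event schema, the sample telemetry, the folder and binary names, and the allowlisted directories are all constructed assumptions to be mapped onto your own EDR or Sysmon fields.

```python
import json

# Constructed sample telemetry for this example (not data from the Talos report).
# The field names (type, image, parent, signer, dest_ip, dest_port, sni) are an
# assumption; map them onto your own EDR or Sysmon schema.
SAMPLE_EVENTS = r"""
{"type":"process","image":"C:\\Windows\\System32\\svchost.exe","parent":"C:\\Windows\\System32\\services.exe","signer":"Microsoft Windows"}
{"type":"process","image":"C:\\Windows\\System32\\curl.exe","parent":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","signer":"Microsoft Windows"}
{"type":"process","image":"C:\\ProgramData\\.cache\\trusted_win_tool.exe","parent":"C:\\Windows\\System32\\cmd.exe","signer":"Microsoft Windows"}
{"type":"network","image":"C:\\ProgramData\\.cache\\trusted_win_tool.exe","dest_ip":"1.1.1.1","dest_port":443,"sni":"cloudflare-dns.com"}
{"type":"network","image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","dest_ip":"1.1.1.1","dest_port":443,"sni":"cloudflare-dns.com"}
"""

# Where Microsoft-signed Windows binaries are expected to live (assumption: tune per estate).
EXPECTED_SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Public Cloudflare DoH endpoints; browsers may use them legitimately, other processes rarely do.
DOH_HOSTS = {"cloudflare-dns.com", "mozilla.cloudflare-dns.com"}
DOH_IPS = {"1.1.1.1", "1.0.0.1"}
BROWSER_NAMES = {"firefox.exe", "chrome.exe", "msedge.exe"}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def check_event(ev: dict) -> list[tuple[str, str]]:
    """Return (rule, image) findings for one event."""
    image = ev.get("image", "")
    hits = []
    if ev["type"] == "process":
        # Rule A: a trusted Windows binary copied outside its normal home (sideloading staging).
        if ev.get("signer") == "Microsoft Windows" and not image.lower().startswith(EXPECTED_SYSTEM_DIRS):
            hits.append(("signed-binary-outside-system-dirs", image))
        # Rule B: PowerShell spawning curl, the downloader chain described above.
        if basename(ev.get("parent", "")) == "powershell.exe" and basename(image) == "curl.exe":
            hits.append(("powershell-spawns-curl", image))
    elif ev["type"] == "network":
        # Rule C: DNS-over-HTTPS to Cloudflare from something that is not a browser.
        doh = ev.get("dest_port") == 443 and (ev.get("sni") in DOH_HOSTS or ev.get("dest_ip") in DOH_IPS)
        if doh and basename(image) not in BROWSER_NAMES:
            hits.append(("doh-from-non-browser", image))
    return hits

def scan(log_text: str) -> list[tuple[str, str]]:
    """Run every rule over a JSON-lines event stream and collect the findings in order."""
    findings = []
    for line in log_text.strip().splitlines():
        findings.extend(check_event(json.loads(line)))
    return findings

if __name__ == "__main__":
    for rule, image in scan(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

Rule A will also fire on legitimately relocated Microsoft tools, so pair it with the hidden-folder and parent-process context rather than alerting on it alone.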
Ruby Jumper Campaign Uses USB to Bridge Air-Gapped Systems for Espionage
Zscaler ThreatLabz reports that North Korean-linked APT37 is running a campaign they track as Ruby Jumper, built to move instructions and stolen data between internet-connected systems and isolated air-gapped machines. The operation begins with malicious Windows shortcut files that, once opened, trigger PowerShell and unpack multiple embedded payloads while showing a decoy document themed around current Middle East news content translated from North Korean media. Those payloads ultimately install RESTLEAF, a Windows implant that uses Zoho WorkDrive for command-and-control by authenticating with hardcoded tokens and retrieving a shellcode file for in-memory execution. After initial activation, the malware signals operators by dropping timestamped beacon files into a specific Zoho folder, confirming the host is active and ready for tasking. ThreatLabz links the activity to APT37 with high confidence based on the reuse of known backdoors, consistent shortcut-driven tradecraft, and a repeatable two-stage shellcode approach intended to make detection and analysis harder. After RESTLEAF runs, it loads SNAKEDROPPER, which installs a full Ruby runtime under a hidden program data path and disguises the interpreter as a USB utility, then creates a scheduled task that reruns every five minutes to keep access stable and load additional payloads. THUMBSBD acts as the bridge across isolated networks by using removable media as a courier, maintaining an encrypted state, collecting detailed host information, and staging command requests and collected results inside hidden recycle-bin folders on USB drives. VIRUSTASK focuses on spreading, copying the toolset onto newly inserted USB devices, hiding the user’s original files, and replacing them with matching shortcut files that silently execute the trojanized environment when opened, which is a practical way to hop into air-gapped systems that rely on manual file transfer. 
From there, THUMBSBD can deploy FOOTWINE and the existing BLUELIGHT backdoor for deep surveillance, including interactive control, file access, keystroke capture, screenshots, and audio and video monitoring, while BLUELIGHT can also route commands through common cloud storage providers to reduce the need for direct attacker infrastructure. To reduce exposure, organizations should tighten controls on removable media by limiting USB use to approved devices, scanning media before access, and monitoring for hidden recycle-bin directories and sudden shortcut file creation, and they should also alert on unexpected Ruby runtimes or scheduled tasks appearing on endpoints, plus unusual cloud storage access patterns involving Zoho WorkDrive and other consumer cloud platforms from systems that do not normally use them.
Infostealers Fuel Brute-Force Pressure on Corporate SSO Gateways
Defused Cyber observed a surge in credential-stuffing attempts targeting corporate single sign-on entry points, with recent activity focusing on F5 BIG-IP login interfaces that many organizations use as an authentication front door. Their honeypots captured repeated login POST attempts that included what appeared to be real employee email and password combinations, including traffic traced to 219.75.254[.]166, tied to a Japanese network provider. When analysts reviewed a sample of 70 unique credential pairs used in the attack and checked them against Hudson Rock’s infostealer infection database, 54 pairs matched known infostealer logs, yielding a 77% confirmation rate. The key point is that the passwords were not obtained directly from F5 systems; they were harvested earlier from compromised employee devices where browser-saved credentials had been stolen. This connects routine infostealer infections to direct pressure on enterprise identity systems, where attackers try to reuse passwords or exploit gaps in multi-factor enforcement to gain access. This activity reflects an industrial pipeline in which infostealers capture credentials, the data is packaged and sold through criminal marketplaces, and attackers then try those logins at scale against external-facing identity portals that accept the same corporate credentials used elsewhere. The dataset included credentials tied to a wide mix of major companies and public-sector entities across defense, healthcare, telecom, professional services, law enforcement, retail, and government, signaling a broad-volume strategy in which one success is enough to open a network. The overall trend is that many intrusions now start with authentication abuse rather than a software exploit, so valid credentials become the fastest path through the perimeter. 
Reducing risk starts with preventing and containing infostealers on endpoints by tightening browser credential storage, improving endpoint controls, and rapidly resetting exposed passwords while also enforcing strong multi-factor authentication everywhere the SSO front door is exposed. It also helps to make credential-stuffing expensive for attackers by adding rate limiting, bot defenses, strict conditional access, and continuous monitoring that flags abnormal login patterns and checks employee identities against known exposure sources before attackers can reuse them.
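The monitoring described above, flagging a source that tries many distinct accounts with mostly failures and then checking those accounts against an exposure feed, can be prototyped over gateway access logs. This is an added example, not Defused Cyber's honeypot analysis; the log line format, the thresholds, the TEST-NET addresses and the exposure list are constructed assumptions, and the overlap figure it computes is for the sample data only.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed SSO gateway access log for this example (not the honeypot data in the report).
# Line format is an assumption: "<ISO-8601 ts> <src_ip> POST /login user=<email> result=<ok|fail>".
SAMPLE_LOG = """
2026-02-10T08:00:01Z 203.0.113.7 POST /login user=alice@corp.example result=fail
2026-02-10T08:00:03Z 203.0.113.7 POST /login user=bob@corp.example result=fail
2026-02-10T08:00:05Z 203.0.113.7 POST /login user=carol@corp.example result=fail
2026-02-10T08:00:07Z 203.0.113.7 POST /login user=dave@corp.example result=ok
2026-02-10T08:00:09Z 203.0.113.7 POST /login user=erin@corp.example result=fail
2026-02-10T08:00:11Z 203.0.113.7 POST /login user=frank@corp.example result=fail
2026-02-10T08:05:00Z 198.51.100.24 POST /login user=grace@corp.example result=fail
2026-02-10T08:05:20Z 198.51.100.24 POST /login user=grace@corp.example result=ok
"""

# Accounts already seen in infostealer logs (constructed stand-in for an exposure feed).
KNOWN_EXPOSED = {"alice@corp.example", "carol@corp.example", "dave@corp.example", "erin@corp.example"}

LINE_RE = re.compile(r"^(\S+) (\S+) POST /login user=(\S+) result=(ok|fail)$")

def parse(log_text):
    """Yield (timestamp, src_ip, user, result) for each well-formed line."""
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
            yield ts, m.group(2), m.group(3), m.group(4)

def find_stuffing_sources(log_text, min_users=5, min_fail_ratio=0.7, window_s=600):
    """Flag source IPs that try many distinct accounts, mostly failing, inside a short window.
    The thresholds are assumptions to tune per gateway."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in parse(log_text):
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, rows in by_ip.items():
        users = {u for _, u, _ in rows}
        fails = sum(1 for _, _, r in rows if r == "fail")
        span = (max(t for t, _, _ in rows) - min(t for t, _, _ in rows)).total_seconds()
        if len(users) >= min_users and fails / len(rows) >= min_fail_ratio and span <= window_s:
            flagged[ip] = {"users": users, "successes": {u for _, u, r in rows if r == "ok"}}
    return flagged

def exposure_overlap(users, exposed=KNOWN_EXPOSED):
    """Accounts from a flagged burst that already appear in the exposure feed, and their share (%).
    These are the first candidates for a forced reset and MFA re-enrolment."""
    hits = users & exposed
    return hits, (round(100 * len(hits) / len(users)) if users else 0)
```

Any account in `successes` for a flagged source is a confirmed valid credential in attacker hands and should be reset before the overlap check is even finished.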
Top CVEs of the Week
As part of our ongoing vulnerability monitoring, the following CVEs highlight recent security issues that could affect a range of systems, applications, and devices. These findings reflect the constantly evolving threat landscape and reinforce the importance of timely patching, secure configurations, and proactive security practices. Below is a summary of notable vulnerabilities, including their impact and any available remediation guidance.