Originally reported by The Hacker News, Ars Technica Security, Microsoft Security, SANS ISC, MSRC Security Updates
TL;DR
A new threat cluster UAT-10027 is actively targeting US healthcare and education sectors with the Dohdoor backdoor, while the Aeternum C2 botnet demonstrates blockchain-based command infrastructure for improved resilience. Additional threats include gaming-focused RATs and a new Wi-Fi encryption bypass attack.
Multiple active campaigns targeting critical infrastructure sectors (healthcare, education) with novel backdoors and evasion techniques warrant a high severity classification.
Cisco Talos has identified a previously undocumented threat activity cluster, designated UAT-10027, conducting an ongoing campaign against US education and healthcare sectors since December 2025. The campaign deploys a novel backdoor called Dohdoor that utilizes DNS-over-HTTPS (DoH) for command and control communications, demonstrating the threat actor's focus on stealth and persistence in critical infrastructure environments.
Qrator Labs researchers have documented the Aeternum C2 botnet, which represents a significant evolution in command-and-control architecture. Rather than relying on traditional server infrastructure, Aeternum stores encrypted commands on the Polygon blockchain, making takedown efforts substantially more complex. This approach signals a potential shift toward decentralized C2 mechanisms that leverage legitimate blockchain networks for malicious purposes.
Microsoft Threat Intelligence has observed threat actors distributing trojanized gaming utilities through browsers and chat platforms. The attack chain involves a malicious downloader that stages a portable Java runtime environment and executes a malicious JAR file named jd-gui.jar using PowerShell. This campaign highlights the continued targeting of gaming communities as an attack vector for RAT deployment.
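As an added example (not part of the original reporting and not Microsoft's detection logic), the following hunt flags the chain described above in constructed process-creation events: PowerShell launching a Java runtime that lives outside a managed install directory, or that loads a JAR named jd-gui.jar from a user-writable path. The field names, directory conventions and sample events are assumptions for this example.

```python
import re
from typing import Dict, List

# Constructed process-creation events (not real telemetry), modelled on the
# chain described above: PowerShell launching a staged portable Java runtime
# that runs a JAR named jd-gui.jar from a user-writable directory.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\jre\bin\javaw.exe",
     "cmdline": r'"C:\Users\alice\AppData\Local\Temp\jre\bin\javaw.exe" -jar "C:\Users\alice\AppData\Local\Temp\jd-gui.jar"'},
    # Benign: the legitimate JD-GUI decompiler started from Explorer with an installed JDK
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Java\jdk-21\bin\java.exe",
     "cmdline": r'"C:\Program Files\Java\jdk-21\bin\java.exe" -jar "C:\Tools\jd-gui.jar"'},
    # Benign: an admin script checking the Java version from PowerShell
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Program Files\Java\jdk-21\bin\java.exe",
     "cmdline": r'"C:\Program Files\Java\jdk-21\bin\java.exe" -version'},
]

# Assumed conventions: where a managed Java install lives, and which path
# fragments mark user-writable staging locations (all lower-cased).
INSTALLED_JAVA_DIRS = ("c:\\program files\\java\\", "c:\\program files (x86)\\java\\")
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
JAR_ARG = re.compile(r'-jar\s+(?:"([^"]+)"|(\S+))')


def score_event(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event matches the jd-gui.jar staging pattern (empty if none)."""
    parent, image = event["parent"].lower(), event["image"].lower()
    cmdline = event["cmdline"].lower()
    if not parent.endswith(("\\powershell.exe", "\\pwsh.exe")):
        return []
    if not image.endswith(("\\java.exe", "\\javaw.exe")):
        return []
    match = JAR_ARG.search(cmdline)
    if not match:
        return []
    jar_path = match.group(1) or match.group(2)
    if jar_path.rsplit("\\", 1)[-1] != "jd-gui.jar":
        return []
    reasons = ["powershell launched java with -jar jd-gui.jar"]
    if not image.startswith(INSTALLED_JAVA_DIRS):
        reasons.append("java runtime outside managed install directory (portable JRE)")
    if any(marker in jar_path for marker in USER_WRITABLE_MARKERS):
        reasons.append("jar loaded from user-writable location")
    # Report only the full pattern: PowerShell + jd-gui.jar + at least one staging indicator
    return reasons if len(reasons) > 1 else []


def hunt(events: List[Dict[str, str]]) -> List[int]:
    """Indices of events that match the staging pattern."""
    return [i for i, e in enumerate(events) if score_event(e)]
```

The second sample event shows why the JAR name alone is a weak signal: jd-gui is also a legitimate decompiler, so the rule requires the PowerShell parent plus a staging indicator before firing.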
Meta has filed lawsuits against deceptive advertisers operating from Brazil, China, and Vietnam who conduct celebrity-bait scams on its platforms. The company has suspended payment methods, disabled associated accounts, and blocked domain names used in these operations, demonstrating platform-level efforts to combat coordinated inauthentic behavior.
Researchers have disclosed the AirSnitch attack methodology, which can bypass Wi-Fi encryption in home, office, and enterprise environments. The attack particularly affects guest network configurations that users may assume provide adequate security isolation.
Several notable CVEs have been published:
CVE-2026-27571: NATS server WebSocket vulnerability enabling pre-authentication memory DoS attacks
CVE-2026-27965: Vitess privilege escalation allowing backup storage users to access production environments
CVE-2025-69873: AJV (Another JSON Schema Validator) ReDoS vulnerability when $data option is enabled, allowing catastrophic backtracking attacks
CVE-2026-3063: Chromium DevTools implementation vulnerability affecting Microsoft Edge
Microsoft Security has published guidance on threat modeling AI applications, addressing misuse scenarios, emergent risks, and failure modes in probabilistic and agentic AI systems. This guidance reflects the growing need for specialized security frameworks as AI integration accelerates across enterprise environments.