Cyber Threat Brief — March 4 2026
Focus: Actionable technical intel for detection engineers. Every entry has MITRE-mapped artifacts and real detection coverage. Sources verified within 24 hours.
1. Dohdoor Backdoor (UAT-10027) — DNS-over-HTTPS C2 + DLL Sideloading
Summary
Dohdoor is a novel backdoor targeting US education and healthcare sectors via a phishing → PowerShell → batch dropper → DLL sideload chain. The malware tunnels C2 through Cloudflare's DoH resolver using mixed-case domain names (.OnLiNe, .DeSigN, .SoFTWARe) chosen specifically to defeat case-sensitive string-match blocklists, and reflectively loads Cobalt Strike Beacon as a follow-on payload. The full Talos technical teardown is fresh, and this one has concrete, huntable artifacts.
What’s New (Last 24 Hours)
Cisco Talos published a full technical teardown of the Dohdoor backdoor used by UAT-10027 in campaigns targeting US education and healthcare. Key details confirmed: the batch dropper uses curl.exe /111111?sub=d as its DLL download signature, sideloads via legitimate LOLBins (Fondue.exe, mblctr.exe, ScreenClippingHost.exe) from ProgramData/Public, and performs RunMRU registry anti-forensics on exit.
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| curl.exe /111111?sub=d | TTP | T1105 | EDR process telemetry / command-line logs | Hunt for curl.exe invocations with URL path /111111?sub= — this is the batch dropper's DLL download command |
| Fondue.exe / mblctr.exe / ScreenClippingHost.exe executing from C:\ProgramData\ or C:\Users\Public\ | TTP | T1574.002 | EDR process/file telemetry | Alert on these LOLBins running outside their expected system paths — this is the sideload trigger pattern |
| propsys.dll / batmeter.dll (written to non-system paths) | TTP | T1574.002 | EDR file telemetry | Hunt for these DLL names written to ProgramData or Users\Public; known Dohdoor masquerade DLL names |
| MswInSofTUpDloAd / DEEPinSPeCTioNsyStEM (C2 subdomain patterns) | IOC | T1071.004 | DNS logs / DoH proxy logs | Search query logs for mixed-case subdomains matching this pattern; flag .OnLiNe / .DeSigN / .SoFTWARe TLDs from any endpoint. Caveat: because the malware resolves via Cloudflare DoH, on-premises DNS logs will not see these queries unless DoH is blocked or inspected; also hunt for non-browser processes connecting to Cloudflare's DoH endpoints |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU deletion | TTP | T1112 | EDR registry telemetry | Alert on deletion of this key post-execution; it is the batch dropper's anti-forensics cleanup step |
Potential Detection Coverage Based on MITRE ATT&CK Technique
| Source | Detections | Coverage |
|---|---|---|
| Splunk | Windows RunMRU Registry Key or Value Deleted | Directly maps to Dohdoor’s anti-forensics step — RunMRU deletion after batch execution |
| Elastic | Modification of AmsiEnable Registry Key | Covers registry modification behavior; no direct Dohdoor RunMRU rule found — gap exists for the specific key deletion |
| Sigma | Abusable DLL Potential Sideloading From Suspicious Location | Covers DLL sideloading from non-system paths — maps to Fondue.exe/mblctr.exe loading propsys.dll/batmeter.dll from ProgramData |
Sources
- Cisco Talos — New Dohdoor malware campaign targets education and health care — Published 2026-02-26
2. SloppyLemming (Outrider Tiger) — BurrowShell + Rust Keylogger Targeting South Asian Critical Infrastructure
Summary
SloppyLemming (India-nexus APT, also tracked as Outrider Tiger and Fishing Elephant) dramatically expanded its toolset over 2025–2026, adding the BurrowShell in-memory shellcode implant and a Rust-based keylogger to supplement its Cobalt Strike/Havoc kit. The group now runs 112 Cloudflare Workers domains mimicking Pakistani and Bangladeshi government entities for C2, with C2 traffic masquerading as Windows Update. Targets include Pakistani nuclear regulatory bodies, Navy logistics, and Bangladeshi energy utilities.
What’s New (Last 24 Hours)
Arctic Wolf published a comprehensive technical report (2026-03-02) documenting the new BurrowShell implant (in-memory x64 shellcode, 15 supported commands, SOCKS proxy, RC4-encrypted C2), the Rust keylogger with port scanning/network recon, and the 112-domain Cloudflare Workers infrastructure expansion. Open directory misconfigurations exposed staged Havoc framework loaders.
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| NGenTask.exe executing from outside the .NET Framework directory (loads mscorsvc.dll) | TTP | T1574.002 | EDR process/file telemetry | Hunt for NGenTask.exe running from any path other than %windir%\Microsoft.NET\Framework\v4.0.30319\ or Framework64\v4.0.30319\; alert on mscorsvc.dll loaded from outside those directories |
| mscorsvc.dll written to a non-.NET directory | IOC | T1574.002 | EDR file telemetry | Alert on this DLL written or loaded outside the .NET Framework directories above; it masquerades as the legitimate .NET runtime service DLL |
| 8faeea306a331d86ce1acb92c8028b4322efbd11a971379ba81a6b769ff5ac4b (SHA-256) | IOC | T1566.001 | Email gateway / file hash telemetry | Block/alert at email gateway; Stage 1 PDF lure delivering the BurrowShell chain |
| *.workers.dev DNS queries with government-entity subdomain names | TTP | T1102.001 | DNS / proxy logs | Alert on *.workers.dev resolutions from non-developer endpoints; filter subdomains mimicking government entities (e.g., webmail-pnra, gov-pk) |
| Outbound HTTP to non-Microsoft IPs with Windows Update user-agent strings | TTP | T1071.001 | Proxy / network flow logs | BurrowShell masks C2 as Windows Update — hunt for Windows Update-style traffic to non-Microsoft IP space |
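The two network artifacts above (workers.dev hostnames that imitate government entities, and Windows Update-styled traffic to addresses that are not Microsoft's) are both proxy-log hunts. The block below is an added example for this brief, not code from Arctic Wolf or any source cited here. The log lines, the "Microsoft" address range (a documentation prefix standing in for a real allowlist), the developer subnet, and the list of government-mimic tokens are all assumptions; the Windows Update user-agent prefixes are the well-known client strings.

```python
import ipaddress
import re

# Assumed allowlist standing in for Windows Update / Microsoft CDN address space.
# 192.0.2.0/24 is a documentation range; populate this from your own baseline
# or Microsoft's published ranges before use.
MICROSOFT_UPDATE_CIDRS = [ipaddress.ip_network("192.0.2.0/24")]
# Assumed developer subnet whose workers.dev traffic is expected (the brief's
# advice is to alert only from non-developer endpoints).
DEVELOPER_CIDRS = [ipaddress.ip_network("10.20.9.0/24")]
# Windows Update client user-agent prefixes.
WU_USER_AGENT = re.compile(r"^(Windows-Update-Agent|Microsoft-Delivery-Optimization)/")
# Tokens suggesting a workers.dev label imitates a government entity; the list is
# an assumption seeded from the report's examples (webmail-pnra, gov-pk).
GOV_MIMIC_TOKENS = ("gov", "pnra", "webmail", "navy", "portal")

# Constructed proxy log lines: timestamp, client, destination IP, Host header, user-agent.
PROXY_LOG = """\
2026-03-03T09:12:01Z 10.20.1.15 192.0.2.44 download.windowsupdate.com Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.0
2026-03-03T09:12:09Z 10.20.1.15 198.51.100.7 update-cdn.example.invalid Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.0
2026-03-03T09:13:40Z 10.20.1.22 198.51.100.9 webmail-pnra.workers.dev Mozilla/5.0
2026-03-03T09:14:02Z 10.20.1.30 203.0.113.5 my-test-app.workers.dev Mozilla/5.0
2026-03-03T09:15:30Z 10.20.9.8 203.0.113.6 gov-pk.workers.dev Mozilla/5.0
"""


def in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def is_microsoft_ip(ip):
    return in_any(ip, MICROSOFT_UPDATE_CIDRS)


def parse_proxy_line(line):
    ts, src, dst, host, ua = line.split(" ", 4)   # user-agent may contain spaces
    return {"ts": ts, "src": src, "dst": dst, "host": host, "ua": ua}


def workers_dev_mimic_token(host):
    """Return the matching token if host is *.workers.dev with a government-like label."""
    host = host.lower()
    if not host.endswith(".workers.dev"):
        return None
    parts = set(re.split(r"[-.]", host[: -len(".workers.dev")]))
    for tok in GOV_MIMIC_TOKENS:
        if tok in parts:
            return tok
    return None


def hunt(log=PROXY_LOG):
    """Return (rule, client, destination) alerts for the two patterns."""
    alerts = []
    for line in log.splitlines():
        rec = parse_proxy_line(line)
        if WU_USER_AGENT.match(rec["ua"]) and not is_microsoft_ip(rec["dst"]):
            alerts.append(("T1071.001 Windows Update UA to non-Microsoft IP", rec["src"], rec["dst"]))
        if workers_dev_mimic_token(rec["host"]) and not in_any(rec["src"], DEVELOPER_CIDRS):
            alerts.append(("T1102.001 workers.dev host mimicking a government entity", rec["src"], rec["host"]))
    return alerts


if __name__ == "__main__":
    for alert in hunt():
        print(alert)
```

The user-agent check is only as good as the allowlist: Windows Update is served from CDN space that changes, so derive the allowlist from a few weeks of your own Windows Update destinations and re-baseline on change rather than trusting a static list. The developer-subnet exclusion is a noise control, not a trust decision; a gov-mimic workers.dev host from a developer box still deserves a look.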
Potential Detection Coverage Based on MITRE ATT&CK Technique
| Source | Detections | Coverage |
|---|---|---|
| Splunk | Windows Phishing PDF File Executes URL Link | Covers the Stage 1 PDF lure clicking/execution — maps to the ClickOnce delivery vector |
| Elastic | Potential Execution via FileFix Phishing Attack | Adjacent coverage only: FileFix is a File Explorer address-bar paste lure, not a PDF or ClickOnce chain. No direct Elastic rule found for this delivery vector |
| Sigma | Potential Initial Access via DLL Search Order Hijacking | Covers DLL search order abuse — directly maps to NGenTask.exe sideloading mscorsvc.dll |
Sources
- Arctic Wolf Labs — SloppyLemming Deploys BurrowShell and Rust-Based RAT to Target Pakistan and Bangladesh — Published 2026-03-02
3. DeepSeek-Claw — Malicious GitHub Repo Installs Browser Session Hijack + macOS C2 Agent
Summary
A malicious GitHub repo (TriangleMagistrate/DeepSeek-Claw) marketed as a cheap AI API alternative installs a 2.5MB obfuscated Node.js C2 agent on macOS that clones live Chrome profiles, intercepts 2FA in real time, executes remote shell commands, and persists via launchd. A confirmed victim lost banking access within 41 minutes of install. The repo had 177 stars before being reported — meaning this ran in the wild against real developers.
What’s New (Last 24 Hours)
Security researcher @iamian publicly documented the full post-mortem: install script deploys ~/.cache/.npm_telemetry/monitor.js, injects persistence into four shell init files, registers ai.openclaw.gateway.plist as a LaunchAgent, and uses NODE_CHANNEL=cryptoexth4 as the C2 channel ID. Capabilities include Chrome profile cloning via CDP, Gmail monitoring, iMessage monitoring, and Telegram credential harvesting.
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| ~/.cache/.npm_telemetry/monitor.js | IOC | T1059.007 | EDR file telemetry / endpoint filesystem scan | Hunt for this path on macOS; any presence indicates infection. Alert on Node.js processes spawned from ~/.cache/.npm_telemetry/ |
| ai.openclaw.gateway.plist (in ~/Library/LaunchAgents/) | IOC | T1543.001 | EDR persistence/file telemetry | Hunt for this LaunchAgent plist name; boot persistence artifact for the C2 agent |
| NODE_CHANNEL=cryptoexth4 (process environment variable) | IOC | T1071.001 | EDR process telemetry | Query for processes with NODE_CHANNEL=cryptoexth4 in environment variables — unique C2 channel ID |
| Injection into ~/.zshrc / ~/.zshenv / ~/.bash_profile / ~/.bashrc | TTP | T1546.004 | EDR file telemetry | Alert on unexpected appended content (base64 or Node.js invocations) in shell init files on developer endpoints |
| TriangleMagistrate/DeepSeek-Claw GitHub repo / openclaw npm package | IOC | T1195.001 | Browser history / shell history / npm audit logs | Query shell history for references to this repo or npm install openclaw; treat any install as confirmed compromise |
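The shell-init injection, the LaunchAgent, and the channel-ID environment variable above are all things a host sweep can check without EDR. The block below is an added example for this brief, not the installer's code or any researcher's tooling; the rc-file contents and the LaunchAgent plist are constructed to contain the reported artifacts, and the regexes for "node launched from a hidden directory" and "base64 blob decoded in an init file" are heuristics of this example.

```python
import base64
import plistlib
import re

# Constructed shell init contents (not captured from a real infection). The
# base64 blob is generated here so the sample is self-contained.
_BLOB = base64.b64encode(b"constructed payload placeholder " * 3).decode()
SHELL_RC_FILES = {
    "~/.zshrc": "export PATH=$HOME/bin:$PATH\nalias ll='ls -la'\n"
                "NODE_CHANNEL=cryptoexth4 nohup node ~/.cache/.npm_telemetry/monitor.js >/dev/null 2>&1 &\n",
    "~/.bashrc": "export EDITOR=vim\n",
    "~/.zshenv": f'eval "$(echo {_BLOB} | base64 -d)"\n',
}
# Constructed LaunchAgent matching the reported label and script path.
LAUNCH_AGENT_PLIST = plistlib.dumps({
    "Label": "ai.openclaw.gateway",
    "ProgramArguments": ["/usr/local/bin/node", "/Users/dev/.cache/.npm_telemetry/monitor.js"],
    "RunAtLoad": True,
    "EnvironmentVariables": {"NODE_CHANNEL": "cryptoexth4"},
})

RC_RULES = [
    ("T1059.007 DeepSeek-Claw monitor path", re.compile(r"\.npm_telemetry/monitor\.js")),
    ("T1071.001 C2 channel id in init file", re.compile(r"NODE_CHANNEL=cryptoexth4")),
    ("T1546.004 node launched from hidden directory", re.compile(r"\bnode\b[^\n]*/\.[A-Za-z_]+/")),
    ("T1546.004 base64 blob decoded in init file",
     re.compile(r"[A-Za-z0-9+/]{60,}={0,2}[^\n]*base64\s+(-d|--decode)")),
]


def scan_rc_content(path, text):
    """Return (path, line_no, rule) for every init-file line matching a rule."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for rule, rx in RC_RULES:
            if rx.search(line):
                findings.append((path, no, rule))
    return findings


def scan_launch_agent(path, plist_bytes):
    """Parse a LaunchAgent plist (XML or binary) and report Claw indicators."""
    pl = plistlib.loads(plist_bytes)
    findings = []
    if pl.get("Label") == "ai.openclaw.gateway":
        findings.append((path, "T1543.001 known LaunchAgent label"))
    if any(".npm_telemetry" in arg for arg in pl.get("ProgramArguments", [])):
        findings.append((path, "T1543.001 LaunchAgent runs monitor.js"))
    if pl.get("EnvironmentVariables", {}).get("NODE_CHANNEL") == "cryptoexth4":
        findings.append((path, "T1071.001 C2 channel id in LaunchAgent"))
    return findings


def sweep(rc_files=SHELL_RC_FILES, agents=None):
    """Run both scans over the supplied inputs; returns all findings in order."""
    if agents is None:
        agents = {"~/Library/LaunchAgents/ai.openclaw.gateway.plist": LAUNCH_AGENT_PLIST}
    findings = []
    for path, text in rc_files.items():
        findings.extend(scan_rc_content(path, text))
    for path, data in agents.items():
        findings.extend(scan_launch_agent(path, data))
    return findings


if __name__ == "__main__":
    for f in sweep():
        print(f)
```

To run this against a real Mac, feed `scan_rc_content` the contents of each init file from the home directory and `scan_launch_agent` every file under `~/Library/LaunchAgents/` and `/Library/LaunchAgents/`; `plistlib.loads` handles both XML and binary plists, so a malicious plist written in binary form is not missed. Treat any rc-file hit as a reason to diff the file against a known-good copy rather than just deleting the offending line, since the injection may span several lines.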
Potential Detection Coverage Based on MITRE ATT&CK Technique
| Source | Detections | Coverage |
|---|---|---|
| Splunk | Linux Auditd Unix Shell Configuration Modification | Covers shell config modification (zshrc/bashrc injection) — Linux-centric but logic applies to macOS with auditd/EDR |
| Elastic | Bash Shell Profile Modification | Cross-platform rule directly covering .zshrc/.bashrc modification persistence — high relevance to this threat |
| Sigma | Potential Persistence Via PlistBuddy | Covers LaunchAgent plist creation only when the installer goes through PlistBuddy; a direct file write of ai.openclaw.gateway.plist needs a file-creation rule on ~/Library/LaunchAgents/ |
Sources
- @iamian on X — PSA: GitHub repo TriangleMagistrate/DeepSeek-Claw is active malware — Published 2026-03-03
- @iamian on X — Post-mortem: Attack Vector — Published 2026-03-03
4. VMware Aria Operations Unauthenticated Command Injection — Active Exploitation (CISA KEV)
Summary
Broadcom VMware Aria Operations (formerly vROps) has an unauthenticated command injection flaw (CVE-2026-22719, CVSS 8.1) that’s now confirmed exploited in the wild and added to CISA KEV. Exploitation is triggered during support-assisted product migration. Patch to 8.18.6 or run the provided shell script workaround immediately. FCEB agencies have a March 24 deadline.
What’s New (Last 24 Hours)
CISA added CVE-2026-22719 to KEV on 2026-03-03. Broadcom confirms active exploitation. A shell-script workaround (aria-ops-rce-workaround.sh) is available for immediate risk reduction. CVE-2026-22720 (stored XSS) and CVE-2026-22721 (privilege escalation) were also patched in the same advisory.
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| Unexpected script/shell execution from Aria Operations appliance processes | TTP | T1059.004 | EDR / endpoint process telemetry | If workaround is not deployed, hunt for unexpected child processes spawned by Aria Operations services — especially during any migration activity |
| Unexpected outbound HTTP(S) from Aria Operations appliance to non-Broadcom IPs | TTP | T1071.001 | Firewall / proxy logs | Baseline Aria Operations appliance outbound connections; alert on new destinations during or after support-migration tasks |
Potential Detection Coverage Based on MITRE ATT&CK Technique
| Source | Detections | Coverage |
|---|---|---|
| Splunk | VMWare Aria Operations Exploit Attempt | Direct detection for Aria Operations exploitation attempts — maps to CVE-2026-22719 command injection behavior |
| Elastic | Telnet Authentication Bypass via User Environment Variable | Unrelated technique (Telnet environment-variable bypass); no Aria-specific Elastic rule found. Splunk rule is the primary coverage |
| Sigma | None found | No direct Sigma rule for VMware Aria Operations exploitation; monitor with custom rule on appliance process telemetry |
Sources
- CISA — Adds Two Known Exploited Vulnerabilities to Catalog (2026-03-03) — Published 2026-03-03
- Broadcom Security Advisory CVE-2026-22719 — Published 2026-02-28
- The Hacker News — CISA Adds Actively Exploited VMware Aria Operations Flaw to KEV — Published 2026-03-03
5. Juniper Junos OS Evolved PTX — Pre-Auth RCE via Exposed Anomaly Detection Framework
Summary
watchTowr Labs confirmed that the On-Box Anomaly Detection Framework in Junos OS Evolved PTX Series is listening on TCP/8160 bound to 0.0.0.0 — despite Juniper’s advisory claiming it “should only be reachable by internal processes.” The API server (/usr/sbin/monitor/api_server.py) is reachable externally and enables unauthenticated root code execution. CVSS 9.8. Affects Junos OS Evolved 25.4 before 25.4R1-S1-EVO.
What’s New (Last 24 Hours)
watchTowr published a full technical writeup on 2026-03-03 confirming the misconfigured binding, providing the service port/process path, and demonstrating that “should be internal” was aspirational. Juniper issued an out-of-cycle security bulletin with patched versions.
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| Inbound TCP/8160 to Junos OS Evolved PTX devices from non-management subnets | TTP | T1190 | Firewall / network flow logs | Hunt for inbound connections to TCP/8160 on PTX infrastructure; prioritize first-seen IPs and repeated probing patterns |
| /usr/sbin/monitor/api_server.py (On-Box Anomaly Detection API server process) | TTP | T1059 | Device process telemetry / management-plane EDR | Baseline this service; alert on unexpected child-process spawns or anomalous command strings from the API process |
Potential Detection Coverage Based on MITRE ATT&CK Technique
| Source | Detections | Coverage |
|---|---|---|
| Splunk | Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint | Indirect — covers web-facing service exploitation pattern but is Ivanti-specific; no direct Junos rule found. Build custom rule on TCP/8160 inbound. |
| Elastic | Accepted Default Telnet Port Connection | Covers non-standard port inbound connections — logic adapts to TCP/8160 monitoring but no direct rule exists |
| Sigma | Abusable DLL Potential Sideloading From Suspicious Location | Not directly applicable; no Sigma rule for Junos OS Evolved network service exploitation. Firewall rule for TCP/8160 is the primary detection lever. |
Sources
- watchTowr Labs — Junos OS Evolved CVE-2026-21902 Pre-Auth RCE — Published 2026-03-03
- Juniper Out-of-Cycle Security Bulletin CVE-2026-21902 — Published 2026-02-26
6. Cisco Catalyst SD-WAN — Pre-Auth PoC Enabling Rogue Peer + NETCONF Admin Access
Summary
A public PoC repository for CVE-2026-20127 was posted, demonstrating a pre-authentication vulnerability in Cisco Catalyst SD-WAN Controller (vSmart) and Manager (vManage). The exploit creates a rogue peer on the management/control plane, bypasses authentication entirely, and grants administrative access including NETCONF on port 830 for full fabric configuration manipulation. Reportedly exploited since 2023 by threat cluster UAT-8616.
What’s New (Last 24 Hours)
A public working PoC repo (zerozenxlabs/CVE-2026-20127) was posted 2026-03-04, lowering the exploitation bar significantly. UAT-8616 is described as a “highly sophisticated” actor that has been using this zero-day since 2023.
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| Inbound TCP/830 (NETCONF) from first-seen or unexpected source IPs | TTP | T1133 | Firewall / network flow logs | Hunt for new inbound NETCONF sessions to SD-WAN components; correlate with subsequent config changes or new peer additions |
| Unexpected new SD-WAN peer joining the management/control plane | TTP | T1190 | Cisco SD-WAN audit/config logs | Alert on newly-added peers or controllers outside approved maintenance windows; triage trust relationship changes |
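The Junos TCP/8160 row in item 5 and the NETCONF TCP/830 row above are the same hunt on different assets: inbound flows to a sensitive management-plane port from outside the management networks, or from a management source never seen before. The block below is an added example for this brief, not code from watchTowr, Cisco or Juniper; the asset inventory, management subnets, baseline of known sources, flow records and probe threshold are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed inventory and baseline (assumptions for this example).
ASSETS = {                       # device IP -> role
    "10.50.0.11": "ptx",         # Junos OS Evolved PTX
    "10.60.0.5": "sdwan",        # Catalyst SD-WAN Manager/Controller
}
SENSITIVE_PORTS = {"ptx": {8160}, "sdwan": {830}}
MANAGEMENT_CIDRS = [ipaddress.ip_network("10.10.0.0/24")]
# (src, dst, dport) tuples observed during the baseline window.
KNOWN_SOURCES = {("10.10.0.7", "10.60.0.5", 830)}
PROBE_THRESHOLD = 3              # repeated hits on one dst:port from one source

# Constructed flow records: ts, src, dst, proto, dport
FLOWS = """\
2026-03-04T01:00:01Z 10.10.0.7 10.60.0.5 tcp 830
2026-03-04T01:00:05Z 10.10.0.9 10.60.0.5 tcp 830
2026-03-04T01:00:10Z 198.51.100.23 10.50.0.11 tcp 8160
2026-03-04T01:00:11Z 198.51.100.23 10.50.0.11 tcp 8160
2026-03-04T01:00:12Z 198.51.100.23 10.50.0.11 tcp 8160
2026-03-04T01:00:20Z 10.10.0.7 10.50.0.11 tcp 22
2026-03-04T01:01:00Z 203.0.113.4 10.60.0.5 tcp 443
"""


def in_management(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in MANAGEMENT_CIDRS)


def parse_flow(line):
    ts, src, dst, proto, dport = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto, "dport": int(dport)}


def hunt(flows=FLOWS, known=KNOWN_SOURCES):
    """Return (rule, (src, dst, dport), first_ts) alerts for sensitive-port exposure."""
    alerts = []
    seen = set(known)
    probes = Counter()
    for line in flows.splitlines():
        f = parse_flow(line)
        role = ASSETS.get(f["dst"])
        if role is None or f["dport"] not in SENSITIVE_PORTS[role]:
            continue                      # not a watched device/port pair
        key = (f["src"], f["dst"], f["dport"])
        probes[key] += 1
        if key not in seen:
            reason = ("T1190 sensitive port reached from outside management networks"
                      if not in_management(f["src"])
                      else "T1133 first-seen management source on sensitive port")
            alerts.append((reason, key, f["ts"]))
            seen.add(key)
        if probes[key] == PROBE_THRESHOLD:
            alerts.append(("repeated probing of sensitive port", key, f["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in hunt():
        print(alert)
```

For the Junos case the right outcome is that no flow to TCP/8160 exists at all: the service is meant for internal processes, so a single outside hit is both an exploitation attempt and evidence that the edge filter is missing. For NETCONF, a first-seen management source is lower severity on its own and should be joined with the SD-WAN audit log for a configuration change or new peer in the same window before paging anyone.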
Potential Detection Coverage Based on MITRE ATT&CK Technique
| Source | Detections | Coverage |
|---|---|---|
| Splunk | Ivanti VTM New Account Creation | Covers unexpected account/peer creation on network appliances — logic maps to SD-WAN unauthorized peer creation, though Ivanti-specific. No direct Cisco SD-WAN rule found. |
| Elastic | None found | No Elastic rule for Cisco SD-WAN exploitation; monitor via network flow logs for TCP/830 anomalies |
| Sigma | FortiGate - New VPN SSL Web Portal Added | Analogous pattern (unexpected network gateway config change) — no Cisco SD-WAN specific Sigma rule exists; build custom on NETCONF session logs |
Sources
- @Dinosn on X — CVE-2026-20127 working PoC — Published 2026-03-04
- GitHub — zerozenxlabs/CVE-2026-20127---Cisco-SD-WAN-Preauth-RCE — Published 2026-03-04
7. MajorDoMo — Three Unauthenticated RCE Metasploit Modules Published
Summary
Three Metasploit modules for unauthenticated RCE in MajorDoMo (a popular Russian open-source smart home platform) landed in a single PR on 2026-03-03, covering console eval via missed redirect, command injection via cycle_execs.php, and supply-chain RCE via update URL poisoning in the saverestore module. Public weaponization dramatically increases opportunistic exploitation risk for any internet-exposed MajorDoMo instances.
What’s New (Last 24 Hours)
Metasploit PR #21000 added three fully-documented unauthenticated RCE modules with Docker lab setups. All three modules have distinct exploit paths and are independently weaponizable.
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| rc/index.php (unusual POST parameters or eval strings) | TTP | T1190 | Web server access logs | Hunt for anomalous POSTs to rc/index.php — especially with console/eval-style parameters — followed by php spawning sh/cmd/powershell |
| cycle_execs.php (bursty requests from untrusted IPs) | TTP | T1190 | Web server access logs | Alert on burst request patterns to cycle_execs.php from non-admin IPs; pivot to server-side process execution telemetry for child process spawns |
| saverestore module outbound fetches to unknown domains | TTP | T1190 | App logs / outbound proxy / DNS logs | Inventory configured update URLs in MajorDoMo; alert on unexpected outbound fetches and follow-on execution from downloaded files |
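The first two rows above are web access-log hunts: console/eval-style requests to rc/index.php and bursts against cycle_execs.php from addresses that are not the administrator's. The block below is an added example for this brief, not code from the Metasploit modules or the MajorDoMo project; the log lines are constructed in Apache combined format, the admin address list, burst window, threshold and query-string indicator words are assumptions, and one line carries a percent-encoded path to show why decoding before matching matters.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed Apache combined-format lines (not from a real MajorDoMo host).
ACCESS_LOG = """\
198.51.100.8 - - [03/Mar/2026:10:00:01 +0000] "POST /rc/index.php?action=console&cmd=eval HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.0.0.5 - - [03/Mar/2026:10:00:02 +0000] "GET /admin.php?view=panel HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Mar/2026:10:00:10 +0000] "GET /cycle_execs.php?id=1 HTTP/1.1" 200 10 "-" "curl/8.4.0"
203.0.113.9 - - [03/Mar/2026:10:00:12 +0000] "GET /cycle_execs.php?id=2 HTTP/1.1" 200 10 "-" "curl/8.4.0"
203.0.113.9 - - [03/Mar/2026:10:00:15 +0000] "GET /cycle_execs.php?id=3 HTTP/1.1" 200 10 "-" "curl/8.4.0"
203.0.113.9 - - [03/Mar/2026:10:00:18 +0000] "GET /cycle_execs.php?id=4 HTTP/1.1" 200 10 "-" "curl/8.4.0"
10.0.0.5 - - [03/Mar/2026:10:05:00 +0000] "GET /cycle_execs.php?id=1 HTTP/1.1" 200 10 "-" "Mozilla/5.0"
198.51.100.8 - - [03/Mar/2026:10:06:00 +0000] "POST /rc/%69ndex.php?action=console HTTP/1.1" 200 512 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
ADMIN_IPS = {"10.0.0.5"}                    # assumed operator addresses
BURST_WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 3
CONSOLE_INDICATORS = ("eval", "console", "cmd", "exec")


def parse_line(line):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["target"] = unquote(rec["target"])  # /rc/%69ndex.php -> /rc/index.php
    path, _, query = rec["target"].partition("?")
    rec["path"], rec["query"] = path.lower(), query.lower()
    return rec


def hunt(log=ACCESS_LOG):
    """Return (rule, client_ip, detail) alerts for the two exploit-path patterns."""
    alerts = []
    recent = defaultdict(deque)             # ip -> timestamps of cycle_execs.php hits
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["path"].endswith("/rc/index.php") and rec["method"] == "POST"
                and any(k in rec["query"] for k in CONSOLE_INDICATORS)):
            alerts.append(("T1190 console/eval-style POST to rc/index.php", rec["ip"], rec["target"]))
        if rec["path"].endswith("/cycle_execs.php") and rec["ip"] not in ADMIN_IPS:
            q = recent[rec["ip"]]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > BURST_WINDOW:
                q.popleft()                 # slide the window forward
            if len(q) == BURST_THRESHOLD:   # fire once when the threshold is first crossed
                alerts.append(("T1190 burst of cycle_execs.php requests", rec["ip"],
                               f"{len(q)} hits in {BURST_WINDOW.seconds}s"))
    return alerts


if __name__ == "__main__":
    for alert in hunt():
        print(alert)
```

Access logs do not record POST bodies, so the rc/index.php rule only sees indicators carried in the query string; if the console payload travels in the body you need request-body logging from a WAF or the application itself, or fall back to the process-telemetry side of the row (php spawning a shell). The burst rule fires once per window crossing rather than on every hit so a scanner does not page you four times for one probe.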
Potential Detection Coverage Based on MITRE ATT&CK Technique
| Source | Detections | Coverage |
|---|---|---|
| Splunk | Spring4Shell Payload URL Request | Covers web-based RCE payload URL patterns — indirect; no MajorDoMo-specific rule. Custom web log rule on rc/index.php and cycle_execs.php is the primary lever. |
| Elastic | Windows Server Update Service Spawning Suspicious Processes | WSUS-specific; does not cover MajorDoMo's PHP-side update fetch. No direct Elastic rule found for the saverestore update URL poisoning vector |
| Sigma | None found | No Sigma rule for MajorDoMo; build custom detection on web access logs for exploit path patterns |
Sources
- GitHub — Metasploit PR #21000: Add three MajorDoMo unauthenticated RCE modules — Published 2026-03-03
8. MuddyWater — Fresh C2 IOCs: Custom UDP/1269 “Key C2” + Blockchain PS1 Loader
Summary
Researcher @nahamike01 identified a new MuddyWater open directory (157.20.182[.]49:8000) exposed in mid-February, with over 1,000 staged files. Key artifacts: a custom C2 server called “Key C2” operating on UDP/1269, a PowerShell dropper (reset.ps1) executing obfuscated JavaScript, downloading Node.js v18.17.0, and communicating with blockchain-based infrastructure at 185.236.25[.]119:3001. Tsundere Botnet panels were identified on the same C2 IP. UAE engineering company NMDC Group appears to be a newly-identified target.
What’s New (Last 24 Hours)
Fresh IOC cluster posted on 2026-03-03 via pivot on FMAPP.exe in HuntIO Attack Capture — new C2 IPs, a unique PowerShell hash, and a non-standard UDP C2 port not previously associated with MuddyWater.
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| 157.20.182[.]49 | IOC | T1071.001 | Firewall / network flow logs | Block and alert on any outbound connection to this IP; pivot on historical connections to identify compromised endpoints |
| 185.236.25[.]119 | IOC | T1071.001 | Firewall / network flow logs | Block/alert on 185.236.25[.]119 across ports 80, 3000, and 3001 — active Tsundere Botnet panels and MuddyWater C2 |
| 7ab597ff0b1a5e6916cad1662b49f58231867a1d4fa91a4edf7ecb73c3ec7fe6 (reset.ps1) | IOC | T1059.001 | EDR file / email gateway telemetry | Hunt for this SHA-256 hash; the script downloads Node.js, executes obfuscated JS, and communicates with blockchain C2 |
| Outbound UDP/1269 from endpoints or servers | TTP | T1095 | Firewall / network flow logs | Alert on outbound UDP/1269 — non-standard port used by MuddyWater’s custom “Key C2” framework |
Potential Detection Coverage Based on MITRE ATT&CK Technique
| Source | Detections | Coverage |
|---|---|---|
| Splunk | Detect Empire with PowerShell Script Block Logging | Covers obfuscated PowerShell execution patterns via script block logging — maps to reset.ps1 obfuscated JS execution |
| Elastic | Potential PowerShell Obfuscated Script via High Entropy | Detects high-entropy obfuscated PowerShell — directly applicable to the obfuscated JavaScript payloads inside reset.ps1 |
| Sigma | Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell | Covers obfuscated IEX invocations commonly used in the obfuscated JS/PS payload execution chain |
Sources
- @nahamike01 on X — MuddyWater open directory + new IOCs — Published 2026-03-03