Backdoor
-
New Linux PamDOORa backdoor sold on cybercrime forum, researchers say
Researchers disclosed PamDOORa, a Linux backdoor sold on a Russian cybercrime forum for up to $1,600. The PAM-based tool can provide persistent SSH access, harvest credentials and tamper with logs, though no real-world use has been seen.
-
WordPress redirect plugin hid dormant backdoor for years
A WordPress redirect plugin installed on more than 70,000 sites hid a dormant backdoor for years, according to a technical analysis by Anchor. The issue involved a hidden update path and a tampered build from an external server.
-
Smart Slider update hijacked to push malicious WordPress and Joomla versions
Hackers hijacked the Smart Slider 3 Pro update system for WordPress and Joomla, pushing a malicious version that could create hidden admin accounts, install backdoors and steal credentials, according to the vendor and a technical analysis.
-
China-linked group embeds stealthy kernel backdoors in telecom networks, Rapid7 says
Security firm Rapid7 reported that a China-linked threat cluster known as Red Menshen has embedded kernel-level implants and stealthy backdoors such as BPFDoor inside telecommunications networks to gather intelligence while evading conventional detection.
-
DRILLAPP backdoor runs in Edge to target Ukrainian entities
A February 2026 campaign used a JavaScript backdoor called DRILLAPP that runs in Microsoft Edge to capture files, microphone audio, camera video and screen images via the browser.
-
New Russian-linked campaign uses BadPaw loader to deploy MeowMeow backdoor in Ukraine
A new cyber campaign targeted Ukrainian organizations using a .NET loader named BadPaw that deploys a MeowMeow backdoor after a phishing ZIP archive and HTA lure, with sandbox checks and persistence tactics.
-
Fake Next.js interview projects backdoor developer machines
Fake Next.js repositories and coding tests are being used to trigger remote code execution on developer machines. Malicious JavaScript runs when projects are opened or run then installs backdoors and exfiltrates data.
-
Black Cat uses SEO poisoning to distribute backdoor, compromises about 277,800 hosts in China
A CNCERT/CC and ThreatBook technical analysis links the Black Cat gang to an SEO poisoning campaign that pushed fake software downloads and implanted a backdoor, compromising about 277,800 hosts in China between December 7 and 20, 2025.
-
Malicious npm WhatsApp API ‘lotusbail’ found stealing tokens and linking attacker devices
A malicious npm package named lotusbail, downloaded more than 56,000 times, masquerades as a WhatsApp API while capturing authentication tokens, messages and contacts and linking an attacker device to victims’ WhatsApp accounts, Koi Security researchers said; ReversingLabs also disclosed related NuGet supply-chain malware.
-
GhostPoster campaign hid JavaScript in Firefox extension icons to load backdoor
Researchers at Koi Security uncovered the GhostPoster campaign, which hides a JavaScript loader inside Firefox extension icon images to fetch an obfuscated payload that can hijack affiliate links, inject tracking, strip security headers and conduct ad and click fraud; Mozilla said it removed the affected extensions and updated detection systems.
