Daily Threat Briefing
Diamond Trail

Cyware Daily Threat Intelligence, February 26, 2026


In a stealthy twist on modern malware tradecraft, the Dohdoor campaign attributed to UAT-10027 is targeting U.S. education and healthcare organizations using DNS-over-HTTPS (DoH) for C2, DLL sideloading, process hollowing, and EDR bypass techniques.

ResidentBat, an Android spyware operation uncovered in December 2025 and attributed to the Belarusian KGB, enables highly targeted surveillance of journalists and civil society. It is installed through physical device access, ADB sideloading, and disabling of Google Play Protect, and offers extensive data collection, including encrypted communications, as well as remote device control.

Cisco has issued emergency patches for a critical Catalyst SD-WAN zero-day vulnerability (CVE-2026-20127) that allows authentication bypass and administrative takeover. Exploitation is attributed to UAT-8616, and federal agencies are urged to remediate within 48 hours.

Top Malware Reported in the Last 24 Hours

Dohdoor malware targets U.S. education and healthcare sectors

A new malware campaign named Dohdoor, attributed to the threat actor UAT-10027, targets the education and healthcare sectors in the United States. The campaign utilizes advanced techniques such as DNS-over-HTTPS (DoH) for command-and-control (C2) communication, DLL sideloading, process hollowing, and endpoint detection and response (EDR) bypass. Cisco Talos has identified technical overlaps between this campaign and North Korean APT groups like Lazarus, although the victim profile differs from their typical targets.
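DoH-based C2 hides DNS lookups inside ordinary HTTPS to a public resolver, so a detection has to look at the DoH request itself rather than at port 53. The following is an added example, not code from Cisco Talos or from this briefing: it decodes RFC 8484 GET queries (the `dns=` base64url parameter) from constructed proxy log lines, extracts the queried name, and flags names whose leftmost label is long or high-entropy, the shape encoded beacon data usually takes. The log line format, the resolver list, and the thresholds are assumptions chosen for illustration, and nothing here reflects how Dohdoor specifically encodes its traffic.

```python
"""Decode DNS-over-HTTPS (RFC 8484) GET queries seen in proxy logs and
flag query names that look like encoded command-and-control data.

Added example for illustration; the log format ("METHOD host path"),
the resolver list and the thresholds are assumptions, not from any report."""
import base64
import math
import struct
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Well-known public DoH endpoints (assumed list). A managed endpoint that
# bypasses corporate DNS to reach one of these is worth a look on its own.
DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}


def build_doh_get(resolver: str, qname: str) -> str:
    """Build a constructed log line carrying a DoH GET for an A record (sample data only)."""
    header = struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # ID, RD flag, QDCOUNT=1
    question = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    question += struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN
    wire = base64.urlsafe_b64encode(header + question).rstrip(b"=").decode()
    return f"GET {resolver} /dns-query?dns={wire}"


def decode_dns_param(value: str) -> bytes:
    """RFC 8484 GET uses base64url without padding; restore padding before decoding."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def parse_qname(msg: bytes) -> str:
    """Return the first question name from a DNS wire-format message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack(">H", msg[4:6])[0]
    if qdcount == 0:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        length = msg[pos]
        if length == 0:
            break
        if length & 0xC0:  # compression pointers never appear in a query name
            raise ValueError("unexpected label pointer")
        pos += 1
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payloads score well above real hostnames."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def analyse_line(line: str, max_label: int = 24, max_entropy: float = 3.5):
    """Return (resolver, qname, reasons) for a DoH GET line, or None for other traffic."""
    parts = line.split(" ", 2)
    if len(parts) != 3:
        return None
    method, host, path = parts
    if method != "GET" or host not in DOH_RESOLVERS:
        return None
    params = parse_qs(urlsplit(path).query)
    if "dns" not in params:
        return None
    qname = parse_qname(decode_dns_param(params["dns"][0]))
    reasons = ["doh-to-public-resolver"]
    first = qname.split(".")[0]
    if len(first) > max_label:
        reasons.append("long-label")
    if shannon_entropy(first) > max_entropy:
        reasons.append("high-entropy-label")
    return host, qname, reasons


def analyse_log(lines):
    """Run analyse_line over a log and keep only the DoH findings."""
    return [r for r in (analyse_line(l) for l in lines if l.strip()) if r]


# Constructed sample log: one plain web request, one benign DoH lookup,
# and one DoH lookup whose leftmost label carries encoded data.
SAMPLE_LOG = [
    "GET www.example.com /index.html",
    build_doh_get("dns.google", "www.example.com"),
    build_doh_get("cloudflare-dns.com", "aGVsbG8tYmVhY29uLWlkLTQyMTMzNw.c2.example.net"),
]

if __name__ == "__main__":
    for resolver, qname, reasons in analyse_log(SAMPLE_LOG):
        print(f"{resolver:20} {qname:50} {','.join(reasons)}")
```

Tune `max_label` and `max_entropy` against a baseline of your own DoH traffic before alerting on them; legitimate CDN hostnames can trip a naive entropy threshold, so the resolver match is the high-confidence signal and the label heuristics are for triage ordering.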

ResidentBat targets journalists with Belarusian KGB ties

ResidentBat is an Android spyware, discovered in December 2025, that the Belarusian KGB uses for targeted surveillance of journalists and civil society. It requires physical access to the device for installation and provides extensive surveillance capabilities: operators can access SMS, call logs, encrypted messenger traffic, microphone recordings, screen captures, and device files, and can control the device remotely, including wiping its data. Installation involves ADB sideloading, disabling Google Play Protect, and manually granting permissions, which makes the operation highly targeted but limited in scale.

Top Vulnerabilities Reported in the Last 24 Hours

Critical Cisco zero-day vulnerability exposed

Cisco released emergency patches for a critical Catalyst SD-WAN zero-day vulnerability (CVE-2026-20127) that allows remote attackers to bypass authentication and gain administrative privileges. The flaw affects Catalyst SD-WAN Controller and Manager, enabling attackers to manipulate network configurations. Cisco provided patches and indicators of compromise (IoCs) so organizations can detect malicious activity, and federal agencies were urged to patch within two days. Exploitation of the vulnerability is attributed to UAT-8616, a sophisticated threat actor whose connections to known groups or countries remain unclear.

ServiceNow AI Platform flaw allows remote code execution

ServiceNow identified CVE-2026-0542, a critical vulnerability in its AI Platform, enabling remote code execution without authentication. The vulnerability could expose sensitive workflow data, automation logic, and enterprise integrations. No active exploitation of the vulnerability has been detected as of February 25, 2026. ServiceNow released patches to address the issue, with updates available for both hosted and self-hosted customers. Organizations using ServiceNow are advised to apply the patches promptly, especially for internet-accessible systems.
