An undislcosed organization
March 12, 2026
•[ ransomware, social engineering, data theft ]
IBM X-Force described a case where a threat actor remained on a compromised server for more than a week and stole data during an Interlock ransomware intrusion. The attack began with ClickFix social engineering and later deployed a PowerShell backdoor called Slopoly (likely AI-assisted), alongside other components such as NodeSnake and InterlockRAT. The article is a case-study/campaign description and does not name the victim organization or quantify the affected records beyond describing persistence and data theft.
Undisclosed U.S. aerospace and defense firm
March 6, 2026
•[ backdoor, data exfiltration, nation-state actor ]
SecurityWeek summarized Broadcom Symantec/Carbon Black reporting that Iran-linked MuddyWater (also known as Seedworm/Mango Sandstorm and linked to Irans MOIS) had established presence in multiple organizations networks, including a US airport, a US bank, an NGO operating in the US and Canada, an aerospace and defense contractor, and a software company with a presence in Israel. The report said MuddyWater deployed a new backdoor called Dindoor in several environments and a Python backdoor called Fakeset in others, and attempted to exfiltrate data from the software companys Israeli branch.
Undisclosed U.S. organization
February 1, 2026
•[ cyber espionage, APT, backdoor ]
HackRead reported that researchers linked a campaign observed in early February 2026 to Iran-aligned APT MuddyWater, described as operating under Irans Ministry of Intelligence and Security. The report stated attackers infiltrated networks of several U.S. organizations across sectors (including banking and aviation) and an Israeli software development services operation, maintaining persistence and using a new custom backdoor called Dindoor to remotely issue commands and sustain access. The article describes espionage tradecraft and persistence but does not list specific victims or confirm specific data stolen.
At least one US government official
January 19, 2026
•[ spearphishing, espionage, DLL sideloading ]
HackRead summarized Acronis research describing an espionage-oriented spearphishing campaign targeting U.S. government entities using Venezuela-related news as bait. The described chain used a lure archive and DLL sideloading to load a backdoor dubbed LOTUSLITE, enabling remote access actions such as file collection and command execution on compromised systems. The article stated the researchers attributed the activity with moderate confidence to the China-backed group Mustang Panda (aka HoneyMyte).
Gen Digital
November 3, 2025
•[ spear-phishing, malware, backdoor ]
Gen Digital reported that the North Korea-linked Kimsuky group used spear-phishing emails carrying a fake VPN invoice ZIP archive to compromise at least one South Korean victim and deploy a new HttpTroy backdoor. Execution of the malicious SCR file launches a three-stage chain (dropper, MemLoad loader and HttpTroy DLL) that displays a decoy PDF while silently establishing persistence via a scheduled task masquerading as an AhnLab update. HttpTroy then connects to a remote command-and-control server and gives the attackers full remote-access capabilities, including file transfer, command execution, reverse shell, process control and screenshot capture.
At least one official in Ukraine's Defense Forces
October 1, 2025
•[ phishing, malware, backdoor ]
BleepingComputer reported that officials of Ukraines Defense Forces were targeted in a charity-themed operation between October and December 2025 that delivered a backdoor malware family called PluggyApe. CERT-UA assessed the activity as likely linked to the Russian-aligned threat group known as Void Blizzard (also referred to as Laundry Bear), with medium confidence in attribution. The infection chain described begins with instant messages over Signal or WhatsApp directing targets to a purported charity website and prompting them to download a password-protected archive containing documents, which then leads to backdoor execution and follow-on access for information theft. The report focuses on the campaigns TTPs and targeting rather than publishing a confirmed list of compromised entities.
Undisclosed financial institutions (ATM network)
July 30, 2025
•[ backdoor, financial theft, atm hacking ]
Infosecurity reports cybercriminals used Raspberry Pi devices to install a backdoor in ATM networks to steal funds.
Juniper Networks Routers
March 12, 2025
•[ backdoor ]
Chinese group UNC3886 deployed custom backdoors on outdated Juniper MX routers.
United Arab Emirates Government Entities
March 4, 2025
•[ malware, backdoor ]
Researchers reported Sosano backdoor used against UAE aviation and transport organizations.
Multiple Organizations in Asia
February 6, 2025
•[ espionage, backdoor, credential theft ]
Evasive Panda, a Chinese state-sponsored group operating under the Ministry of State Securitys Guangdong State Security Department / Technical Reconnaissance Bureau, deployed a custom SSH backdoor across enterprise network devices to exfiltrate credentials and maintain long-term covert access in espionage operations identified by Cisco Talos in February 2025.
At least one undisclosed government and/or tech company
November 4, 2024
•[ state-sponsored, malware, backdoor ]
Government cybersecurity reporting described PRC state-sponsored actors using BRICKSTORM malware to maintain long-term persistence in victim environments, primarily affecting government services/facilities and IT sector organizations. In a documented case, actors accessed a DMZ web server (with a web shell present), moved laterally using service account credentials, copied Active Directory databases, pivoted into VMware vCenter, accessed domain controllers and an ADFS server, and exported cryptographic keys. BRICKSTORM provided stealthy backdoor access for command-and-control and remote operations and was used for persistence from at least April 2024 through at least September 3, 2025. The specific victim organization name was not disclosed in the reporting.
Organizations in Myanmar
January 15, 2024
•[ espionage, backdoor, malware ]
Mustang Panda leveraged mavinject.exe and DLL side-loading to inject a ToneShell family backdoor into processes on targeted Myanmar organisation endpoints to enable espionage and persistent access.
