InfoSec Briefing - February 27, 2026

🎧 Audio Briefing

Playback Speed:

Yesterday's security developments from Thursday, February 26, 2026. We're covering 4 articles today. All attribution is by the article authors. All article analysis is automated.

A security researcher at kmsec.uk has published findings on tracking North Korean APT group FAMOUS CHOLLIMA's IP addresses by exploiting vulnerabilities in temporary email services used to register malicious npm accounts. The analysis revealed the group's operational infrastructure between July 2025 and January 2026, showing their use of VPNs like Astrill and hide.me, along with network providers including China Unicom and TransTeleCom Russia for distributing malware through the npm software supply chain.

Censys has disclosed details about ResidentBat, an Android spyware implant developed by the Belarusian KGB and discovered in December 2025. The malware has been targeting journalists and civil society members since at least 2021, requiring physical device access for installation and enabling comprehensive surveillance including exfiltration of SMS, call logs, encrypted messages, recordings, and screen captures through command and control infrastructure located in Europe and Russia. Detection involves monitoring TLS connections with CN=server certificates on ports 7000 through 7257 and implementing physical access controls.

Cisco Talos has identified a new malware campaign called Dohdoor, operated by threat actor UAT-10027, targeting U.S. education and healthcare organizations since December 2025. The malware uses DNS-over-HTTPS for command and control communications through Cloudflare infrastructure and employs EDR bypass techniques by unhooking ntdll.dll to execute payloads reflectively, potentially delivering Cobalt Strike beacons.

Infoblox has reported that threat actors are exploiting the .arpa top-level domain, normally reserved for infrastructure, to host phishing content by creating A records for reverse DNS names in IPv6 address space instead of expected PTR records. The campaign bypasses traditional security measures because .arpa domains have inherently clean reputations and are implicitly trusted for internet infrastructure, coordinating abuse of free IPv6 tunnels with DNS providers that permit A record creation for .arpa domains.

That concludes today's briefing.

📰 Articles Covered

Tracking DPRK operator IPs over time - kmsec.uk (individual security researcher)

The cybersecurity article details how the author tracked the IP addresses of the North Korean (DPRK) operator group **FAMOUS CHOLLIMA** by analyzing their activity on the **npm platform** 【1】.

**What Happened:**
FAMOUS CHOLLIMA registered npm accounts using temporary email services and published malicious packages 【1】. A vulnerability in several of these temporary email services allowed for the viewing of mailbox contents via a specific URL, which exposed the IP addresses used by the operators 【1】. This enabled the author to compile a history of IP addresses and associated VPNs or network providers used by the group between July 2025 and January 2026 【1】.

**Who is Affected:**
The primary targets are **developers** and the **software supply chain** due to the distribution of malware through a popular software repository like npm 【1】.

**Security Implications:**
The main security implication is the **distribution of malware** through a widely used platform, posing a significant risk to users who might download these malicious packages 【1】.

**Technical Details:**
The operation involved exploiting **insecure temporary email services** to gain access to operator IP addresses 【1】. Specific domains were used for account registration, and various IP addresses were identified, linked to VPNs such as **Astrill and hide.me**, as well as network providers like **China Unicom and TransTeleCom Russia** 【1】.

**What Defenders Should Know:**
Defenders should be aware of FAMOUS CHOLLIMA's tactics, specifically their **reliance on temporary email services and VPNs** 【1】. It is also crucial to understand that these temporary email services can be compromised, revealing valuable intelligence 【1】. The article suggests that platforms like npm should implement stricter measures against temporary email sign-ups, as they are frequently abused 【1】. Monitoring IP addresses associated with such activities is highlighted as an actionable indicator of compromise 【1】.
ResidentBat: Belarusian KGB Android Spyware at Internet Scale - Censys - Censys

ResidentBat is an **Android spyware implant** developed by the **Belarusian KGB**, with its development dating back to at least 2021 【1】. It was discovered in December 2025 by Reporters Without Borders (RSF) and RESIDENT.NGO 【1】.

**What Happened:**
The spyware enables **long-lived surveillance and remote control of targeted devices** 【1】. It is designed to exfiltrate sensitive data and can also remotely wipe the device 【1】.

**Who is Affected:**
The primary targets of ResidentBat are **journalists and civil society members** 【1】.

**Security Implications:**
The spyware poses a significant threat by allowing for the **compromise of sensitive personal and professional information**, including SMS messages, call logs, encrypted messenger traffic, microphone recordings, screen captures, and locally stored files 【1】. The ability to remotely wipe a device also means potential data loss for the victim 【1】.

**Technical Details:**
- **Installation:** ResidentBat is not distributed through its Command and Control (C2) servers. Instead, it requires **physical access to the target device**, ADB sideloading, manual granting of permissions, and disabling of Google Play Protect for installation 【1】.
- **C2 Infrastructure:** The C2 infrastructure is mainly located in **Europe and Russia** 【1】.
- **Indicators:** Technical indicators include self-signed certificates with `CN=server`, a consistent TLS/HTTP banner hash, and communication over HTTPS within a narrow port range of **7000-7257** 【1】.

**What Defenders Should Know:**
Defenders should be aware of the following to detect and prevent ResidentBat infections:
- **Network-based Detection:** Monitor TLS connections to servers with `CN=server` certificates on ports 7000-7257 and utilize banner hashes for blocking or alerting 【1】.
- **Device-based Detection:** Watch for signs of ADB usage, sideloaded packages, disabled Google Play Protect, and sensitive permissions granted to unfamiliar applications 【1】.
- **Prevention:** **Physical access and supply-chain security are critical**. Defenders should disable USB debugging, avoid untrusted sideloading sources, and consider Android Advanced Protection Mode for high-risk individuals 【1】.
New Dohdoor malware campaign targets education and health care - Cisco Talos

A new malware campaign, named **Dohdoor**, has been identified by Cisco Talos, targeting organizations primarily in the **education and health care sectors** within the United States 【1】. This campaign has been active since at least **December 2025** 【1】.

**What Happened:**
The threat actor, identified as UAT-10027, employs a multi-stage attack chain that is believed to initiate through **social engineering phishing techniques** 【1】. The core of the campaign is the Dohdoor malware, a previously unknown backdoor 【1】.

**Who is Affected:**
The primary targets of this campaign are organizations within the **education and health care industries**, with a focus on those located in the **United States** 【1】.

**Security Implications:**
Dohdoor poses significant security risks due to its sophisticated methods for **command-and-control (C2) communications and payload execution** 【1】. It utilizes **DNS-over-HTTPS (DoH)** to disguise its C2 traffic through legitimate cloud services like Cloudflare, making detection challenging 【1】. Furthermore, the malware can **bypass Endpoint Detection and Response (EDR) solutions** by employing an unhooking technique that restores system call stubs in `ntdll.dll` 【1】. This allows it to execute payloads reflectively, with indications that **Cobalt Strike beacons** might be used 【1】. There are also low-confidence similarities noted between UAT-10027 and North Korean APT actors, such as Lazarus, due to custom decryption techniques, NTDLL unhooking, and the use of DoH 【1】.

**Technical Details of Dohdoor:**
- **C2 Communication:** Employs **DNS-over-HTTPS (DoH)** to mask C2 traffic through reputable services like Cloudflare 【1】.
- **Execution:** Leverages **living-off-the-land binaries (LOLBins)** for sideloading and process hollowing to inject malicious payloads into legitimate Windows processes 【1】.
- **EDR Evasion:** Utilizes an **unhooking technique** to restore system call stubs in `ntdll.dll`, thereby bypassing EDR solutions 【1】.
- **Payload Delivery:** Decrypts and executes payloads **reflectively** 【1】.
- **Potential Tools:** Evidence suggests the potential use of **Cobalt Strike beacons** 【1】.

**What Defenders Should Know:**
Defenders need to be aware of and vigilant against the techniques employed by Dohdoor, including:
- **Obfuscated C2 Communications:** The use of DoH makes traditional network-based detection of C2 traffic more difficult 【1】.
- **EDR Bypass Methods:** The unhooking technique used to evade EDR solutions requires advanced detection capabilities 【1】.
- **LOLBin Usage:** The reliance on legitimate system binaries for malicious purposes can make it harder to distinguish malicious activity from normal system operations 【1】.
- **Disguised DLLs and Obfuscation:** The malware likely uses these methods to hide its presence and functionality 【1】.

Cisco Talos has provided **ClamAV signatures and SNORT rules** to aid in the detection and blocking of this threat 【1】.
Abusing .arpa: The TLD That Isn’t Supposed to Host Anything - Infoblox

A recent phishing campaign has been discovered that exploits the **.arpa top-level domain (TLD)**, which is normally reserved for infrastructure purposes and not intended to host content 【1】.

**What Happened:**
Threat actors are leveraging **reverse DNS strings within the .arpa TLD** to host phishing content 【1】. They achieve this by obtaining IPv6 address space and creating **A records for reverse DNS names** instead of the expected PTR records. This allows them to host malicious content on domains that should not resolve to an IP address 【1】. The phishing emails impersonate well-known brands and use hyperlinked images that redirect victims through a traffic distribution system (TDS) to the malicious phishing pages 【1】. This campaign also utilizes other tactics such as hijacking dangling CNAMEs and subdomain shadowing 【1】.

**Who is Affected:**
The phishing campaign **affects users who receive these deceptive emails** and are tricked into clicking on the malicious links, potentially leading to credential theft or other forms of compromise 【1】. While specific customer traffic to these .arpa domains hasn't been observed, passive DNS data indicates queries to numerous IPv6 and IPv4 reverse DNS domains, including those used in the phishing emails 【1】.

**Security Implications:**
The primary security implication is that **traditional security measures are bypassed** 【1】. Because .arpa domains are implicitly trusted for internet infrastructure, they have an inherently clean reputation, lack registration information, and are typically not blocked by security policies 【1】. This makes it difficult for security systems that rely on domain reputation, registration data, or blocklists to detect and prevent these attacks 【1】.

**Technical Details:**
The attack involves the **coordinated abuse of two services**:
- Obtaining a free **IPv6 tunnel** 【1】.
- Using DNS providers that permit the creation of **A records for .arpa domains** 【1】.
Providers like Hurricane Electric and Cloudflare have been observed being used in the creation of these malicious records 【1】. The threat actors are essentially using reverse DNS lookups to host phishing content, a function for which these domains were not designed 【1】.

**What Defenders Should Know:**
Defenders need to be aware that **standard security controls based on domain reputation, registration information, or policy blocklists are ineffective** against this specific .arpa abuse technique 【1】. Security teams should monitor for indicators of compromise, such as the specific IPv6 reverse DNS domains and TDS domains identified in the campaigns 【1】. Understanding the mechanics of this abuse, particularly the use of IPv6 tunnels and the creation of A records in .arpa, is crucial for developing new detection and mitigation strategies 【1】.