Threat Research

    UAT-8099 is a Chinese-speaking cybercrime group targeting high-value IIS servers in countries like India, Thailand, Vietnam, Canada, and Brazil to conduct SEO fraud and steal credentials, config files, and certificates. They use web shells, Cobalt Strike, and BadIIS malware to manipulate search rankings and maintain persistence....
    In September 2025, our team uncovered a new multi-stage ClickFix campaign likely aimed at Russian civil society. The campaign is attributed with moderate confidence to the Russia-linked APT group COLDRIVER. COLDRIVER, also known as Star Blizzard or Callisto, is known for credential phishing and targeting NGOs, journalists, and activists....
    Phantom Taurus is a newly identified Chinese nation-state APT group focused on espionage. Active for over two years, it targets government and telecom sectors in Africa, the Middle East, and Asia, especially ministries, embassies, and military operations. Known for its stealth and adaptive TTPs, the group uses a custom malware tool called NET-STAR....
    The intrusion started with a JavaScript file linked to the Lunar Spider group, disguised as a tax form, which downloaded and executed Brute Ratel via an MSI installer. Throughout the attack, various malware strains were deployed, including Latrodectus, Brute Ratel C4, Cobalt Strike, BackConnect, and a custom .NET backdoor....
    PhantomCard is an Android malware used in NFC relay attacks (ghost tapping) to steal payment card data and commit fraud at ATMs and POS terminals. It's spread via Telegram and possibly the Google Play Store, and is linked to Chinese-speaking cybercriminals targeting financial and retail sectors....
    Software supply chain attacks are surging, as seen in the "Shai-Hulud" worm targeting npm. Attackers are harvesting developer credentials to publish malicious packages. This highlights the need for strong authentication and strict access controls. A defense-in-depth strategy with monitoring and threat detection is vital....
    A recent phishing campaign targeting Ukraine uses malicious SVG files disguised as official government communication. When opened, the SVG file downloads a password-protected archive containing a CHM file, which triggers a chain of malware execution via HTA CountLoader....
    We recently observed GhostNFC/NGate-style Android malware being advertised and distributed via multiple Chinese-language Telegram channels. The malware is delivered as an APK file hosted on external servers, bypassing the Google Play Store. Ongoing analysis continues to reveal new samples and indicators linked to this threat....
    Our team identified an ongoing campaign, active since 2022, targeting telecommunications and manufacturing sectors in Central and South Asia, delivering a new PlugX variant. This variant shares features with both RainyDay and Turian backdoors, including DLL sideloading via legitimate apps and the XOR-RC4-RtlDecompressBuffer encryption technique....
    During its incident response efforts, determined that cyber threat actors infiltrated the agency’s network on July 11, 2024, by exploiting a critical vulnerability—CVE-2024-36401 [CWE-95: “Eval Injection”]—in a public-facing GeoServer instance (referred to as GeoServer 1)....
    In March 2025, we identified an SEO poisoning campaign, likely operated by a Chinese-speaking threat actor, dubbed “Operation Rewrite.” This activity cluster, tracked as CL-UNK-1037, overlaps with known campaigns like “Group 9” and “DragonRank.” Attackers used a malicious IIS module called BadIIS to hijack web traffic via compromised servers....
    Since April 2025, we've observed a surge in email phishing targeting Japanese speakers. These campaigns impersonate companies like Amazon, Apple, and Japan Airlines. Emails often appear as fake purchase notices or safety alerts with convincing phishing links. Early attacks included fake Amazon CAPTCHA pages to steal user credentials....
    As of mid-September 2025, GOLD SALEM has named 60 victims, placing it mid-tier among active ransomware groups. Its targets range from small entities to major multinational firms across North America, Europe, and South America. Consistent with typical ransomware behavior, the group has mostly avoided victims in China and Russia....
    Cyber threat actors exploited Ivanti EPMM systems by chaining two vulnerabilities—CVE-2025-4427 (authentication bypass) and CVE-2025-4428 (code injection)—to gain initial access. Around May 15, 2025, they targeted the /mifs/rs/api/v2/ endpoint using crafted HTTP GET requests and the ?format= parameter to execute remote commands....
    The Clickfix HijackLoader phishing campaign highlights the growing threat of attack loaders in modern cyberattacks. Since mid-2025, attackers have used Clickfix to trick victims into downloading malicious .msi installers, leading to the execution of HijackLoader—a sophisticated Malware-as-a-Service tool....