Threat Research

    UAT-7237 is a Chinese-speaking APT group active since at least 2022, with strong links to UAT-5918. It recently targeted web infrastructure entities in Taiwan, using heavily customized open-source tools to evade detection and maintain long-term persistence in high-value environments....
    Dodi Repacks is a site known for distributing pirated games. It has a reputation for being safe or trustworthy on several piracy forums, where users frequently claim that using an adblocker like uBlock Origin ensures a secure experience. To test this assertion, a team attempted to download a game crack from the site with uBlock Origin enabled in the browser....
    A malicious campaign has been discovered using the fake domain ‘telegrampremium[.]app’ to impersonate the official Telegram Premium platform. The site delivers a file named ‘start.exe’ that contains a new variant of the Lumma Stealer malware. This sophisticated trojan can steal browser credentials, cryptocurrency wallet data, and system information....
    An ongoing 2025 malvertising campaign is delivering a multi-stage malware framework dubbed PS1Bot, developed using PowerShell and C#. The malware supports in-memory execution, persistence, and modular capabilities including info-stealing, keylogging, and screen capturing. It minimizes forensic artifacts by avoiding disk writes....
    The article analyzes CVE-2025-32433, a critical unauthenticated remote code execution (RCE) vulnerability in the SSH daemon of Erlang/OTP, widely used in critical infrastructure and operational technology (OT) networks. The flaw allows attackers to send unauthorized SSH protocol messages to execute commands without authentication....
    A recent ransomware attack revealed distinct tactics by the BlackSuit group, believed to be a rebrand of Royal, which evolved from Conti. They used tools like Cobalt Strike, rclone, RDP, psexec, and vssadmin in a multi-stage operation targeting data exfiltration and encryption. BlackSuit uniquely exfiltrates and deletes some data before encryption to speed up the process....
    RedHook is a sophisticated Android banking trojan targeting Vietnamese users via fake government and financial websites. It uses WebSocket to connect to its command server and supports over 30 remote commands for full device control. Likely developed by a Chinese-speaking group, it remains stealthy with low antivirus detection....
    On July 19, researchers detected a surge of HTTP probes aimed at Rejetto HTTP File Server (HFS) 2.x systems, revealing a coordinated spray-and-pray campaign exploiting a critical unauthenticated server-side template injection (SSTI) vulnerability (CVE-2024-23692, CVSS 9.8) that permits arbitrary command execution via a single crafted request....
    In early July 2025, a new variant of the DarkCloud malware campaign was detected. This latest attack began with a phishing email containing a malicious RAR archive attachment. DarkCloud, first identified in 2022, is a stealthy Windows-based information stealer designed to harvest sensitive data such as login credentials, financial details, and contacts....
    Researchers recently identified changes in DarkCloud Stealer’s distribution and obfuscation techniques, first observed in April 2025. These methods include a new infection chain with ConfuserEx obfuscation and a final payload written in Visual Basic 6 (VB6). Previous attacks linked to DarkCloud Stealer also used AutoIt for evasion, detailed in our earlier report....
    Detects the exploitation of SharePoint servers through ToolShell CVE-2025-53770. The previous related CVEs are CVE-2025-49706 and CVE-2025-49704. CVE-2025-53770 introduces a new and stealthy webshell, known as SharpyShell, which extracts and leaks cryptographic secrets from the SharePoint server via a basic GET request....
    Tracks ToolShell exploitation activity targeting SharePoint servers, including updated IOCs linked to CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771. Observed threat actors: Linen Typhoon, Violet Typhoon, and Storm-2603....
    "Project AK47: Uncovering a Link to the SharePoint Vulnerability Attacks" details the connection between a threat activity cluster tracked as CL-CRI-1040 and recent exploitation of SharePoint vulnerabilities. This cluster deploys a toolset named Project AK47, which includes a backdoor, ransomware, and loaders....
    Bumblebee malware has been used for initial access since 2021, with SEO poisoning reported as a delivery method in 2023. In 2025, campaigns impersonating IT tools delivered trojanized software, leading to Bumblebee infections and Akira ransomware deployment. Threat actors leveraged this access to move laterally, steal credentials, install persistent tools, and exfiltrate data....
    A new Android malware campaign targets Hindi-speaking users in India by impersonating popular banking apps. Spread via phishing websites, it steals personal and financial data and secretly mines Monero cryptocurrency using XMRig, triggered by Firebase Cloud Messaging....