Threat Research

    Researcher assesses UAT-7810 as a China-nexus APT that provides infrastructure support to other China-aligned threat actors, including UAT-5918. The group continues to enhance its custom malware ecosystem with LONGLEASH, DOGLEASH(shellcode-executing backdoor), LEASHTEST, and the Java-based JARLEASH backdoor....
    A financially motivated Vidar Stealer MaaS affiliate conducted a large-scale malvertising campaign targeting users in the U.S. and European Union with fake cracked software downloads....
    Since May 2026, a suspected China-aligned threat cluster named UNK_MassTraction has targeted Roundcube mailservers. The campaign specifically targets physics and engineering departments at US and Canadian universities. High-value targets include entities with national security ties or those studying astrophysics and particle physics....
    Millenium RAT v4 is a C++-based Remote Access Trojan (RAT) offered as a Malware-as-a-Service (MaaS) by the developer ShinyEnigma and actively deployed by the Y2K Operators threat cluster....
    Researchers identified a social engineering campaign impersonating the Indian Income Tax Department to deliver the ValleyRat Remote Access Trojan (RAT) through a multi-stage infection chain involving a malicious VHDX, DLL SideLoading, and encrypted in-memory payload execution....
    Salat Stealer is a stealthy, Go-based infostealer designed to compromise systems and extract data. It performs deep reconnaissance, profiling hardware, active processes, and environmental attributes. Moving beyond standard theft, it enables live desktop streaming and webcam/microphone monitoring....
    Researchers identified a large network of pirated sports streaming websites exploiting the popularity of the FIFA World Cup through mirror domains, cloud-hosted infrastructure, and domain rotation techniques to evade takedowns. The campaign also distributes fake Stremio installers (APK/EXE) and VPN-themed lures, exposing users to malware, scams, and affiliate-driven downloads....
    TeamPCP is a financially motivated cybercriminal group responsible for large-scale software supply chain attacks targeting trusted developer and security tools, including Trivy, KICS, LiteLLM, and the Telnyx Python SDK. By injecting malicious code into legitimate packages, the group deployed credential stealers, persistent backdoors, and self-propagating malware....
    Threat Discovery: A new phishing campaign has been uncovered, tied to an APT group dubbed Armored Likho (also known as Eagle Werewolf). Target Sectors: This targeted campaign focuses heavily on government agencies and the electric power sector. Global Footprint: The attacks span Russia, Brazil, and Kazakhstan, establishing the group as a global threat actor....
    We are tracking a 28-day Malware-as-a-Service (MaaS) campaign abusing the Polygon blockchain for resilient C2 configuration. The attack utilizes a ClickFix lure, with over 130 compromised websites detected so far. Injected with a "JokerStat Analytics Tracker" script, compromised sites exfiltrate screenshots and session telemetry every 2 minutes....
    Just as human users can be socially engineered through phishing, AI agents are also susceptible to similar attacks. Threat actors are leveraging Indirect Prompt Injection (IPI) to embed hidden malicious instructions into websites, including those impersonating payment services and cryptocurrency platforms, to manipulate AI agents during task execution....
    In May 2026, Threat Labs detected an Ousaban banking Trojan campaign targeting Spain and Portugal. The malware, historically active in Brazil, is delivered using a malicious MSI downloader. Phishing PDFs trick victims into visiting a webpage that scans their geographic location. If the user is in the target region, the site downloads an initial VBS script....
    ARToken is a sophisticated Phishing-as-a-Service (PhaaS) platform closely linked to the EvilTokens ecosystem, providing affiliates with a comprehensive toolkit for Microsoft 365 account compromise....
    A malicious campaign is distributing a fake Google Notes browser extension that silently steals cryptocurrency by replacing copied wallet addresses with attacker-controlled ones during transactions....
    A scam campaign is using 2026 FIFA World Cup "Champion Reward" survey lures to steal PII and payment card details. The phishing emails are sent from `adfluxi[.]com`, pass authentication, and have no official affiliation with FIFA. Malicious URLs detect sandboxes and non-US visitors, actively redirecting them to harmless decoy sites....
    Looking for Something?
    Threat Research Categories:
    Tags