Threat Research

    Webworm, a China-aligned APT group, has evolved its operations by shifting from traditional malware families toward stealthier custom tools and proxy-based techniques. In 2025, the group introduced new backdoors such as EchoCreep and GraphWorm, which abuse trusted platforms like Discord and Microsoft Graph API for command-and-control communication....
    A Russian-speaking threat actor known as “bandcampro” operated a MAGA-themed Telegram channel (@americanpatriotus, ~17,000 subscribers) for five years before shifting to AI-driven fraud and credential theft in September 2025....
    A large-scale CountLoader campaign was observed using heavily obfuscated, multi-stage infection chains involving PowerShell, JavaScript executed through mshta.exe, and in-memory shellcode injection to evade detection and maintain persistence....
    This campaign demonstrates how ClickFix-style social engineering continues to evolve through abuse of legitimate Windows tooling and user-assisted execution workflows....
    In recent years, the threat landscape has shifted as info stealers and keyloggers become dominant malware payloads. Whether acting alone or as loaders for broader attacks, these tools efficiently harvest sensitive data. VIP Keylogger exemplifies this threat, leveraging phishing and evasion tactics to bypass security controls....
    The team has been tracking a large-scale extortion campaign by UNC6671, operating under the “BlackFile” brand. The group targets organizations using advanced voice phishing (vishing) and single sign-on (SSO) compromise techniques. By applying adversary-in-the-middle (AiTM) methods, UNC6671 bypasses traditional defenses and multi-factor authentication (MFA)....
    Threat actors continue to abuse MSHTA (mshta.exe), a legacy Windows utility and Living-off-the-Land binary (LOLBIN), to execute malicious VBScript and JavaScript code while blending into legitimate system activity....
    Threat actors are actively exploiting multiple vulnerabilities affecting Cisco Catalyst SD-WAN products, including the authentication bypass flaw CVE-2026-20182, which allows remote attackers to gain administrative access without authentication....
    An investigation team mapped the full operational model of the "Banana RAT" banking trojan. Attributed to the threat cluster SHADOW-WATER-063, the malware targets Brazilian financial institutions. MDR reconstructed the entire attack chain by correlating server tooling and client payloads....
    Steganography is rapidly gaining traction in the threat landscape. Instead of relying on direct encrypted transfers, attackers are increasingly hiding next-stage payloads inside everyday media files....
    Gremlin Stealer is an evolving infostealer malware that uses advanced obfuscation techniques, including embedded resource concealment and commercial packers with instruction virtualization, to evade detection and analysis....
    Our research examined the April 22 Checkmarx KICS and April 24 elementary-data incidents as part of a broader TeamPCP supply chain campaign involving at least seven confirmed waves. The KICS attack used multichannel poisoning across Docker Hub, VS Code/OpenVSX, and GitHub Actions, later enabling the hijack of @bitwarden/cli through stolen npm tokens....
    In Q1 2026, an Iran-linked espionage campaign targeted at least nine organizations across four continents, affecting sectors such as manufacturing, education, finance, government, and professional services....
    This campaign involves a trojanized version of the legitimate HWMonitor application used to deliver the STX RAT malware. The attackers leveraged DLL sideloading to execute malicious payloads through trusted binaries, helping evade detection....
    CVE-2026-41940 is a severe authentication bypass flaw (CVSS score: 9.8) impacting cPanel and WHM. The vulnerability allows remote attackers to circumvent the authentication mechanism and obtain unauthorized access without requiring legitimate credentials....