Threat Research

"Operator Bloopers: Cobalt Strike Commands" refers to the accidental use of Cobalt Strike commands in the CMD shell, which can potentially expose the attacker's activities. These mistakes may lead to detection by security systems and compromise the stealth of the operation....

Web-based credit card skimming remains a persistent and evolving threat. Labs uncovered a campaign called “RolandSkimmer,” targeting users in Bulgaria via malicious browser extensions on Chrome, Edge, and Firefox. The attack begins with a deceptive LNK file that executes obfuscated scripts for persistence....

Earth Alux, an advanced persistent threat (APT) group, employs sophisticated techniques for cyberespionage, primarily using the VARGEIT and COBEACON backdoors. They exploit vulnerable services, implant web shells like GODZILLA, and use methods such as debugger scripts, DLL sideloading, and timestomping to maintain control....

Since late 2024, attackers have used new phishing tactics involving QR codes, including hiding phishing links behind legitimate website redirects. Some also use Cloudflare Turnstile for user verification to evade security crawlers and lure victims to fake login pages. Certain phishing sites appear tailored to specific targets, indicating prior reconnaissance....

The threat actor gained initial access via a fake Zoom installer, deploying d3f@ckloader and IDAT loader to drop SectopRAT. After nine days, SectopRAT delivered Cobalt Strike and Brute Ratel, enabling lateral movement through remote services and RDP. To facilitate RDP movement, the attacker used QDoor, a malware with proxy capabilities....

HijackLoader, a malware loader first discovered in 2023, has been updated with new modules that enhance its evasion tactics. These include call stack spoofing to hide function call origins, anti-VM checks to detect analysis environments, and a module for establishing persistence through scheduled tasks....

Water Gamayun exploits the MSC EvilTwin zero-day (CVE-2025-26633) to compromise systems and steal data using custom payloads and exfiltration techniques. The attack deploys malicious provisioning packages, signed .msi files, and Windows MSC files, leveraging tools like IntelliJ runnerw.exe for execution....

A campaign targeting users in Ukraine is using malicious LNK files, which run a PowerShell downloader. These files are named with Russian words related to troop movements in Ukraine to lure victims. The downloader connects to geo-fenced servers in Russia and Germany to retrieve a second-stage Zip file containing the Remcos backdoor....

In 2021, researchers reported that PJobRAT, an Android RAT first seen in 2019, targeted Indian military personnel by mimicking dating and messaging apps. Since then, little has been reported—until a recent threat hunt uncovered a now-concluded campaign targeting users in Taiwan....

The blog highlights how malware creators exploit popular trends, such as "AI" and "DeepSeek," to deceive unsuspecting users into downloading malicious software. By manipulating search engine optimization (SEO) and using trending keywords, cybercriminals boost the visibility of malicious sites....

"CoffeeLoader: A Brew of Stealthy Techniques" is a sophisticated malware loader designed to deploy secondary payloads while evading detection by endpoint security software. It employs advanced techniques such as call stack spoofing, sleep obfuscation, and Windows fibers to avoid analysis....

DragonForce ransomware is a malicious program that encrypts files on compromised systems and demands a cryptocurrency ransom, typically in Bitcoin, for decryption. It spreads through phishing emails, malicious websites, and system vulnerabilities. While it shares similarities with other ransomware variants, DragonForce exhibits distinct features and behaviors....

"New Android Malware Campaigns Evading Detection Using Cross-Platform Framework .NET MAUI" discusses how cybercriminals are exploiting the .NET MAUI framework to create malware that bypasses security measures. These threats disguise themselves as legitimate apps to steal sensitive information....

Trend Research uncovered a campaign by the Russian threat actor Water Gamayun exploiting a zero-day in the Microsoft Management Console (CVE-2025-26633). The attack manipulates .msc files and MUIPath to execute malicious code, maintain persistence, and steal data. This threat poses significant risks to enterprises, potentially leading to data breaches and financial losses....

"Cyber Threat Hunting in Healthcare, File Infectors, Botnets" expands on the initial investigation into Silver Fox, a Chinese threat actor abusing Philips DICOM viewers to deploy a backdoor trojan....