Threat Research

    Operation Olalampo is a 2026 cyber campaign attributed with high confidence to the Iranian APT group MuddyWater, targeting organizations and individuals primarily across the MENA region. The operation deployed new malware variants that maintain technical overlap with the group’s historical tooling, including one strain that used a Telegram bot for command-and-control (C2)....
    Labs have uncovered targeted phishing campaigns in Taiwan that exploit local business workflows. The attacks deliver Winos 4.0 (ValleyRat) and additional malicious plugins through weaponized attachments and embedded links. Lures impersonate official communications, including tax audit notices, tax software installers, and cloud e-invoice downloads....
    Researchers identified a new malware-as-a-service (MaaS) posing as a legitimate remote monitoring and management (RMM) tool called TrustConnect. Its so-called business website—likely auto-generated—actually serves as the login portal for the malware platform....
    VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731) details active exploitation of a pre-authentication RCE flaw in BeyondTrust Remote Support software that enables attackers to execute OS-level commands and fully compromise affected systems....
    Divide and Conquer: How the New Keenadu Backdoor Exposed Links Between Major Android Botnets outlines the discovery of Keenadu, a firmware-level Android backdoor embedded during the build process via a malicious library linked to libandroid_runtime.so....
    Two critical zero-day vulnerabilities, CVE-2026-1281 and CVE-2026-1340, affect Ivanti Endpoint Manager Mobile (EPMM) and are being actively exploited in the wild against enterprise mobile fleets and corporate networks. The flaws allow unauthenticated remote code execution on affected servers....
    A large-scale spam campaign abused Atlassian Cloud’s trusted domain to distribute multilingual phishing emails targeting government and corporate entities....
    During analysis of compromised Dell RecoverPoint for Virtual Machines systems, BRICKSTORM binaries were identified that were later replaced by GRIMBOLT in September 2025. GRIMBOLT is a C# foothold backdoor built with Native AOT compilation and packed using UPX....
    SyncFuture Espionage Targeted Campaign (Blackmoon Malware) is a highly targeted cyber-espionage operation affecting users and organizations in India, leveraging phishing emails that impersonate the Indian Income Tax Department to initiate a multi-stage infection chain....
    This detection identifies when a legitimate Windows system executable, normally found in the system directory, is launched from an unusual or unexpected location....
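    The check summarised above, as an added example that is not the page's own detection content: a small Python rule run over constructed process-creation events (field names mimic Sysmon Event ID 1, but the events are not real telemetry). The binary list, the expected-directory set and the function names are assumptions for the example; a production rule would baseline them from the environment. The example goes slightly beyond the one-sentence summary by normalising paths first, so that mixed case, forward slashes and `..` segments do not evade the comparison, while a trailing-space directory such as `C:\Windows \System32` still trips it.

```python
"""
Added example: flag a known Windows system executable launched from a directory
other than the ones it normally lives in. Not the original post's rule.
"""
import ntpath

# Executables that legitimately live only in the Windows system directories.
# Assumed list for the example; baseline it per environment in practice.
SYSTEM_BINARIES = {
    "svchost.exe", "rundll32.exe", "regsvr32.exe", "lsass.exe",
    "csrss.exe", "winlogon.exe", "explorer.exe", "mshta.exe",
}

# Where those binaries are expected. explorer.exe lives in the Windows root,
# so the root is included alongside System32 and SysWOW64. Assumed for the
# example; derive from %SystemRoot% on real hosts.
EXPECTED_DIRS = {
    r"c:\windows",
    r"c:\windows\system32",
    r"c:\windows\syswow64",
}


def normalize(path: str) -> str:
    """Collapse separators and '..' segments, then lower-case.

    ntpath works on any OS, so the rule also runs in a Linux-hosted SIEM.
    A trailing space in a component ("Windows ") is preserved, which is what
    exposes the mock-directory trick.
    """
    return ntpath.normpath(path).lower()


def is_suspicious_location(image: str) -> bool:
    """True when the image name is a system binary but its parent directory
    is not one of the expected system directories."""
    directory, name = ntpath.split(normalize(image))
    if name not in SYSTEM_BINARIES:
        return False
    return directory not in EXPECTED_DIRS


def detect(events):
    """Return the events whose Image field trips the rule."""
    return [e for e in events if is_suspicious_location(e["Image"])]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},          # benign
    {"EventID": 1, "Image": r"C:\Users\Public\svchost.exe",
     "ParentImage": r"C:\Users\alice\Downloads\setup.exe"},        # flagged
    {"EventID": 1, "Image": "C:/Windows/Temp/../SysWOW64/rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},                   # benign after normalisation
    {"EventID": 1, "Image": r"C:\Windows \System32\lsass.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},               # flagged: trailing-space directory
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},          # benign: root is expected
    {"EventID": 1, "Image": r"C:\Program Files\Vendor\app.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},                   # not a system binary, ignored
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("suspicious:", hit["Image"], "parent:", hit["ParentImage"])
```

    The rule keys on the file name, so a system binary that has been copied and renamed (for example `svchost.exe` dropped as `update.exe`) is out of scope here; pairing this check with a comparison of the PE `OriginalFileName` field against the on-disk name covers that case.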
    A malicious campaign is distributing proxyware disguised as a legitimate Notepad++ or cracked software installer through deceptive download sites and ads. In this proxyjacking attack, the malware secretly installs proxyware on victims’ systems to hijack their network bandwidth for profit....
    Osiris ransomware is a modern, enterprise-focused threat that conducts targeted intrusions involving deep network compromise, data exfiltration, and double-extortion tactics before encrypting victim systems....
    The Chrome extension “Chrome MCP Server - AI Browser Control” operates as a browser-based Remote Access Trojan (RAT). It is disguised as an AI automation tool and falsely claims that all processing is 100% local. Once enabled, it connects via WebSocket to a live C2 server....
    The report highlights a rise in model extraction (“distillation”) attacks aimed at stealing proprietary AI logic, alongside the growing integration of generative AI into real-world threat operations....
    XWorm v7 RAT is a modular, malware-as-a-service Remote Access Trojan active since 2022, widely adopted by cybercriminals for its ease of deployment and extensive post-compromise capabilities....