Threat Research

APT24, a PRC-nexus linked threat actor, has been running a long-term cyber-espionage campaign that spans three years and leverages BADAUDIO, a highly obfuscated first-stage downloader used to establish persistent access in victim networks....

Researchers are examining an ongoing, multi-stage malware campaign targeting WhatsApp users in Brazil. First detected on September 24, 2025, the operation—identified as STAC3150—uses archive attachments that contain a downloader script responsible for fetching several second-stage components....

Detects changes to NTFS symbolic link settings via fsutil, which may allow remote-to-local or remote-to-remote symlinks that could be abused in attacks....

After an initial drop in activity following the doxxing of its alleged members, Lumma Stealer has recently surged in activity. Researchers observed new adaptive browser-fingerprinting tactics, where the malware uses JavaScript-based data collection and stealthy HTTP communication to gather detailed system, network, hardware, and browser information....

FIN7 has been active since at least 2013, previously targeting sectors such as retail, hospitality, and financial services. The group shifted its monetization strategy from POS malware to big-game-hunting ransomware over time. Although widely analyzed, the malware’s code has changed very little since its early versions....

A highly automated, multi-stage phishing kit has been uncovered impersonating the major Italian IT provider Aruba S.p.A., a company central to Italy’s digital infrastructure. The kit uses CAPTCHA filtering, data pre-filling, and Telegram-based exfiltration to steal credentials and payment information efficiently and stealthily....

UNC1549 often gained initial access by blending targeted social engineering with the use of compromised third-party accounts. Using credentials stolen from vendors or partners, the group took advantage of legitimate trust relationships to enter victim environments....

The Lynx ransomware intrusion began with an RDP login using stolen credentials, quickly followed by lateral movement to a domain controller using a compromised admin account. The attacker created multiple impersonation-style privileged accounts, mapped virtualization systems and file shares, and gathered sensitive data before exfiltrating it via temp.sh....

RoningLoader is a new, advanced loader used in a recent DragonBreath (APT-Q-27) campaign that distributes a modified gh0st RAT through trojanized NSIS installers posing as legitimate apps like Chrome and Microsoft Teams....

We uncovered two linked 2025 malware campaigns that used large-scale brand impersonation to deliver Gh0st RAT variants to Chinese-speaking users. Across these operations, attackers evolved from simple droppers to multi-stage chains abusing legitimate signed software to evade defenses....

Rhadamanthys malware has evolved considerably, showcasing continuous advancements in cybercriminal tactics. Initially discovered in 2022, it began as a sophisticated information stealer targeting credentials, financial data, and system details....

In August 2025, Kraken— a Russian-speaking ransomware group that emerged from the former HelloKitty cartel— conducted big-game hunting and double-extortion attacks. Cisco Talos observed the group exploiting SMB vulnerabilities for initial access, then using Cloudflared for persistence and SSHFS for pre-encryption data exfiltration....

The Agenda ransomware group (Qilin) has been observed deploying Linux-based binaries on Windows hosts using legitimate remote management and file transfer tools. This cross-platform technique evades traditional Windows-focused detections, including many EDR solutions....

APT37, a North Korea–linked threat group, conducted a social engineering campaign masquerading as an academic forum invitation from a South Korean national security think tank. The lure referenced a real event titled “Trump 2.0 Era: Prospects and South Korea’s Response” to gain credibility....

A GLS-themed ClickFix social-engineering campaign in Italy delivered the Remcos RAT by tricking users into manually running malicious commands. ClickFix campaigns have risen over the past year because manual execution helps attackers evade AV, sandbox, and EDR detection....