Threat Research

    A sophisticated phishing campaign targeting Indian entities has been attributed to the Chinese Silver Fox APT. The attackers used highly convincing Income Tax–themed lures to deliver malware through a complex kill chain involving DLL hijacking and the modular Valley RAT, enabling long-term persistence....
    UAC-0184, also known as Hive0156, is a Russia-aligned threat actor that conducts cyber operations against Ukraine using commercially available malware and lure documents. The group primarily targets Ukrainian military personnel by distributing weaponized LNK files or PowerShell scripts that result in Remcos malware infections....
    Over 90 days of honeypot monitoring, industrial routers emerged as the most targeted OT assets, accounting for 67% of attacks, mainly through SSH/Telnet brute force and HTTP-based exploitation....
    Identifies the execution of curl.exe using the file:// protocol to access and read local files....
    Researchers identified multiple attack campaigns abusing a GeoServer remote code execution flaw (CVE-2024-36401). The attackers indiscriminately scan the internet for exposed and vulnerable GeoServer instances. After gaining access, they install XMRig-based cryptocurrency miners on compromised servers....
    The Evasive Panda APT group conducted highly targeted campaigns between November 2022 and November 2024, abusing poisoned DNS responses to deliver its MgBot malware. The attackers leveraged adversary-in-the-middle (AitM) techniques to fetch encrypted malware components from attacker-controlled servers based on victim-specific DNS requests....
    Matanbuchus is a C++-based malicious downloader offered as Malware-as-a-Service since 2020. It has evolved through multiple development stages, with version 3.0 observed in the wild in July 2025. The malware allows attackers to deploy additional payloads and execute hands-on keyboard activity via shell commands....
    A recent phishing campaign targeting Indian businesses leverages Income Tax Return (ITR)–related themes to appear legitimate and trustworthy. Attackers impersonate the Indian Income Tax Department (ITD) by sending fake “Tax Compliance Review Notice” emails, exploiting public concern around refund timelines....
    Multiple threat groups are deploying a variety of malware to compromise hosts and networks, with CastleRAT emerging as one of the latest payloads observed this year. First identified around March 2025, CastleRAT is a Remote Access Trojan available in two primary variants: a Python-based version and a compiled C version....
    North Korean state-sponsored threat actors, including Lazarus and Kimsuky, continue to operate at a global scale, conducting espionage, financial crime, and access-driven attacks. While their malware, lures, and objectives evolve, these groups consistently reuse infrastructure such as IP addresses, certificates, open directories, and shared tooling....
    Our labs are tracking a sophisticated commodity loader used by multiple advanced threat actors. The campaign shows strong regional and sector focus, targeting Manufacturing and Government entities. Affected regions include Italy, Finland, and Saudi Arabia. Attackers use multiple infection vectors, such as weaponized Office files, malicious SVGs, and ZIPs with LNK shortcuts....
    Operation highlights how the Chinese-linked threat actor Ink Dragon is expanding and refining its cyber-espionage campaigns. The group has shifted increased attention toward European government targets while maintaining activity in Southeast Asia and South America....
    Identifies cases where the ArcGIS Server process (ArcSOC.exe), responsible for hosting REST services, creates files with suspicious types that may indicate executables, scripts, or other anomalous files....
    A renewed RTO/e-Challan phishing wave is actively targeting Indian vehicle owners through SMS-based lures that link to fake, browser-based portals mimicking official government services....
    Amadey is a malware loader active since 2018, commonly used to deploy second-stage payloads and infostealers. Historically, it has distributed payloads via GitHub repositories. Recent activity reveals a new campaign abusing a compromised, self-hosted GitLab instance to deliver the StealC infostealer....