Threat Research

    UAT-8099 is an active threat actor targeting vulnerable Internet Information Services (IIS) servers across Asia, with a strong focus on Thailand and Vietnam from late 2025 to early 2026. The campaign shows significant overlap with the WEBJACK operation, sharing malware hashes, C2 infrastructure, and victimology....
    TA584 stands out in the cybercrime landscape, highlighting the limits of static detection against rapidly evolving threat actors. It operates as a major initial access broker, targeting organizations worldwide. In the second half of 2025, the group significantly modified its attack chains....
    Labs identified a web shell dubbed “EncystPHP” with advanced capabilities such as remote command execution, persistence, and web shell deployment. The attacks began in early December last year and spread through exploitation of the FreePBX vulnerability CVE-2025-64328. The activity is linked to the hacker group INJ3CTOR3, first observed in 2020 targeting CVE-2019-19006....
    Multiple threat actors, including Russia- and China-linked state-sponsored groups as well as financially motivated attackers, are actively exploiting the critical CVE-2025-8088 flaw in WinRAR. The vulnerability, patched in July 2025, allows path traversal to drop malicious files into the Windows Startup folder, enabling persistence and payload delivery....
    We uncovered an attack chain that uses SEO poisoning to lure users searching for legitimate software. Threat actors abuse GitHub by hosting malicious ZIP files in fake repositories. These archives impersonate real applications and include a harmful batch (.bat) file....
    PeckBirdy is a JavaScript-based command-and-control framework used by China-aligned APT actors since 2023. It is designed for cross-environment execution, enabling flexible and scalable deployment. Two modular backdoors, HOLODONUT and MKDOOR, extend its capabilities beyond the core framework....
    A software supply chain attack targeted users of EmEditor by distributing a compromised installer that delivered multistage information-stealing malware. The malicious installer enabled credential theft, data exfiltration, and lateral movement, while delaying execution of malicious behavior to evade early detection....
    Between February and September 2025, multiple credential-harvesting campaigns were attributed to BlueDelta, a Russian state-sponsored threat group linked to the GRU. These operations expand on BlueDelta’s ongoing credential-theft activity previously documented in Insikt Group’s December 2025 report. During 2025, BlueDelta targeted a limited but distinct set of victims....
    A short-lived infostealer campaign active in mid-January 2026 targeted users through spoofed software installers packaged in consistently structured ZIP archives. The operation is identifiable by a unique behavioral hash and abuses a trusted executable to sideload a malicious payload, ultimately executing secondary-stage infostealers....
    VoidLink is a sophisticated malware framework composed of custom loaders, implants, rootkits, and modular plugins that enable persistent access to Linux systems. It is built to function reliably in cloud and containerized environments, with a strong focus on long-term operations....
    Labs have uncovered a multi-stage malware campaign mainly targeting users in Russia. The attack starts with social engineering via business-themed documents that appear routine and harmless. These files distract victims with fake tasks or status messages while malicious processes run in the background....
    DeadLock is a low-profile ransomware discovered in July 2025 that stands out for operating without known affiliates or a data leak site. Despite limited victim visibility, the group employs an unusual technique by abusing Polygon smart contracts to rotate or distribute proxy server addresses, enabling stealthy and decentralized infrastructure management....
    Evelyn Stealer is a multistage information-stealing campaign that abuses the Visual Studio Code extension ecosystem to compromise software developers....
    We identified phishing emails impersonating financial institutions, framed as alerts about expired W-8BEN tax forms. The attackers rapidly rotate domains to evade detection. Phishing pages use cloaking techniques and remain active only briefly....
    UAT-8837 is a China-nexus threat actor assessed with medium confidence to specialize in gaining initial access to high-value organizations, with a clear focus on critical infrastructure targets in North America since at least 2025....