Threat Research

A threat campaign has published over 200 malicious packages to NPM, using names like “huggingface-cli,” “webflow,” and “codeium.” These packages pose as a new AI coding agent called “Stardrop,” which gives the campaign its name. Detection began on April 9, with an average of 40+ new packages appearing daily....

This malware campaign attackers distribute an infostealer by impersonating a legitimate OpenClaw AI tool. It leverages a ClickFix social engineering technique, tricking users into manually executing malicious commands, thereby bypassing browser security protections....

A watering hole attack compromised the official CPUID website, replacing legitimate download links for popular tools like CPU-Z and HWMonitor with malicious versions....

The Graphalgo campaign has resurfaced with more sophisticated tactics, using fake companies and GitHub organizations to create legitimacy for fraudulent job offers targeting developers. Victims are lured through coding tasks that include malicious dependencies from platforms like npm or PyPI, which execute during setup to deliver a remote access trojan (RAT)....

Detects the Windows execution chain and process tree tied to the Axios NPM supply chain attack. On March 30, 2026, malicious versions (1.14.1 and 0.30.4) were published to npm. These versions injected a dependency (plain-crypto-js@4.2.1) that ran a postinstall RAT dropper....

A malware campaign used a fake Adobe Acrobat Reader download to trick users into installing the legitimate ScreenConnect remote access tool for malicious purposes. The attack chain relies on heavy obfuscation and fileless techniques, including VBScript loaders, .NET reflection, and in-memory execution, to evade detection....

BlankGrabber is a Python-based information stealer designed to extract sensitive data such as browser credentials, session tokens, and system details. Discovered in 2023 by security researchers, it is known for its modular design and fast evolution to evade detection. The malware is commonly spread through social engineering and phishing campaigns....

Active phishing kit impersonates a national postal service e-commerce platform, mimicking four storefronts (unifone, masterfone, newphone, dogabilisim). We call this kit “Montana Empire,” based on a phrase found in its admin panel....

A threat cluster tracked as UAT-10362 APT is conducting spear-phishing campaigns targeting Taiwanese NGOs and academic institutions, delivering a newly identified malware family called LucidRook. The malware uses a DLL-based stager embedding Lua and Rust components to execute staged payloads, with region-specific checks to target Traditional Chinese environments....

SURXRAT abuses Android accessibility services to perform malicious actions such as keylogging, screen capture, and OTP interception. By using legitimate cloud services, the malware blends in with normal traffic, making detection more difficult. SURXRAT can remotely execute commands, exfiltrate sensitive data, and maintain persistent access to infected devices....

Masjesu is a commercially operated IoT botnet active since 2023, offering DDoS-for-hire services through Telegram. It targets a wide range of routers and embedded devices across multiple architectures, using vulnerability exploitation and scanning for propagation....

Iran-linked advanced persistent threat (APT) actors are exploiting internet-facing operational technology (OT) devices, including Rockwell/Allen-Bradley PLCs. Their actions have disrupted PLC operations across multiple U.S. critical infrastructure sectors. Attacks involve tampering with project files and altering data on HMI and SCADA systems....

A newly identified malware called CrystalX is being distributed as malware-as-a-service (MaaS) through private Telegram channels, offering multiple subscription tiers to cybercriminals....

Researchers uncovered an Android rootkit campaign called Operation Novoice targeting older vulnerabilities (2016–2021). Devices with security patches from May 2021 onward are protected from known exploits. However, even patched devices may have been exposed to unknown payloads via malicious apps. These apps, disguised as tools or games on Google Play, appeared normal to users....

Endpoint Detection and Response (EDR) tools are more advanced than traditional antivirus and are widely used today. Attackers deploy EDR killers to bypass or disable these defenses, limiting visibility into system activity. As detection improves, attackers increasingly target security layers early in the attack lifecycle....