Threat Research

XWorm v7 RAT is a modular, malware-as-a-service Remote Access Trojan active since 2022, widely adopted by cybercriminals for its ease of deployment and extensive post-compromise capabilities....

GuLoader (also known as CloudEye) is a highly obfuscated malware family first identified in December 2019. It primarily functions as a downloader for Remote Access Trojans (RATs) and information stealers. Threat actors often host its payloads on legitimate platforms like Google Drive and OneDrive to evade detection....

XWorm is a multi-functional Remote Access Trojan (RAT) first identified in 2022 and still actively distributed, including via Telegram marketplaces. Once installed, it grants attackers full remote control over compromised Windows systems. This campaign uses phishing emails with social engineering tactics to trick recipients into opening a malicious attachment....

A Peek Into Muddled Libra’s Operational Playbook examines a September 2025 intrusion in which the cybercrime group Muddled Libra (aka Scattered Spider/UNC3944) deployed a rogue VM after compromising a VMware vSphere environment....

North Korean threat actors continue to refine their tactics to target cryptocurrency and DeFi organizations. A recent investigation examined an intrusion against a FinTech entity in this sector. The activity was attributed to UNC1069, a financially motivated threat actor active since at least 2018....

Stan Ghouls (also known as Bloody Wolf) is a cybercriminal group active since at least 2023, conducting highly targeted campaigns primarily against manufacturing, finance, and IT organizations across Russia and Central Asia....

Knife Cutting the Edge details DKnife, a China-nexus, Linux-based adversary-in-the-middle (AitM) gateway framework active since at least 2019 that compromises routers and edge devices to inspect and manipulate network traffic and deliver malware....

The Threat Analysis reports examine emerging threats and offer practical guidance for mitigating them. In this report, Security Services analyzes a fake installer attack recently observed multiple times. The investigation uncovered findings not previously documented and revealed new threat intelligence....

The Shadow Campaigns reveal a highly sophisticated, state-aligned cyberespionage group tracked as TGR-STA-1030, assessed to operate out of Asia and responsible for extensive compromises of government and critical infrastructure organizations worldwide....

Labz identified Marco Stealer in June 2025 as an information stealer targeting browser data, crypto wallets, and sensitive local and cloud files. It profiles infected systems by collecting hardware IDs, OS versions, IP addresses, and geolocation details. The malware uses named pipes to coordinate communication between its internal components....

APT28, a Russian state-sponsored threat group also known as Fancy Bear or UAC-0001, is conducting a sophisticated espionage campaign against European military and government entities. The operation primarily targets maritime and transportation organizations in Poland, Slovenia, Turkey, Greece, the UAE, and Ukraine....

Rublevka Team is a large-scale, affiliate-driven crypto-theft operation active since 2023 that has generated over $10 million by luring victims with fake promotions or airdrops and tricking them into signing wallet-draining transactions....

The Notepad++ supply chain attack exploited a compromised update infrastructure to deliver malicious updates through multiple, constantly rotating execution chains, C2 servers, and payloads....

ClickFix-based campaigns have employed a rotating set of commands for clipboard-injected content. In late December 2025, the KongTuke campaign incorporated DNS TXT records within its ClickFix text. These campaigns regularly shift between ClickFix techniques, including the finger protocol and mshta....

ShadowHS is a stealth-focused, fileless Linux intrusion framework derived from the original hackshell utility and designed for long-term, interactive operator control. It executes entirely in memory using a highly obfuscated loader, leaving no disk artifacts while prioritizing host fingerprinting, defensive evasion, and operator safety before enabling higher-risk actions....