Threat Research

    FortiBleed refers to the exposure and abuse of leaked credentials associated with approximately 74,000 internet-facing Fortinet devices, including FortiGate firewalls and SSL VPN gateways....
    Threat actors are leveraging AI-generated deepfake audio and video hosted on legitimate SaaS and content delivery platforms to conduct phishing campaigns targeting social media users....
    Analysis of the Mastra npm supply chain compromise revealed that attackers abused a trusted package ecosystem by introducing a malicious postinstall payload through a typosquatted dependency named easy-day-js....
    Researchers analyzed the robust EDR-killing toolset of the prominent ransomware gang Gentlemen. Since early 2026, the group has become one of the most active threats in the ecosystem. They stand out by maintaining sophisticated tools designed to disrupt security software. Unlike peers, Gentlemen targets Southeast Asia, South America, and Western Europe over the US....
    In March 2026, ThreatLabz detected multiple malicious typosquatting domains built using AI website generators. Cybercriminals are using these tools to rapidly scale convincing lures, ranging from simple credential harvesting to ClickFix campaigns delivering Remote Access Trojans (RATs)....
    Researchers identified a cryptocurrency clipper malware that spreads through malicious .LNK shortcut files and propagates like a worm via removable drives. It launches a bundled Tor client and communicates with hidden .onion C2 servers through a local SOCKS5 proxy (localhost:9050) to evade detection....
    A malicious PyPI package masquerading as an AI assistant, myra-ai-assistant, was found to contain TITAN, a Python-based infostealer that uses OCR-driven screen monitoring to capture sensitive information such as login pages, emails, IDE sessions, and financial transactions....
    ErrTraffic is a Malware-as-a-Service (MaaS) framework used to distribute malware through ClickFix social engineering lures embedded in compromised WordPress websites. The framework incorporates a Traffic Distribution System (TDS) and uses EtherHiding to conceal its command-and-control infrastructure within the blockchain....
    Researchers found two new Windows variants of the SprySOCKS backdoor, previously known only on Linux. Linked to the Chinese group FishMonger (I-SOON), it actively targeted government entities between 2023 and 2024. Telemetry confirmed victims across Honduras, Taiwan, Thailand, and Pakistan....
    Researchers discovered dozens of malicious wallpapers on Steam Workshop that abused Wallpaper Engine's Application Wallpaper feature to execute malware on users' PCs. The campaign distributed threats such as DarkKomet backdoors, Lumma and Vidar infostealers, crypto miners, and other credential-stealing malware....
    A PRC-nexus threat actor, UNC6508, targeted North American academic, medical, and military research institutions. The sophisticated campaign remained entirely undetected within target networks for over a year. Attackers initially breached networks by compromising externally facing web applications....
    OceanLotus (APT32) has shifted its focus from broader regional operations to more targeted operations against government entities within Vietnam. Between 2024 and 2026, the group used its SPECTRALVIPER backdoor in a supply-chain attack targeting stock investors and a long-term intrusion against a Vietnamese infrastructure and transport company....
    A threat actor is leveraging AI brand impersonation by registering lookalike .ru domains that mimic DeepSeek, MiniMax, and ChatGPT, complete with cloned branding, AI chat interfaces, and the DeepSeek whale mascot to target Russian-speaking users....
    ShinyHunters exploited the critical zero-day vulnerability CVE-2026-35273 in Oracle PeopleSoft's Environment Management component to compromise organizations, with a strong focus on the higher education sector....
    Since November 2025, the Shai-Hulud V2 campaign has evolved significantly beyond typical software supply chain attacks. Over the last six months, the threat expanded from npm into PyPI and shifted focus from compromised maintainers to CI/CD abuse. The attackers undermined trust in SLSA provenance and OIDC-based publishing workflows without breaking cryptographic guarantees....