Threat Research

Our team uncovered a malicious website impersonating Disney+, used to deliver the Vidar infostealer malware. The site posed as an influencer collaboration portal, luring users into executing malware hosted on a WebDAV server....

A new Chaos ransomware group is carrying out double extortion attacks using spam, social engineering, and remote tools. Their ransomware is fast, stealthy, and hits both local and network systems. Though sharing a name with older variants, this group is likely unrelated and may include ex-BlackSuit (Royal) members....

In June 2025, two cyberattack campaigns—Operation GhostChat and Operation PhantomPrayers—targeted the Tibetan community, exploiting increased online activity surrounding the Dalai Lama's 90th birthday. Threat actors linked to a China-nexus APT group compromised a legitimate website to redirect users via malicious links....

After being taken down in May, Lumma Stealer quickly resurfaced. Between June and July, attacks surged again, now using stealthier delivery channels and evasion techniques. This malware can extract sensitive data like credentials and private files, and its availability as malware-as-a-service (MaaS) makes it accessible even to low-skilled attackers....

Interlock ransomware, active since late September 2024, targets businesses and infrastructure in North America and Europe with financially driven attacks. The FBI notes its use of encryptors for both Windows and Linux, often impacting virtual machines. Initial access methods include drive-by downloads from compromised sites and the ClickFix social engineering tactic....

CVE-2025-53770 and CVE-2025-53771 impact on-premise Microsoft SharePoint Servers, enabling malicious file uploads and cryptographic key theft. These evolved from earlier flaws (CVE-2025-49704/49706), where incomplete patches left systems vulnerable to unauthenticated RCE via deserialization and ViewState abuse....

Detects potential exploitation of CVE-2025-53770 by monitoring for indicators like suspicious command-line activity observed during post-exploitation stages. CVE-2025-53770 is a zero-day vulnerability in SharePoint that enables remote code execution....

Active exploitation of Microsoft SharePoint vulnerabilities CVE-2025-49704 and CVE-2025-49706 has been observed. These flaws allow unauthenticated attackers to bypass restrictions and, when chained, can lead to arbitrary command execution on affected SharePoint Server 2016 and 2019 systems....

In late June, a phishing campaign targeted Russian healthcare and IT organizations using compromised email accounts from legitimate sources. The attacks were attributed to the Rainbow Hyena cluster, which deployed a new custom-built backdoor named PhantomRemote....

In early February 2025, a phishing campaign targeting Ukrainian entities used invoice and billing-themed emails containing compressed archives with obfuscated JavaScript files. These files deployed PowerShell downloaders to install SmokeLoader, leveraging the Emmenthal loader....

Detects the execution of a renamed binary commonly used by attackers or malware, using the new Sysmon OriginalFileName data point for identification....

We recently investigated a cluster of VPSs used for Monero mining, linked to updated samples from past H2miner campaigns. H2miner, active since late 2019, is a crypto-mining botnet, while Lcryx (aka Lcrypt0rx) is a VBScript-based ransomware first seen in November 2024....

Between March and June 2025, multiple China-aligned threat actors intensified cyber espionage efforts against Taiwan’s semiconductor industry. Groups such as UNK_FistBump, UNK_DropPitch, and UNK_SparkyCarp launched phishing campaigns delivering tools like Cobalt Strike, the Voldemort backdoor, and AiTM phishing kits....

A new wave of SquidLoader malware is actively targeting financial institutions in Hong Kong. This advanced malware demonstrates strong evasion techniques, showing near-zero detection of VirusTotal during analysis. SquidLoader’s attack chain leads to the deployment of a Cobalt Strike Beacon, enabling remote access and control....

This report examines a recent ransomware attack by the BlackSuit group, a successor to the Royal ransomware family. Known for its hybrid tactics, BlackSuit combines data exfiltration with encryption, using advanced tools like PsExec, Cobalt Strike, RDP, and rclone to execute commands, move laterally, and extract data....