Threat Research

Multiple threat groups are deploying a variety of malware to compromise hosts and networks, with CastleRAT emerging as one of the latest payloads observed this year. First identified around March 2025, CastleRAT is a Remote Access Trojan available in two primary variants: a Python-based version and a compiled C version....

North Korean state-sponsored threat actors, including Lazarus and Kimsuky, continue to operate at a global scale, conducting espionage, financial crime, and access-driven attacks. While their malware, lures, and objectives evolve, these groups consistently reuse infrastructure such as IP addresses, certificates, open directories, and shared tooling....

Our labs are tracking a sophisticated commodity loader used by multiple advanced threat actors. The campaign shows strong regional and sector focus, targeting Manufacturing and Government entities. Affected regions include Italy, Finland, and Saudi Arabia. Attackers use multiple infection vectors, such as weaponized Office files, malicious SVGs, and ZIPs with LNK shortcuts....

Operation highlights how the Chinese-linked threat actor Ink Dragon is expanding and refining its cyber-espionage campaigns. The group has shifted increased attention toward European government targets while maintaining activity in Southeast Asia and South America....

Identifies cases where the ArcGIS Server process (ArcSOC.exe), responsible for hosting REST services, creates files with suspicious types that may indicate executables, scripts, or other anomalous files....

A renewed RTO/e-Challan phishing wave is actively targeting Indian vehicle owners through SMS-based lures that link to fake, browser-based portals mimicking official government services....

Amadey is a malware loader active since 2018, commonly used to deploy second-stage payloads and infostealers. Historically, it has distributed payloads via GitHub repositories. Recent activity reveals a new campaign abusing a compromised, self-hosted GitLab instance to deliver the StealC infostealer....

SantaStealer is a newly emerging malware-as-a-service infostealer promoted on Telegram and underground forums, with a planned release before the end of 2025. Recently rebranded from BluelineStealer, it is designed to steal credentials, documents, wallets, and application data while operating entirely in memory to evade detection....

Identifies script interpreters, command-line utilities, and other potentially suspicious child processes spawned by ArcSOC.exe. ArcSOC.exe is the process responsible for hosting ArcGIS Server REST services....

LongNosedGoblin is a newly identified China-aligned APT group focused on cyberespionage against governmental institutions in Southeast Asia and Japan. Active since at least September 2023, the group leverages Windows Group Policy to deploy malware and move laterally within compromised networks, while using cloud services like OneDrive and Google Drive for command-and-control....

This campaign has been active since at least September 2025 and leverages multiple web hosting platforms. Instead of harvesting usernames and passwords, the phishing pages employ an alternative approach. An embedded video guides victims to extract authentication tokens from their browser cookies and paste them into a pop-up form under the guise of verification....

BlindEagle launched a spear-phishing campaign targeting a Colombian government agency under the Ministry of Commerce, Industry and Tourism (MCIT), using emails sent from a compromised internal account to bypass security controls....

RansomHouse is a ransomware-as-a-service operation run by the group known as Jolly Scorpius. Recent malware samples show a major upgrade in the group’s encryption capabilities. This analysis examines the encryption changes and their implications for defenders. Jolly Scorpius employs a double extortion model, combining data theft with file encryption....

UAT-9686, a suspected Chinese-nexus APT actor, is actively targeting Cisco Secure Email Gateway (AsyncOS/ESA) and Cisco Secure Email and Web Manager (SMA). The group exploits non-standard appliance configurations to deploy a custom persistence tool called AquaShell, along with reverse tunneling and log-cleaning utilities to maintain stealthy, long-term access....

Detects instances where a web browser process opens an HTML file from a user’s Downloads folder. This behavior may be indicative of phishing activity, in which threat actors distribute HTML attachments to users. Opening such attachments can result in the execution of malicious scripts or the delivery of malware....