Threat Research

Boggy Serpens (also known as MuddyWater), an Iranian state-linked threat group associated with MOIS, continues to conduct cyberespionage campaigns targeting diplomatic entities and critical infrastructure sectors such as energy, maritime, and finance....

Since late December 2025, the team has handled multiple incidents involving voice-based phishing (vishing) leading to data theft and extortion. These attacks have targeted organizations across Financial Services, Manufacturing, Professional & Legal Services, and Wholesale & Retail sectors....

Pakistan-linked threat actor APT36 (Transparent Tribe) has shifted to an AI-assisted malware development model known as “vibeware,” generating large volumes of disposable implants using niche programming languages such as Nim, Zig, and Crystal to evade traditional detection....

In March 2026, the team identified activity by a China-nexus threat actor targeting countries in the Persian Gulf region. The campaign used a multi-stage attack chain to deploy a PlugX backdoor variant on compromised systems. Both the shellcode and PlugX backdoor employed obfuscation techniques to hinder reverse engineering....

In today’s evolving cybercrime landscape, attackers seek the “perfect” malware—lightweight, modular, and highly stealthy. Underground markets quickly adopt tools that offer strong capabilities while maintaining low detection rates. XWorm has become a leading example of this trend....

A state-sponsored threat cluster tracked as CL-STA-1087, suspected to be linked to China, has conducted a long-term cyber espionage campaign targeting military organizations in Southeast Asia since at least 2020. The attackers focused on collecting sensitive intelligence related to military capabilities, organizational structures, and cooperation with Western armed forces....

A recent campaign involving Remcos RAT demonstrates the shift toward fileless malware techniques, using phishing emails with procurement-themed lures to initiate infection. The attack chain delivers a JavaScript downloader that retrieves an AES-obfuscated PowerShell payload, which then loads a .NET injector to perform process hollowing on a legitimate Windows process....

On 28 February 2026, the US and Israel launched strikes inside Iran in a campaign named Operation Epic Fury, targeting missiles, air defenses, military infrastructure, and leadership assets. Iran retaliated with missile and drone attacks against US embassies and military bases across the region....

Threat actors distributed fake OpenClaw installers through malicious GitHub repositories to infect users with information stealers and the GhostSocks proxy malware. The campaign used a custom Stealth Packer to evade detection and targeted users searching for OpenClaw installers on Windows and macOS....

Security researchers uncovered ongoing attacks linked to the KongTuke threat group using compromised WordPress sites and fake CAPTCHA lures to spread the Python-based modeloRAT. Attackers inject malicious JavaScript that prompts users to run a PowerShell command, triggering a multistage infection process....

Cybercriminals are exploiting the heightened political tensions in the Middle East to launch opportunistic cyber campaigns using conflict-themed lures. Thousands of newly registered domains related to the conflict have been identified, many of which may be used for future malicious activity such as phishing, scams, and malware distribution....

Between 2024 and March 2026, the geopolitical landscape around Iran has shifted dramatically. What was once a tense but predictable standoff has escalated into a major regional crisis. In 2024, Iran began moving from proxy warfare toward direct military confrontation, marked by ballistic missile exchanges with Israel....

Since at least 2020, we have observed a cluster of activity targeting high-value organizations across South, Southeast, and East Asia. The attacks focus on critical sectors including aviation, energy, government, law enforcement, pharmaceutical, technology, and telecommunications. This ongoing and previously undocumented activity is being tracked as CL-UNK-1068....

The Coruna exploit kit is a sophisticated toolkit targeting Apple iPhones running iOS 13.0 through 17.2.1, containing five full exploit chains and 23 exploits, including zero-day exploits, that leverage advanced, non-public techniques to bypass iOS security protections....

Team has disclosed UAT-9244, assessed with high confidence as a China-nexus APT actor linked to Famous Sparrow. Since 2024, the group has targeted critical telecommunications infrastructure in South America. Its attacks impact Windows and Linux endpoints as well as network edge devices....