Threat Research

    The team tracked a cargo theft threat actor’s post-compromise activity for over a month within a decoy environment run by Deception.pro. The attacker used multiple remote access tools to maintain persistence, including a previously unknown signing-as-a-service capability....
    CrySome RAT represents a modular, userland-focused post-exploitation framework emphasizing persistence, evasion, and operator control (keylogger, credential harvesting, RDP, HVNC). While it does not exhibit kernel-level sophistication, its combination of defense evasion techniques and surveillance capabilities makes it effective against poorly monitored environments....
    PureRAT is a sophisticated remote access trojan that uses a multi-stage, fileless infection chain initiated by a malicious LNK file and PowerShell commands. It employs steganography to hide payloads within PNG images, along with techniques like UAC bypass, process hollowing, and anti-VM checks to evade detection....
    IoT devices are increasingly targeted for large-scale attacks due to widespread use, poor patching, and weak security. Threat actors exploit known vulnerabilities to gain access and deploy persistent malware. These infections can spread across devices and enable DDoS attacks. A recent campaign abused CVE-2024-3721 in TBK DVR devices to deliver the Nexcorium Mirai variant....
    We detected active automated scans attempting to exploit CVE-2023-33538 in end-of-life TP-Link routers (TL-WR940N, TL-WR740N, TL-WR841N variants). The payloads involved Mirai-like malware designed to download and execute on vulnerable devices. This activity followed CISA adding the CVE to its Known Exploited Vulnerabilities catalog in June 2025....
    BlobPhish is an advanced credential-phishing campaign active since 2024 that generates phishing pages directly within the victim’s browser using in-memory blob objects, bypassing traditional network and file-based detection....
    Threat actors are abusing AI workflow automation platforms like n8n to conduct sophisticated phishing campaigns by sending automated emails that deliver malware and fingerprint victim devices. By leveraging trusted services and integrations with tools like Slack, Gmail, and AI models, attackers can bypass traditional security controls and scale their operations....
    Users searching for “TestDisk” are redirected via SEO poisoning to a malicious site (testdisk[.]dev). The site uses JavaScript to generate one-time URLs that deliver a fake “PhotoRec” installer. Victims download a ZIP and run testdisk-7.3.exe, which is actually a renamed Microsoft Setup binary....
    JanelaRAT is a malware family named after the Portuguese word “janela,” meaning “window.” It targets financial and cryptocurrency data from selected banks and institutions in Latin America. The malware is a modified version of BX RAT and has been active since June 2023....
    The supply chain compromise involving LiteLLM demonstrates how attackers, potentially leveraging social engineering tactics, injected malicious code that enabled unauthorized data access and potential command execution. It highlights how downstream users, including organizations like Mercor, were impacted due to implicit trust in the compromised dependency....
    A targeted social engineering campaign tracked as REF6598 abuses the Obsidian note-taking app to gain initial access, targeting individuals in the financial and cryptocurrency sectors via LinkedIn and Telegram. Victims are tricked into opening a shared vault with malicious plugins that silently execute code, leading to a multi-stage, fileless attack chain....
    A threat campaign has published over 200 malicious packages to NPM, using names like “huggingface-cli,” “webflow,” and “codeium.” These packages pose as a new AI coding agent called “Stardrop,” which gives the campaign its name. Detection began on April 9, with an average of 40+ new packages appearing daily....
    In this malware campaign, attackers distribute an infostealer by impersonating a legitimate OpenClaw AI tool. It leverages a ClickFix social engineering technique, tricking users into manually executing malicious commands and thereby bypassing browser security protections....
    A watering hole attack compromised the official CPUID website, replacing legitimate download links for popular tools like CPU-Z and HWMonitor with malicious versions....
    The Graphalgo campaign has resurfaced with more sophisticated tactics, using fake companies and GitHub organizations to create legitimacy for fraudulent job offers targeting developers. Victims are lured through coding tasks that include malicious dependencies from platforms like npm or PyPI, which execute during setup to deliver a remote access trojan (RAT)....