Threat Research

A compromised site and a lookalike domain worked together to deliver a double-extension RAR file masquerading as a PDF. The payload abused MSC EvilTwin (CVE-2025-26633) to inject code into mmc.exe and trigger hidden PowerShell stages via TaskPad commands. Layered obfuscation, a breached website, and password-protected archives reduced user visibility....

The StopRansomware: Akira Ransomware advisory warns of Akira’s expanding operations, including new activity as of Nov. 13, 2025, targeting Windows, Linux, and virtualization platforms....

Detects the use of the Grixba reconnaissance tool through characteristic command-line patterns. Grixba, employed by the Play ransomware group, supports pre-attack operations such as network scanning, data collection, and clearing of event logs....

In August 2025, researchers discovered a proof-of-concept ransomware named PromptLock, created as part of an academic study on orchestrating ransomware-style attacks with large language models (LLMs)....

At the end of October, during a global AWS connectivity disruption, Labs detected malware known as “ShadowV2” exploiting IoT vulnerabilities to spread. The incidents impacted multiple countries and affected seven different industries. To date, the malware has only been observed operating during the major AWS outage window....

As Black Friday approaches, threat actors are ramping up phishing campaigns that abuse newly registered domains crafted to mimic legitimate shopping sites. These scams often link victims to fraudulent luxury-goods stores designed to steal payment information....

The team investigated a renewed npm-focused compromise known as Shai-Hulud 2.0, first revealed in early November 2025. This campaign is far larger than before, impacting tens of thousands of GitHub repositories, including over 25,000 malicious repos tied to roughly 350 unique users....

RelayNFC is a newly identified and increasingly sophisticated Android malware targeting users in Brazil through phishing campaigns. Designed specifically for NFC relay attacks, it captures victims’ contactless payment card data and relays it in real time to attacker-controlled servers, enabling fraudulent transactions as if the physical card were present....

In August 2025, an intrusion targeting an Asian subsidiary of a major European manufacturer was investigated and assessed as likely carried out by the North Korea–linked group UNC2970, aligning with Operation DreamJob. The attack began with a targeted WhatsApp message to a project engineer and used variants of the BURNBOOK loader and MISTPEN backdoor....

We uncovered multiple malicious files during an investigation into the ShinySp1d3r ransomware, linked to the ShinyHunters group. The ransomware name appears as “ShinySp1d3r” or “Sh1nySp1d3r,” and we track the group as Bling Libra. Several samples contain an embedded URL, likely a placeholder for a future Tor-based leak site....

Since early 2025, China’s presence in the Indo-Pacific has become increasingly assertive. Activities have ranged from heightened maritime tensions to acting as a peacebroker for Myanmar’s junta. More recently, espionage efforts have targeted joint Philippine naval exercises with the US, Australia, Canada, and New Zealand....

PlushDaemon is a China-aligned espionage group active since at least 2018, targeting entities in China, Taiwan, Hong Kong, Cambodia, South Korea, the United States, and New Zealand....

APT24, a PRC-nexus linked threat actor, has been running a long-term cyber-espionage campaign that spans three years and leverages BADAUDIO, a highly obfuscated first-stage downloader used to establish persistent access in victim networks....

Researchers are examining an ongoing, multi-stage malware campaign targeting WhatsApp users in Brazil. First detected on September 24, 2025, the operation—identified as STAC3150—uses archive attachments that contain a downloader script responsible for fetching several second-stage components....

Detects changes to NTFS symbolic link settings via fsutil, which may allow remote-to-local or remote-to-remote symlinks that could be abused in attacks....