Threat Research

In February 2025, TA406 launched phishing campaigns against Ukrainian government entities, delivering both credential-harvesting tools and malware. Likely aimed at gathering intelligence related to the ongoing Russian invasion, TA406 is a DPRK state-sponsored threat group, also known as Opal Sleet or Konni....

Earth Ammit, a threat actor linked to Chinese-speaking APT groups, conducted two coordinated cyberespionage campaigns—VENOM and TIDRONE—between 2023 and 2024, targeting organizations in Taiwan and South Korea....

A threat actor has been using phishing emails with malicious HTML attachments to distribute Horabot malware, primarily targeting Spanish-speaking users. The campaign impersonates invoices to steal email credentials and spread banking trojans across Latin America. Horabot uses Outlook COM automation to send phishing emails from compromised inboxes, aiding lateral movement....

On April 24, 2025, SAP disclosed CVE-2025-31324, a critical vulnerability (CVSS 10.0) in SAP NetWeaver’s Visual Composer Framework (version 7.50). This flaw allows unauthenticated attackers to upload arbitrary files via the /developmentserver/metadatauploader endpoint, potentially leading to remote code execution and full system compromise....

The DragonForce ransomware group has shifted its focus from politically motivated attacks to high-profile financial extortion campaigns, recently targeting UK retailers like Harrods, Marks and Spencer, and the Co-Op, causing significant disruptions to critical operations like payment systems and inventory management....

The IR team recently identified a new email campaign distributing a Remote Access Trojan (RAT) targeting organizations in Spain, Italy, and Portugal. The attackers use the serviciodecorreo email service, which is authorized for multiple domains and passes SPF checks....

A suspected Iranian cyber espionage operation was discovered impersonating a German modeling agency. The attackers created a fake website that replicated the real agency’s branding and used obfuscated JavaScript to secretly collect visitor data such as IP addresses, browser fingerprints, and screen resolutions....

The Agenda ransomware group, also known as Qilin, has continued to evolve since its emergence in 2022, shifting its ransomware development from Go to Rust and incorporating advanced evasion, propagation, and remote execution capabilities. In a recent campaign, the group deployed SmokeLoader alongside a newly discovered....

We have analyzed multiple recent incidents where threat actors exploited Microsoft Teams to target victims. Posing as the organization’s Help Desk, the attackers initiate contact via Teams messages. They then attempt to persuade users to execute a Trojanized version of the GlobalProtect installer....

Our team has observed a surge in large-scale phishing campaigns written in Japanese, primarily targeting organizations in Japan using a phishing kit known as CoGUI. These campaigns often impersonate well-known consumer and payment brands like Amazon, PayPay, and Rakuten. CoGUI is a stealthy phishing framework designed to evade detection, with Japan being its main focus....

A newly uncovered targeted campaign has revealed the resurgence of the Lampion malware, focusing on Portuguese organizations in the government, finance, and transportation sectors. Active since 2019, Lampion now incorporates ClickFix lures—a social engineering tactic that tricks users into executing malicious commands disguised as system fixes....

Outlaw, also known as "Dota," is a Perl-based crypto-mining botnet targeting Linux systems by exploiting weak or default SSH credentials. While previously observed in honeypots, a recent real-world incident in Brazil highlights its continued effectiveness....

SideWinder APT, active since at least 2012 and likely based in India, targets government, military, and financial institutions in South Asia and the Middle East. The group leverages spear-phishing, social engineering, and zero-day exploits for network infiltration. It uses custom malware and backdoors to maintain persistence and exfiltrate sensitive data....

A new loader has been identified leveraging the Pascal scripting engine in Inno Setup. It is used to distribute infostealers such as LummaC2, DeerStealer, Rhadamanthys, and StealC. Typically spread via fake application websites, the loader features anti-VM capabilities, XOR-based string encryption, and retrieves payloads from TinyURL using an authentication token....

Hannibal Stealer is a newly rebranded and sophisticated malware that has gained traction in the cybercriminal ecosystem. Evolved from earlier variants like Sharp and TX Stealer, it targets web browsers, crypto wallets, and messaging apps, while evading modern security defenses....