Threat Research

    A software supply chain attack targeted users of EmEditor by distributing a compromised installer that delivered multistage information-stealing malware. The malicious installer enabled credential theft, data exfiltration, and lateral movement, while delaying execution of malicious behavior to evade early detection....
    Between February and September 2025, multiple credential-harvesting campaigns were attributed to BlueDelta, a Russian state-sponsored threat group linked to the GRU. These operations expand on BlueDelta’s ongoing credential-theft activity previously documented in Insikt Group’s December 2025 report. During 2025, BlueDelta targeted a limited but distinct set of victims....
    A short-lived infostealer campaign active in mid-January 2026 targeted users through spoofed software installers packaged in consistently structured ZIP archives. The operation is identifiable by a unique behavioral hash and abuses a trusted executable to sideload a malicious payload, ultimately executing secondary-stage infostealers....
    VoidLink is a sophisticated malware framework composed of custom loaders, implants, rootkits, and modular plugins that enable persistent access to Linux systems. It is built to function reliably in cloud and containerized environments, with a strong focus on long-term operations....
    Labs have uncovered a multi-stage malware campaign mainly targeting users in Russia. The attack starts with social engineering via business-themed documents that appear routine and harmless. These files distract victims with fake tasks or status messages while malicious processes run in the background....
    DeadLock is a low-profile ransomware discovered in July 2025 that stands out for operating without known affiliates or a data leak site. Despite limited victim visibility, the group employs an unusual technique by abusing Polygon smart contracts to rotate or distribute proxy server addresses, enabling stealthy and decentralized infrastructure management....
    Evelyn Stealer is a multistage information-stealing campaign that abuses the Visual Studio Code extension ecosystem to compromise software developers....
    We identified phishing emails impersonating financial institutions, framed as alerts about expired W-8BEN tax forms. The attackers rapidly rotate domains to evade detection. Phishing pages use cloaking techniques and remain active only briefly....
    UAT-8837 is a China-nexus threat actor assessed with medium confidence to specialize in gaining initial access to high-value organizations, with a clear focus on critical infrastructure targets in North America since at least 2025....
    CastleLoader is a stealthy first-stage malware used in attacks against government organizations and various industries. It employs a multi-stage execution chain—Inno Setup, AutoIt, and process hollowing—to bypass security defenses. The final payload is deployed only in memory after process manipulation, evading traditional static detection....
    Labs identified a new phishing campaign active in the wild. The attack delivers a new variant of Remcos, a lightweight commercial RAT with extensive capabilities. These include system resource control, remote surveillance, network operations, and agent management. I performed an in-depth analysis of the campaign’s full infection chain....
    The Muddy Water APT has launched a spearphishing campaign targeting diplomatic, maritime, financial, and telecom sectors across the Middle East, delivering malicious Word documents with icon spoofing....
    In November 2025, three malicious npm packages—bitcoin-main-lib, bitcoin-lib-js, and bip40—were identified. These packages were engineered to deploy a previously unknown remote access trojan (RAT) malware family. The malware, dubbed NodeCordRAT, propagates through npm and leverages Discord servers for command-and-control (C2) communications....
    As one of the world’s largest social media platforms, Facebook has over 3 billion active users. This massive user base makes it a prime target for phishing attacks. Attackers seek to hijack accounts to exploit victims and their social networks. Their objective is to steal login credentials for fraud, data theft, or scam distribution....
    A multi-stage campaign linked to AsyncRAT abuses trusted infrastructure to evade detection and ensure reliable payload delivery. Threat actors leverage Cloudflare free-tier services and TryCloudflare tunnels to host WebDAV servers, while phishing emails delivered via Dropbox use double-extension files to trick victims....