Threat Research

Ashen Lepus (aka WIRTE), an APT linked to Hamas-affiliated interests, has conducted a long-running espionage campaign against governmental and diplomatic organizations across the Middle East....

During October and November 2025, a series of campaigns targeting the energy, defense, pharmaceutical, and cybersecurity sectors displayed traits consistent with earlier operations linked to Void Rabisu (also known as ROMCOM, Tropical Scorpius, or Storm-0978)....

A financially motivated threat actor deploying DeadLock ransomware has adopted new tactics, including a previously unknown BYOVD loader that exploits Baidu Antivirus driver vulnerability CVE-2024-51324 to disable EDR protections....

In June 2025, we identified a new ransomware family called 01flip targeting a small set of victims in the Asia-Pacific region. Written entirely in Rust, it leverages cross-compilation to support multiple platforms. The attackers appear to be financially motivated and likely executed the operation manually....

We identified a new social-engineering tactic employed by the Belarusian threat actor White Lynx (also known as Ghostwriter, Storm-0257, UNC1151). The method relies on a malicious macro embedded in a Word document designed to evade detection and analysis. Once macros are enabled, the user is presented with a fake CAPTCHA window prompting them to validate a six-character string....

A critical React Server Components vulnerability, CVE-2025-55182, allows unauthenticated remote code execution and has already been exploited in the wild. Attackers have conducted automated scanning, reconnaissance, credential theft, and deployed malicious scripts, droppers, and reverse shells, including activity linked to a PRC-associated access broker....

ClickFix is a social-engineering technique that tricks users into pasting malicious scripts—often injected into the clipboard through pastejacking—into terminals or run windows, leading to system compromise. Since September 2025, detections have surged to over 200 compromised sites daily, driven by lures that mimic Google’s “Aw Snap!” error or fake browser update pages....

UDPGangster is a UDP-based backdoor linked to the MuddyWater threat group, active in cyber-espionage across the Middle East. It enables remote control of infected systems, supporting command execution, file exfiltration, and payload delivery over stealthy UDP channels. Recent campaigns have targeted users in Turkey, Israel, and Azerbaijan....

WARP PANDA is a newly identified, highly advanced China-nexus threat actor targeting VMware vCenter and ESXi environments across U.S. organizations in 2025. The group demonstrates strong technical skill, exceptional OPSEC, and deep expertise in cloud and virtualized systems....

BRICKSTORM is an advanced backdoor targeting VMware vSphere, including vCenter servers and ESXi, as well as Windows systems. The actors specifically focused on compromising VMware vSphere platforms. After gaining access, they used the vCenter console to steal VM snapshots for credential harvesting and to create hidden rogue VMs....

CVE-2025-55182 is a critical prototype-pollution vulnerability affecting React Server Components (RSC) and Next.js Server Actions. Attackers can inject special object-manipulation properties—such as __proto__ or constructor—into RSC headers, parameters, or JSON request bodies....

Despite U.S. sanctions, Intellexa continues selling its Predator spyware and remains one of the most aggressive exploit operators, rapidly developing or acquiring mobile zero-days....

eBPF is a modern kernel technology that allows small, sandboxed programs to run inside the Linux kernel to inspect or modify system activity. Introduced in 2015, it replaced the older 1992 BPF model, which no longer fit contemporary architectures like 64-bit systems....

An active Linux-targeting campaign is deploying a Mirai-derived botnet called V3G4, now enhanced with a stealthy, fileless-configured XMRig Monero cryptominer....

The Water Saci campaign in Brazil employs a heavily layered attack chain using multiple file formats—HTA, ZIP, and PDF—to evade simple detection and complicate analysis. Recently, attackers shifted from PowerShell to a Python-based propagation routine, enabling broader browser compatibility, improved error handling, and faster automated malware delivery through WhatsApp Web....