Threat Research

The Chrome extension “Chrome MCP Server - AI Browser Control” operates as a browser-based Remote Access Trojan (RAT). It is disguised as an AI automation tool and falsely claims that all processing is 100% local. Once enabled, it connects via WebSocket to a live C2 server....

The report highlights a rise in model extraction (“distillation”) attacks aimed at stealing proprietary AI logic, alongside the growing integration of generative AI into real-world threat operations....

XWorm v7 RAT is a modular, malware-as-a-service Remote Access Trojan active since 2022, widely adopted by cybercriminals for its ease of deployment and extensive post-compromise capabilities....

GuLoader (also known as CloudEye) is a highly obfuscated malware family first identified in December 2019. It primarily functions as a downloader for Remote Access Trojans (RATs) and information stealers. Threat actors often host its payloads on legitimate platforms like Google Drive and OneDrive to evade detection....

XWorm is a multi-functional Remote Access Trojan (RAT) first identified in 2022 and still actively distributed, including via Telegram marketplaces. Once installed, it grants attackers full remote control over compromised Windows systems. This campaign uses phishing emails with social engineering tactics to trick recipients into opening a malicious attachment....

A Peek Into Muddled Libra’s Operational Playbook examines a September 2025 intrusion in which the cybercrime group Muddled Libra (aka Scattered Spider/UNC3944) deployed a rogue VM after compromising a VMware vSphere environment....

North Korean threat actors continue to refine their tactics to target cryptocurrency and DeFi organizations. A recent investigation examined an intrusion against a FinTech entity in this sector. The activity was attributed to UNC1069, a financially motivated threat actor active since at least 2018....

Stan Ghouls (also known as Bloody Wolf) is a cybercriminal group active since at least 2023, conducting highly targeted campaigns primarily against manufacturing, finance, and IT organizations across Russia and Central Asia....

Knife Cutting the Edge details DKnife, a China-nexus, Linux-based adversary-in-the-middle (AitM) gateway framework active since at least 2019 that compromises routers and edge devices to inspect and manipulate network traffic and deliver malware....

The Threat Analysis reports examine emerging threats and offer practical guidance for mitigating them. In this report, Security Services analyzes a fake installer attack recently observed multiple times. The investigation uncovered findings not previously documented and revealed new threat intelligence....

The Shadow Campaigns reveal a highly sophisticated, state-aligned cyberespionage group tracked as TGR-STA-1030, assessed to operate out of Asia and responsible for extensive compromises of government and critical infrastructure organizations worldwide....

Labz identified Marco Stealer in June 2025 as an information stealer targeting browser data, crypto wallets, and sensitive local and cloud files. It profiles infected systems by collecting hardware IDs, OS versions, IP addresses, and geolocation details. The malware uses named pipes to coordinate communication between its internal components....

APT28, a Russian state-sponsored threat group also known as Fancy Bear or UAC-0001, is conducting a sophisticated espionage campaign against European military and government entities. The operation primarily targets maritime and transportation organizations in Poland, Slovenia, Turkey, Greece, the UAE, and Ukraine....

Rublevka Team is a large-scale, affiliate-driven crypto-theft operation active since 2023 that has generated over $10 million by luring victims with fake promotions or airdrops and tricking them into signing wallet-draining transactions....

The Notepad++ supply chain attack exploited a compromised update infrastructure to deliver malicious updates through multiple, constantly rotating execution chains, C2 servers, and payloads....