Threat Research

    BRICKSTORM is an advanced backdoor targeting VMware vSphere, including vCenter servers and ESXi, as well as Windows systems. The actors specifically focused on compromising VMware vSphere platforms. After gaining access, they used the vCenter console to steal VM snapshots for credential harvesting and to create hidden rogue VMs....
    CVE-2025-55182 is a critical prototype-pollution vulnerability affecting React Server Components (RSC) and Next.js Server Actions. Attackers can inject special object-manipulation properties—such as __proto__ or constructor—into RSC headers, parameters, or JSON request bodies....
    Despite U.S. sanctions, Intellexa continues selling its Predator spyware and remains one of the most aggressive exploit operators, rapidly developing or acquiring mobile zero-days....
    eBPF is a modern kernel technology that allows small, sandboxed programs to run inside the Linux kernel to inspect or modify system activity. Introduced in 2015, it replaced the older 1992 BPF model, which no longer fit contemporary architectures like 64-bit systems....
    An active Linux-targeting campaign is deploying a Mirai-derived botnet called V3G4, now enhanced with a stealthy, fileless-configured XMRig Monero cryptominer....
    The Water Saci campaign in Brazil employs a heavily layered attack chain using multiple file formats—HTA, ZIP, and PDF—to evade simple detection and complicate analysis. Recently, attackers shifted from PowerShell to a Python-based propagation routine, enabling broader browser compatibility, improved error handling, and faster automated malware delivery through WhatsApp Web....
    Nation-state adversaries continue to refine their methods to exploit vulnerabilities across diverse operating environments, making defense far more challenging for government entities. Within this landscape, APT36 (Transparent Tribe) stands out as a persistent threat actor focused on India’s governmental and strategic domains....
    ScoringMathTea is a newly uncovered C++ Remote Access Trojan used by North Korea’s Lazarus Group in a fresh phase of Operation DreamJob, targeting defense contractors supporting Ukraine to steal sensitive UAV technology....
    A compromised site and a lookalike domain worked together to deliver a double-extension RAR file masquerading as a PDF. The payload abused MSC EvilTwin (CVE-2025-26633) to inject code into mmc.exe and trigger hidden PowerShell stages via TaskPad commands. Layered obfuscation, a breached website, and password-protected archives reduced user visibility....
    The StopRansomware: Akira Ransomware advisory warns of Akira’s expanding operations, including new activity as of Nov. 13, 2025, targeting Windows, Linux, and virtualization platforms....
    Detects the use of the Grixba reconnaissance tool through characteristic command-line patterns. Grixba, employed by the Play ransomware group, supports pre-attack operations such as network scanning, data collection, and clearing of event logs....
    In August 2025, researchers discovered a proof-of-concept ransomware named PromptLock, created as part of an academic study on orchestrating ransomware-style attacks with large language models (LLMs)....
    At the end of October, during a global AWS connectivity disruption, Labs detected malware known as “ShadowV2” exploiting IoT vulnerabilities to spread. The incidents impacted multiple countries and affected seven different industries. To date, the malware has only been observed operating during the major AWS outage window....
    As Black Friday approaches, threat actors are ramping up phishing campaigns that abuse newly registered domains crafted to mimic legitimate shopping sites. These scams often link victims to fraudulent luxury-goods stores designed to steal payment information....
    The team investigated a renewed npm-focused compromise known as Shai-Hulud 2.0, first revealed in early November 2025. This campaign is far larger than before, impacting tens of thousands of GitHub repositories, including over 25,000 malicious repos tied to roughly 350 unique users....