Threat Research

Nation-state adversaries continue to refine their methods to exploit vulnerabilities across diverse operating environments, making defense far more challenging for government entities. Within this landscape, APT36 (Transparent Tribe) stands out as a persistent threat actor focused on India’s governmental and strategic domains....

ScoringMathTea is a newly uncovered C++ Remote Access Trojan used by North Korea’s Lazarus Group in a fresh phase of Operation DreamJob, targeting defense contractors supporting Ukraine to steal sensitive UAV technology....

A compromised site and a lookalike domain worked together to deliver a double-extension RAR file masquerading as a PDF. The payload abused MSC EvilTwin (CVE-2025-26633) to inject code into mmc.exe and trigger hidden PowerShell stages via TaskPad commands. Layered obfuscation, a breached website, and password-protected archives reduced user visibility....

The StopRansomware: Akira Ransomware advisory warns of Akira’s expanding operations, including new activity as of Nov. 13, 2025, targeting Windows, Linux, and virtualization platforms....

Detects the use of the Grixba reconnaissance tool through characteristic command-line patterns. Grixba, employed by the Play ransomware group, supports pre-attack operations such as network scanning, data collection, and clearing of event logs....

In August 2025, researchers discovered a proof-of-concept ransomware named PromptLock, created as part of an academic study on orchestrating ransomware-style attacks with large language models (LLMs)....

At the end of October, during a global AWS connectivity disruption, Labs detected malware known as “ShadowV2” exploiting IoT vulnerabilities to spread. The incidents impacted multiple countries and affected seven different industries. To date, the malware has only been observed operating during the major AWS outage window....

As Black Friday approaches, threat actors are ramping up phishing campaigns that abuse newly registered domains crafted to mimic legitimate shopping sites. These scams often link victims to fraudulent luxury-goods stores designed to steal payment information....

The team investigated a renewed npm-focused compromise known as Shai-Hulud 2.0, first revealed in early November 2025. This campaign is far larger than before, impacting tens of thousands of GitHub repositories, including over 25,000 malicious repos tied to roughly 350 unique users....

RelayNFC is a newly identified and increasingly sophisticated Android malware targeting users in Brazil through phishing campaigns. Designed specifically for NFC relay attacks, it captures victims’ contactless payment card data and relays it in real time to attacker-controlled servers, enabling fraudulent transactions as if the physical card were present....

In August 2025, an intrusion targeting an Asian subsidiary of a major European manufacturer was investigated and assessed as likely carried out by the North Korea–linked group UNC2970, aligning with Operation DreamJob. The attack began with a targeted WhatsApp message to a project engineer and used variants of the BURNBOOK loader and MISTPEN backdoor....

We uncovered multiple malicious files during an investigation into the ShinySp1d3r ransomware, linked to the ShinyHunters group. The ransomware name appears as “ShinySp1d3r” or “Sh1nySp1d3r,” and we track the group as Bling Libra. Several samples contain an embedded URL, likely a placeholder for a future Tor-based leak site....

Since early 2025, China’s presence in the Indo-Pacific has become increasingly assertive. Activities have ranged from heightened maritime tensions to acting as a peacebroker for Myanmar’s junta. More recently, espionage efforts have targeted joint Philippine naval exercises with the US, Australia, Canada, and New Zealand....

PlushDaemon is a China-aligned espionage group active since at least 2018, targeting entities in China, Taiwan, Hong Kong, Cambodia, South Korea, the United States, and New Zealand....

APT24, a PRC-nexus linked threat actor, has been running a long-term cyber-espionage campaign that spans three years and leverages BADAUDIO, a highly obfuscated first-stage downloader used to establish persistent access in victim networks....