Threat Research

The Agenda ransomware group, also known as Qilin, has continued to evolve since its emergence in 2022, shifting its ransomware development from Go to Rust and incorporating advanced evasion, propagation, and remote execution capabilities. In a recent campaign, the group deployed SmokeLoader alongside a newly discovered....

We have analyzed multiple recent incidents where threat actors exploited Microsoft Teams to target victims. Posing as the organization’s Help Desk, the attackers initiate contact via Teams messages. They then attempt to persuade users to execute a Trojanized version of the GlobalProtect installer....

Our team has observed a surge in large-scale phishing campaigns written in Japanese, primarily targeting organizations in Japan using a phishing kit known as CoGUI. These campaigns often impersonate well-known consumer and payment brands like Amazon, PayPay, and Rakuten. CoGUI is a stealthy phishing framework designed to evade detection, with Japan being its main focus....

A newly uncovered targeted campaign has revealed the resurgence of the Lampion malware, focusing on Portuguese organizations in the government, finance, and transportation sectors. Active since 2019, Lampion now incorporates ClickFix lures—a social engineering tactic that tricks users into executing malicious commands disguised as system fixes....

Outlaw, also known as "Dota," is a Perl-based crypto-mining botnet targeting Linux systems by exploiting weak or default SSH credentials. While previously observed in honeypots, a recent real-world incident in Brazil highlights its continued effectiveness....

SideWinder APT, active since at least 2012 and likely based in India, targets government, military, and financial institutions in South Asia and the Middle East. The group leverages spear-phishing, social engineering, and zero-day exploits for network infiltration. It uses custom malware and backdoors to maintain persistence and exfiltrate sensitive data....

A new loader has been identified leveraging the Pascal scripting engine in Inno Setup. It is used to distribute infostealers such as LummaC2, DeerStealer, Rhadamanthys, and StealC. Typically spread via fake application websites, the loader features anti-VM capabilities, XOR-based string encryption, and retrieves payloads from TinyURL using an authentication token....

Hannibal Stealer is a newly rebranded and sophisticated malware that has gained traction in the cybercriminal ecosystem. Evolved from earlier variants like Sharp and TX Stealer, it targets web browsers, crypto wallets, and messaging apps, while evading modern security defenses....

The report examines the rapid evolution of the StealC malware, with a focus on version 2 (released in March 2025). Notable upgrades include a streamlined C2 protocol, RC4 encryption, and new payload delivery options such as MSI packages and PowerShell scripts. A revamped control panel enables tailored payload deployment based on geolocation, HWID, and installed software....

Detects the use of the LOLOBIN utility "createdump.exe" for capturing process memory dumps....

Gremlin Stealer is a newly discovered information-stealing malware written in C# and actively promoted on a Telegram group since March 2025. Designed to target Windows systems, it exfiltrates sensitive data—including browser cookies, credit card information, clipboard contents, crypto wallets, FTP, and VPN credentials—and uploads it to a remote server....

Detects the execution of "DumpMinitool.exe," a utility used to capture process memory dumps through the "MiniDumpWriteDump" function....

In March 2025, the PebbleDash backdoor malware, previously linked to the Lazarus group, was observed being distributed in new campaigns targeting individuals. The latest activity includes the use of additional malware and modules alongside PebbleDash to enhance its capabilities....

The Earth Kurma APT campaign targets government and telecommunications sectors in Southeast Asia, particularly in the Philippines, Vietnam, Thailand, and Malaysia. This sophisticated attack uses advanced malware, including custom rootkits and cloud storage for data exfiltration....

Since last year, we have been monitoring a Windows bot malware known as "Blitz." Its infection chain involves multiple stages, including an initial dropper, a downloader, and the main botnet component....