Threat Research

In 2023, "ToyMaker," an initial access broker (IAB), was discovered working with double extortion gangs. Believed to be financially motivated, ToyMaker exploits internet-exposed vulnerabilities to deploy a custom backdoor called "LAGTOY" on victim systems, allowing access and credential extraction. LAGTOY enables reverse shells and command execution....

Lumma Stealer, first detected in 2022, remains a persistent and evolving threat, frequently adapting its tactics, techniques, and procedures (TTPs) to match emerging trends. Distributed via a subscription-based Malware-as-a-Service (MaaS) model on the dark web, Lumma is built to evade detection by identifying virtual and sandbox environments....

Since January 2025, several domains have been observed engaging in scanning activity leveraging DNS tunneling techniques. These domains target DNS resolvers hosted on public IPv4 and IPv6 addresses. To evade source IP-based access controls, the attacker spoofs the source IP to appear as an adjacent destination address....

Multiple Russian IP address ranges—masked through VPNs, proxy servers, and VPS infrastructure—are being used in cybercrime operations aligned with North Korea's Void Dokkaebi group (also known as Famous Chollima). These IPs are linked to companies near the North Korea-Russia border and support IT workers operating from countries like China, Russia, and Pakistan....

Detects suspicious command shell execution (cmd.exe) initiated by w3wp.exe, potentially linked to the exploitation of CentreStack’s portal.config—indicative of CVE-2025-30406 activity....

We observed a phishing campaign in the wild distributing a malicious Word document attachment crafted to exploit the CVE-2017-11882 vulnerability. Upon deeper analysis, we identified that the campaign was delivering a new variant of Formbook malware....

A newly identified botnet called RustoBot is spreading through TOTOLINK routers using Rust, a programming language known for its speed and security. RustoBot exploits command injection vulnerabilities in the cstecgi.cgi script, including CVE-2022-26210 and CVE-2022-26187, to achieve remote code execution....

Identifies unusual child processes initiated by the CrushFTP service, potentially signaling exploitation of remote code execution flaws like CVE-2025-31161, which allows RCE via crafted HTTP requests. The detection targets frequently misused Windows executables (e.g., powershell.exe, cmd.exe) often leveraged by attackers for executing malicious commands after gaining access....

FOG ransomware is being spread by cybercriminals claiming ties to the Department of Government Efficiency (DOGE). Nine samples with the ".flocked" extension were found, dropping notes urging further spread and referencing DOGE and an FBI-related incident....

In December 2024, we identified a multi-stage attack chain used to deliver malware such as Agent Tesla variants, Remcos RAT, and XLoader. Attackers are increasingly adopting layered delivery tactics to bypass detection tools and traditional sandboxes. The phishing campaign we examined disguised itself as an order release request, delivering a malicious attachment....

Mustang Panda continues to develop custom tools for targeted attacks. They use PAKLOG and CorKLOG keyloggers—PAKLOG obfuscates data with custom encoding, while CorKLOG encrypts logs using a 48-character RC4 key. Persistence is achieved via services and scheduled tasks....

Slow Pisces (aka Jade Sleet, TraderTraitor, PUKCHONG) is a North Korean threat group focused on funding the DPRK through crypto-targeted attacks. In a recent campaign, the group posed as employers on LinkedIn, targeting cryptocurrency developers. They sent malware-laced coding challenges that infected victims' systems....

Since mid-October 2024, ongoing smishing campaigns have impersonated U.S. toll road payment services like E-ZPass in an effort to commit financial fraud....

We've observed multiple newly registered domains containing the term "nintendo," emerging shortly after the announcement of the Switch 2 console. These domains are linked to phishing websites and monetized parking pages. The phishing sites mimic Nintendo’s branding, including logos and character imagery, to deceive users....

In late January 2025, a Managed Service Provider (MSP) administrator received a convincing phishing email disguised as an authentication alert for their ScreenConnect Remote Monitoring and Management (RMM) tool....