Threat Research

Detects a suspicious CertReq execution that initiates a file download. This activity is commonly associated with attackers attempting to retrieve additional payloads or configuration files....

A global phishing campaign is targeting the hospitality industry, exploiting compromised Booking.com accounts and WhatsApp messages to defraud hotel customers. The attackers gained access to hotel systems through infostealer malware, stealing credentials for booking platforms like Booking.com and Expedia....

Between June and August 2025, we observed a newly identified threat actor, designated UNK_SmudgedSerpent, conducting targeted operations against academics and foreign policy experts....

On September 8, 2025, a threat actor hijacked the NPM account of developer “qix” (Josh Junon) through a phishing email impersonating NPM Support. After stealing credentials via a fake NPM login page, the attacker injected a JavaScript clipper into 20 popular NPM packages, redirecting cryptocurrency transactions to attacker-controlled wallets....

Silent Lynx is an espionage-driven APT group known for spear-phishing campaigns impersonating government officials to target Central Asian, Russian, and Southeast Asian entities. Recent analysis shows the group’s slow tactical evolution, using fake RAR archives and malicious .NET implants, while making operational errors that exposed new infrastructure....

Our Labs team uncovered a campaign targeting military personnel in Russia and Belarus, particularly the Russian Airborne Forces and Belarusian Special Forces. The infection chain exposes multiple local services via Tor using obfs4 bridges, enabling anonymous communication through onion addresses....

On May 30, 2025, researchers discovered an ELF file “w” from IP 111.119.223.196, linked to the PolarEdge malware family. Analysis revealed a new component, RPX_Client, that connects compromised devices to PolarEdge’s proxy (ORB) network for traffic relaying and remote control. Together with RPX_Server, it forms the backbone of PolarEdge’s relay infrastructure....

Cybercriminals are targeting trucking and freight companies through complex attack chains to steal cargo shipments. Cargo theft has become a multi-million-dollar industry, with digital transformation fueling a surge in cyber-enabled theft. Attackers infiltrate logistics firms and exploit their access to bid on shipments, which they then steal and resell....

Identity compromise remains a major threat to cloud infrastructure, allowing attackers with valid credentials to evade traditional security controls. In AWS, such compromises often involve abuse of the Simple Email Service (SES) for illicit email operations. Recent investigations revealed a campaign where stolen AWS credentials were used to exploit SES....

Monitors for instances where command-line interpreters like cmd.exe or powershell.exe are spawned as child processes of the WSUS service (wsusservice.exe). This behavior strongly indicates potential exploitation of a critical remote code execution vulnerability, such as CVE-2025-59287, where attackers may launch shells to perform reconnaissance or additional malicious actions....

In mid-2025, researchers identified a sophisticated BRONZE BUTLER campaign that leveraged a zero-day vulnerability in Motex LANSCOPE Endpoint Manager to exfiltrate sensitive data....

North Korea-linked Lazarus Group has launched a new wave of Operation DreamJob, targeting European defense companies involved in unmanned aerial vehicle (UAV) development. The campaign uses trojanized open-source GitHub projects and the ScoringMathTea malware to steal proprietary data and manufacturing know-how....

BlueNoroff (also known as APT38, Sapphire Sleet, and TA444) — a financially motivated North Korean threat group — continues its SnatchCrypto operation, targeting blockchain developers and Web3 executives. The group has evolved its tactics with new infiltration methods and malware families....

We have identified a new Windows-based malware family, dubbed Airstalk, which exists in both PowerShell and .NET variants. Our assessment, with medium confidence, suggests that a nation-state threat actor may have deployed this malware as part of a probable supply chain attack. To monitor and analyze related activity, we have established the threat activity cluster CL-STA-1009....

A Vietnam-based threat cluster, tracked as UNC6229, is conducting fake job posting campaigns targeting digital marketing and advertising professionals. The group uses social engineering through legitimate employment platforms and fraudulent recruitment sites to deliver malware or steal credentials....