Threat Research

A new cyber-espionage campaign dubbed Operation BarrelFire has been uncovered, attributed to a newly tracked threat group named Noisy Bear. Active since April 2025, Noisy Bear has primarily targeted entities in Kazakhstan's Oil and Gas sector, including KazMunaiGas (KMG). The attack begins with a phishing email containing a ZIP file disguised as an internal KMG document....

We’ve identified an SMS phishing (smishing) campaign posing as the California Franchise Tax Board. The fraudulent websites use domain names that combine terms like “FTB,” “CA,” and “gov” to deceive users. These sites falsely promise tax refunds, but their true purpose is to harvest sensitive personal information, including Social Security numbers, addresses, and payment details...

A surge in active exploitation is targeting newly revealed vulnerabilities in Microsoft SharePoint Server (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771)....

Research has uncovered an AMOS (Atomic macOS Stealer) campaign targeting macOS users by disguising malware as “cracked” apps and tricking users into running malicious Terminal commands to bypass Gatekeeper....

A ViewState deserialization vulnerability impacted Sitecore deployments that used a sample machine key published in Sitecore’s deployment guides prior to 2017. Attackers exploited this exposed ASP.NET machine key to achieve remote code execution. The team collaborated directly with Sitecore to resolve the issue....

The XWorm backdoor campaign has shifted from predictable delivery methods to more sophisticated, deceptive techniques. While it still uses phishing emails and .lnk files for initial access, it now disguises malicious executables with legitimate-looking names like 'discord.exe'....

The team identified threat actor activity exploiting the Salesloft-Drift integration to breach Salesforce instances. From August 8–18, 2025, compromised OAuth credentials were used to exfiltrate sensitive Salesforce data. The actor targeted objects like Account, Contact, Case, and Opportunity, and scanned for credentials post-exfiltration....

Our team discovered an Android malware, “SikkahBot,” active since July 2024, targeting students in Bangladesh. Disguised as apps from the Bangladesh Education Board, it lures users with fake scholarships to steal sensitive data....

We identified an email campaign promoting fake luxury shopping sites via enticing subject lines and links. The sites mimic legitimate stores, redirect to PayPal for payment, and show deep discounts on luxury items. Domains are tied to malicious IPs, mostly in Vietnam (AS 149137, AS 149123, AS 149125), and hosted via US-based cloud providers....

The TAOTH campaign exploited an abandoned Sogou Zhuyin IME update server and spear-phishing to deliver malware like TOSHIS, C6DOOR, DESFY, and GTELAM. Targeting users across Eastern Asia—especially Traditional Chinese speakers—it focused on high-value individuals such as dissidents, journalists, and tech leaders....

Chinese state-sponsored APT (Advanced Persistent Threat) actors are conducting global cyber espionage operations targeting key infrastructure sectors such as telecommunications, government, transportation, and military networks....

A recent phishing campaign is targeting companies through emails containing malicious URLs that lead to spoofed websites tailored to the recipient’s email domain. These convincing sites trick users into downloading JavaScript files that act as droppers for UpCrypter malware....

QuirkyLoader is a newly observed malware loader, active since November 2024, used to deliver various infostealers and remote access trojans (RATs) like Agent Tesla, AsyncRAT, FormBook, Remcos, and others. The infection begins with phishing emails containing malicious archives. These archives include a legitimate executable, an encrypted payload, and a malicious DLL....

In March 2025, Intelligence Group uncovered a PRC-linked UNC6384 campaign targeting diplomats in Southeast Asia, aligning with China's cyber espionage goals. The threat actor hijacked captive portals to deliver a signed downloader, STATICPLUGIN, which deployed the PlugX backdoor in memory....

The Resurgence of IoT Malware: Inside the Mirai-Based 'Gayfemboy' Botnet Campaign explores a stealthy and evolving malware strain named "Gayfemboy," initially discovered by a Chinese cybersecurity firm. Over the past year, the malware resurfaced with renewed activity in July, targeting vulnerabilities in IoT devices from vendors like DrayTek, TP-Link, Raisecom, and Cisco....