Threat Research

We are tracking a 28-day Malware-as-a-Service (MaaS) campaign abusing the Polygon blockchain for resilient C2 configuration. The attack utilizes a ClickFix lure, with over 130 compromised websites detected so far. Injected with a "JokerStat Analytics Tracker" script, compromised sites exfiltrate screenshots and session telemetry every 2 minutes....
Just as human users can be socially engineered through phishing, AI agents are also susceptible to similar attacks. Threat actors are leveraging Indirect Prompt Injection (IPI) to embed hidden malicious instructions into websites, including those impersonating payment services and cryptocurrency platforms, to manipulate AI agents during task execution....
In May 2026, Threat Labs detected an Ousaban banking Trojan campaign targeting Spain and Portugal. The malware, historically active in Brazil, is delivered using a malicious MSI downloader. Phishing PDFs trick victims into visiting a webpage that scans their geographic location. If the user is in the target region, the site downloads an initial VBS script....
ARToken is a sophisticated Phishing-as-a-Service (PhaaS) platform closely linked to the EvilTokens ecosystem, providing affiliates with a comprehensive toolkit for Microsoft 365 account compromise....
A malicious campaign is distributing a fake Google Notes browser extension that silently steals cryptocurrency by replacing copied wallet addresses with attacker-controlled ones during transactions....
A scam campaign is using 2026 FIFA World Cup "Champion Reward" survey lures to steal PII and payment card details. The phishing emails are sent from `adfluxi[.]com`, pass authentication, and have no official affiliation with FIFA. Malicious URLs detect sandboxes and non-US visitors, actively redirecting them to harmless decoy sites....
The Gentlemen emerged as a prominent Ransomware-as-a-Service (RaaS) group, significantly expanding its operations in early 2026 and ranking among the top ransomware actors by victim disclosures on its Data Leak Site (DLS)....
Attackers are targeting Booking.com partner hotels in Japan using phishing emails. Phishing lures impersonate guest complaints and review requests to trick staff. Delivery methods include bulk phishing and interactive, trust-building Gmail chats. Victims are tricked into executing a malicious file containing "TONResolver" malware....
Suspicious Bitsadmin File Download via Untrusted Domain....
Researchers actively track and analyze threat actors and their campaigns, with a focus on attribution, infrastructure analysis, and adversary tradecraft. During our latest investigation, we identified a campaign exhibiting operational and technical characteristics consistent with a China-nexus threat cluster....
Backdoor.Mistic is a stealthy backdoor observed in cybercrime intrusions since April 2026 and is suspected to be linked to the Woodgnat (KongTuke) initial access broker. Using DLL sideloading, fileless in-memory execution, and self-deletion capabilities, it establishes long-term covert access while evading detection....
Throughout 2025, Chinese-speaking threat group CL-STA-1062 targeted Southeast Asian government entities and critical energy infrastructure. The attackers have been active since at least March 2022, demonstrating a long-term regional focus. High-confidence assessments link this group to UAT-7237, which attacked Taiwanese web hosting infrastructure in mid-2025....
Russia-aligned APT group Gamaredon maintained an aggressive cyberespionage campaign throughout 2025, targeting Ukrainian government and military organizations with large-scale spearphishing attacks and new PowerShell-based malware....
Software supply-chain attacks have evolved from isolated package compromises into sophisticated campaigns targeting developer ecosystems through credential theft, repository compromise, and CI/CD abuse. The Shai-Hulud activity cluster and its evolution into Mini Shai-Hulud demonstrate this shift, culminating in the modular Miasma framework for multi-ecosystem propagation....
In early 2026, the team uncovered a threat actor targeting a service provider's SD-WAN infrastructure. After securing initial access, the actor exploited a zero-day vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN, specifically leveraging an unfiltered file upload feature to escalate privileges from an administrative account to root level....