Threat Research

    UAT-11795 is a Russian-speaking, financially motivated threat actor targeting users primarily in the United States, with additional victims observed in Germany, Romania, and Venezuela....
    Since late March 2026, researchers have observed large-scale phishing campaigns that use fileless techniques and Lua-based loaders with low detection rates to deliver malware such as Agent Tesla, Remcos, XWorm, and Best Private LOGGER. The attackers impersonate well-known companies and pose as potential business partners to trick victims into opening malicious files....
    This campaign highlights the continued evolution of phishing attacks through the use of malicious VHDX images, DLL sideloading, in-memory shellcode execution, and layered anti-analysis techniques to evade traditional detection....
    Threat actors compromised multiple AsyncAPI npm packages by injecting a malicious import-time loader that executed automatically when affected packages were imported, bypassing mitigations such as npm install --ignore-scripts....
    Researchers analyzed TelePuz, a modular Malware-as-a-Service (MaaS) framework distributed through ClickFix social engineering campaigns that trick users into executing malicious commands. The malware employs a multi-stage infection chain with obfuscated loaders, dynamic payload delivery, and anti-analysis techniques to deploy additional malware modules....
    In January 2026, multiple attacks were detected using unknown malware to steal cryptocurrency wallet data. Investigators reconstructed a complex, four-stage infection chain linked to a malicious PowerShell script. This campaign stands out by using a new framework to deliver and orchestrate all malicious modules....
    Scammers are selling fake Celine Dion Paris concert tickets across social media. They exploit Ticketmaster’s official transfer feature to resell the same tickets indefinitely. Fraudsters are creating lookalike websites that mimic legitimate ticket distributors. These fake sites abuse Shopify’s payment infrastructure via a recycled scam kit....
    Researchers identified an infostealer infection led to the theft of WordPress credentials, enabling attackers to launch a sophisticated ClickFix campaign. The attack leveraged EtherHiding, PowerShell, DLL sideloading, and in-memory execution to deploy a multi-stage RAT....
    A suspected China-linked threat actor used the TencShell backdoor alongside Claude Code and DeepSeek-v4-pro to automate cyberespionage operations targeting government and financial systems....
    Our investigation began with a malicious Go module masquerading as a DNS/subdomain scanner. The module exposed a Windows malware chain using hidden PowerShell and dead-drop resolution. Pivoting revealed a larger GitHub lure network of 222 repositories across 190 accounts. We track this campaign as "Operation Muck and Load" based on its infrastructure and behavior....
    Threat actors compromised legitimate WordPress websites to inject ClickFix JavaScript that delivers malware to unsuspecting visitors. Rather than hardcoding command-and-control infrastructure, the script dynamically retrieves its configuration from a Polygon blockchain smart contract, allowing attackers to rotate infrastructure without modifying compromised sites....
    Researchers identified a malicious NuGet supply-chain campaign using Braintree.Net, a typosquat of the legitimate Braintree payment SDK. The package silently intercepts live payment-card data, steals Braintree merchant API credentials, and harvests environment, configuration, and cloud-related secrets while allowing normal payment operations to continue....
    A supply-chain attack compromised the Jscrambler npm package, introducing trojanized versions that executed a hidden cross-platform credential-stealing payload on Windows, Linux, and macOS. The malware targeted cloud credentials (AWS, Azure, GCP), developer secrets, CI/CD environments, cryptocurrency wallets, browser data, and AI/MCP configuration files....
    GigaWiper is a sophisticated Golang-based backdoor that combines advanced command-and-control capabilities with multiple destructive functions, including disk wiping, fake ransomware, and system sabotage. The malware integrates features from several destructive malware families, enabling threat actors to selectively deploy payloads through a single modular platform....
    Between 2024 and 2026, suspected China- and India-nexus threat actors targeted Pakistani law enforcement agencies. Attackers deployed malware like PlugX, ShadowPad, Cobalt Strike, and Remcos against Balochistan Police assets. Compromised systems included servers managing biometric data, national identity-linked registrations, and criminal records....
    Looking for Something?
    Threat Research Categories:
    Tags