Threat Research

    ShinyHunters exploited the critical zero-day vulnerability CVE-2026-35273 in Oracle PeopleSoft's Environment Management component to compromise organizations, with a strong focus on the higher education sector....
    Since November 2025, the Shai-Hulud V2 campaign has evolved significantly beyond typical software supply chain attacks. Over the last six months, the threat expanded from npm into PyPI and shifted focus from compromised maintainers to CI/CD abuse. The attackers undermined trust in SLSA provenance and OIDC-based publishing workflows without breaking cryptographic guarantees....
    A large-scale SEO poisoning campaign is exploiting Azure DNS zone takeovers through abandoned cloud NS delegations. The threat actor hijacked orphaned DNS zones and hosted Thai-language gambling content under the trusted domains of 163 organizations across 30+ countries, including government agencies, healthcare providers, financial institutions, and more....
    Threat actors are exploiting growing interest in artificial intelligence by distributing malicious files disguised as AI-related guides and learning materials. The attack uses a complex, multi-stage infection chain with heavily obfuscated scripts and AutoHotkey-based loaders to deploy a .NET RAT and AsyncRAT directly into memory, enabling remote access....
    OnionDrop is a sophisticated multi-stage malware loader designed to deliver InfoStealers such as LegionLoader (CurlyGate), CGrabber, and Vidar Stealer at scale....
    OP-512 is a newly identified, likely China-linked cyberespionage cluster that targeted a compromised IIS web server to conduct long-term intelligence-gathering operations....
    Our investigation of the malicious DurableTask packages revealed a sophisticated multi-stage supply chain attack targeting cloud-native and developer-centric environments....
    MLTBackdoor is a newly identified malware family likely associated with ransomware operations and delivered through a multi-stage ClickFix infection chain. The malware provides remote access capabilities such as file upload and download, while also supporting the execution of Beacon Object Files (BOFs) to dynamically extend its functionality....
    A Mustang Panda campaign delivers the PlugX RAT through a multi-stage infection chain starting with a malicious LNK file and PowerShell loader. The attack uses DLL sideloading, encrypted shellcode, API hashing, and in-memory execution techniques to evade detection and complicate analysis....
    Multiple threat groups, including the Russia-aligned Gamaredon (Earth Dahu) and SHADOW-EARTH-066, continue to exploit CVE-2025-8088, a patched WinRAR path traversal vulnerability, to target Ukrainian organizations....
    Between April and May 2026, Threat Research identified a likely North Korean threat actor targeting nearly 100 organizations across finance, cryptocurrency, education, technology, and other sectors. The activity cluster is tracked as UNK_DeadDrop. The phishing campaigns used developer recruitment and code review lures to attract victims....
    A critical authentication bypass vulnerability, CVE-2026-50751 (CVSS 9.3), affects Remote Access VPN and Mobile Access deployments that use the deprecated IKEv1 protocol. The flaw allows a remote, unauthenticated attacker to establish a VPN connection without valid credentials by exploiting a weakness in the certificate validation process....
    A China-linked cyber-espionage campaign attributed to UNC5221 targeted U.S. law firms and technology organizations. The attackers exploited zero-day vulnerabilities, deployed the BRICKSTORM backdoor, and maintained access for over a year to steal sensitive legal, trade, and national security information....
    Operation Dragon Weave is a suspected China-linked cyberespionage campaign targeting government officials and citizens in the Czech Republic and Taiwan through spearphishing emails containing malicious ZIP attachments....
    A multi-step ClickFix attack was detected using brand squatting, clipboard decoys, and multi-stage payloads disguised as logs or images. The threat actor registered lirunex[.]tech, mimicking the legitimate payment platform lirnunex.com, and launched an evasive attack....