Threat Research

    Multiple threat groups, including the Russia-aligned Gamaredon (Earth Dahu) and SHADOW-EARTH-066, continue to exploit CVE-2025-8088, a patched WinRAR path traversal vulnerability, to target Ukrainian organizations....
    Between April and May 2026, Threat Research identified a likely North Korean threat actor targeting nearly 100 organizations across finance, cryptocurrency, education, technology, and other sectors. The activity cluster is tracked as UNK_DeadDrop. The phishing campaigns used developer recruitment and code review lures to attract victims....
    A critical authentication bypass vulnerability, CVE-2026-50751 (CVSS 9.3), affects Remote Access VPN and Mobile Access deployments that use the deprecated IKEv1 protocol. The flaw allows a remote, unauthenticated attacker to establish a VPN connection without valid credentials by exploiting a weakness in the certificate validation process....
    A China-linked cyber-espionage campaign attributed to UNC5221 targeted U.S. law firms and technology organizations. The attackers exploited zero-day vulnerabilities, deployed the BRICKSTORM backdoor, and maintained access for over a year to steal sensitive legal, trade, and national security information....
    Operation Dragon Weave is a suspected China-linked cyberespionage campaign targeting government officials and citizens in the Czech Republic and Taiwan through spearphishing emails containing malicious ZIP attachments....
    A multi-step ClickFix attack was detected using brand squatting, clipboard decoys, and multi-stage payloads disguised as logs or images. The threat actor registered lirunex[.]tech, mimicking the legitimate payment platform lirnunex.com, and launched an evasive attack....
    In March and April 2026, threat actor TA4922 significantly increased its operational tempo. The team identified a series of campaigns demonstrating a major evolution in the actor's malware tooling. The attacker relied primarily on human resources and business-themed lures to target victims....
    A large-scale software supply chain campaign dubbed Megalodon leveraged malicious GitHub Actions workflow modifications to steal sensitive credentials from affected repositories. Analysis revealed credential harvesting capabilities targeting GitHub tokens, cloud credentials, API keys, database secrets, and private keys....
    WeedHack is a large-scale Malware-as-a-Service (MaaS) operation that targets Minecraft players through trojanized mods, clients, and cheats distributed via SEO poisoning, YouTube videos, and malicious websites....
    The threat actor gains initial access through vishing attacks, impersonating internal IT staff to trick victims into entering their credentials and MFA codes on phishing pages. Once access is obtained, the actor quickly identifies and exfiltrates sensitive data from cloud services such as SharePoint and OneDrive, a tactic commonly observed among Com-affiliated groups....
    Argamal is a newly identified malware family distributed through infected hentai games hosted on file-sharing platforms. Once a victim launches the game, a malicious implant is installed and later downloads additional Trojan payloads, enabling full system compromise and remote control by attackers....
    In March, Labs identified a new Gafgyt botnet variant called C0XMO that spreads by exploiting CVE-2021-27137. Unlike earlier variants, C0XMO uses a separate Python script for lateral movement, improving propagation across different devices and architectures....
    This research analyzes a ClickFix campaign leveraging the spoofed licensing-themed website canndelta.com to deliver the PureLogs stealer through malicious PowerShell commands. The attack uses Donut shellcode, fileless execution, RWX memory allocation, and in-memory .NET assembly loading to evade detection....
    Hackers are increasingly abusing trusted platforms like YouTube and search engines to distribute malware. A newly uncovered campaign called "WeedHack" specifically targets Minecraft's massive player base. Minecraft's open ecosystem of mods and custom clients makes it a prime target for cybercriminals....
    Operation FlutterBridge is a large-scale malvertising campaign targeting macOS users through malicious Google advertisements that distribute FlutterShell, a Flutter-based malware with both adware and backdoor capabilities....