Threat Research

    A malware campaign used a fake Adobe Acrobat Reader download to trick users into installing the legitimate ScreenConnect remote access tool for malicious purposes. The attack chain relies on heavy obfuscation and fileless techniques, including VBScript loaders, .NET reflection, and in-memory execution, to evade detection....
    BlankGrabber is a Python-based information stealer designed to extract sensitive data such as browser credentials, session tokens, and system details. Discovered in 2023 by security researchers, it is known for its modular design and fast evolution to evade detection. The malware is commonly spread through social engineering and phishing campaigns....
    Active phishing kit impersonates a national postal service e-commerce platform, mimicking four storefronts (unifone, masterfone, newphone, dogabilisim). We call this kit “Montana Empire,” based on a phrase found in its admin panel....
    A threat cluster tracked as UAT-10362 APT is conducting spear-phishing campaigns targeting Taiwanese NGOs and academic institutions, delivering a newly identified malware family called LucidRook. The malware uses a DLL-based stager embedding Lua and Rust components to execute staged payloads, with region-specific checks to target Traditional Chinese environments....
    SURXRAT abuses Android accessibility services to perform malicious actions such as keylogging, screen capture, and OTP interception. By using legitimate cloud services, the malware blends in with normal traffic, making detection more difficult. SURXRAT can remotely execute commands, exfiltrate sensitive data, and maintain persistent access to infected devices....
    Masjesu is a commercially operated IoT botnet active since 2023, offering DDoS-for-hire services through Telegram. It targets a wide range of routers and embedded devices across multiple architectures, using vulnerability exploitation and scanning for propagation....
    Iran-linked advanced persistent threat (APT) actors are exploiting internet-facing operational technology (OT) devices, including Rockwell/Allen-Bradley PLCs. Their actions have disrupted PLC operations across multiple U.S. critical infrastructure sectors. Attacks involve tampering with project files and altering data on HMI and SCADA systems....
    A newly identified malware called CrystalX is being distributed as malware-as-a-service (MaaS) through private Telegram channels, offering multiple subscription tiers to cybercriminals....
    Researchers uncovered an Android rootkit campaign called Operation Novoice targeting older vulnerabilities (2016–2021). Devices with security patches from May 2021 onward are protected from known exploits. However, even patched devices may have been exposed to unknown payloads via malicious apps. These apps, disguised as tools or games on Google Play, appeared normal to users....
    Endpoint Detection and Response (EDR) tools are more advanced than traditional antivirus and are widely used today. Attackers deploy EDR killers to bypass or disable these defenses, limiting visibility into system activity. As detection improves, attackers increasingly target security layers early in the attack lifecycle....
    Following the accidental leak of Anthropic’s Claude Code, threat actors quickly exploited the incident by creating fake “leaked” repositories to distribute malware such as Vidar stealer and GhostSocks....
    Oblivion Android RAT uses social engineering and fake update screens to trick users into installing a malicious app. It heavily abuses Android’s Accessibility Service to gain full control of the device and silently grant permissions. Once active, the malware can intercept SMS messages and OTP/2FA codes, log keystrokes, and monitor notifications....
    Labs recently identified a wave of LNK file attacks targeting users in South Korea. These campaigns use multi-stage scripts and rely on GitHub as C2 infrastructure to avoid detection. While similar LNK files date back to 2024, earlier versions were less obfuscated and easier to trace, linking them to XenoRAT distribution....
    In March 2026, Anthropic accidentally exposed the full source code of its Claude Code AI agent through a misconfigured npm package that included a large JavaScript source map file. The leak revealed hundreds of thousands of lines of unobfuscated code, exposing internal architecture, agent orchestration logic, and security-related components....
    Axios, a popular JavaScript HTTP client with massive weekly downloads, was compromised after an attacker took over the lead maintainer’s npm account. They released two malicious versions (1.14.1 and 0.30.4) embedding a cross-platform remote access trojan (RAT)....
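A check a practitioner would want after a release like this is whether any copy of axios resolved in a project's lockfile matches the trojanized versions the entry names, including transitive copies nested under other packages. The following is an added example, not code from the original page or from the axios project; it assumes only the two version numbers stated above, and the lockfiles it scans are constructed samples for illustration.

```python
"""Scan an npm package-lock.json for the axios versions named as malicious.

Added example, not code from the original page or from the axios project.
Assumes the two version numbers stated in the article (1.14.1 and 0.30.4);
the sample lockfiles below are constructed for illustration.
"""
import json
from typing import Iterator

# Versions the article names as the trojanized releases.
MALICIOUS_AXIOS_VERSIONS = {"1.14.1", "0.30.4"}


def iter_lockfile_packages(lock: dict) -> Iterator[tuple[str, str, str]]:
    """Yield (path, name, version) for every entry in a package-lock.json.

    Handles lockfileVersion 2/3 ("packages" map keyed by node_modules path)
    and lockfileVersion 1 ("dependencies" tree, possibly nested).
    """
    packages = lock.get("packages")
    if packages is not None:
        for path, meta in packages.items():
            if not path:  # "" is the root project itself, not a dependency
                continue
            # Aliased installs carry an explicit "name"; otherwise derive it
            # from the last node_modules/ segment (scoped names survive).
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            yield path, name, meta.get("version", "")
        return

    def walk(deps: dict, prefix: str):
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            yield path, name, meta.get("version", "")
            # Nested, deduplicated copies live under "dependencies".
            yield from walk(meta.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")


def find_malicious_axios(lock: dict, bad_versions=MALICIOUS_AXIOS_VERSIONS) -> list[str]:
    """Return lockfile paths whose resolved axios version is in bad_versions.

    Nested copies (a transitive dependency pinning its own axios) are checked
    too: a compromised transitive install still runs at install/runtime.
    """
    return [
        path
        for path, name, version in iter_lockfile_packages(lock)
        if name == "axios" and version in bad_versions
    ]


# Constructed sample: a v3 lockfile with a clean top-level axios and a
# trojanized copy pulled in transitively by a hypothetical package "some-sdk".
SAMPLE_LOCKFILE_V3 = json.loads("""
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/axios": {"version": "1.6.8"},
    "node_modules/some-sdk": {"version": "2.0.0"},
    "node_modules/some-sdk/node_modules/axios": {"version": "1.14.1"}
  }
}
""")

# Constructed sample: the older v1 format with the bad copy at top level.
SAMPLE_LOCKFILE_V1 = json.loads("""
{
  "name": "demo-app",
  "lockfileVersion": 1,
  "dependencies": {
    "axios": {"version": "0.30.4"},
    "some-sdk": {
      "version": "2.0.0",
      "dependencies": {"axios": {"version": "1.6.8"}}
    }
  }
}
""")


if __name__ == "__main__":
    for label, lock in (("v3", SAMPLE_LOCKFILE_V3), ("v1", SAMPLE_LOCKFILE_V1)):
        hits = find_malicious_axios(lock)
        print(f"{label}: {hits or 'no malicious axios found'}")
```

Against a real project, pass `json.load(open("package-lock.json"))` to `find_malicious_axios`; an empty list means no resolved copy of axios matches the named versions. The lockfile is the right artifact to check because it records what `npm ci` actually installs, including nested copies that `package.json` never mentions.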