Threat Research

Researchers uncovered multiple cyber-espionage campaigns targeting a Southeast Asian government organization. The investigation traced Stately Taurus activity (June–Aug 2025), involving USB-spread USBFect (HIUPAN) malware deploying a PUBLOAD backdoor....

A supply chain attack compromised the LiteLLM AI proxy package on PyPI, with malicious versions delivering a multi-stage payload that harvested credentials, enabled Kubernetes lateral movement, and established persistent backdoor access for remote code execution....

A stealthy malware campaign is abusing digitally signed remote monitoring and management (RMM) tools to gain persistent access and evade detection. The attack leverages legitimate file-hosting updater mechanisms to execute cloud-syncing processes, enabling disguised traffic and potential data exfiltration....

Pawn Storm, a Russia-aligned APT group, is targeting Ukraine’s defense supply chain and allied nations. It deploys PRISMEX, a modular malware suite using steganography, COM hijacking, and cloud-based C2. The group exploited multiple flaws, including a Windows zero-day (CVE-2026-21513). Malicious .lnk files via CVE-2026-21509 may chain with CVE-2026-21513, per Akamai findings....

An active phishing campaign is impersonating a cloud file storage service and major e-signature platforms. Instead of stealing passwords, it exploits Microsoft’s legitimate Device Code OAuth flow. Victims are tricked into entering a verification code on Microsoft’s real login page. The attacker intercepts OAuth tokens, gaining persistent access to accounts and data....

A targeted campaign is using phishing emails with fake resume (CV) attachments to infect French-speaking corporate environments with heavily obfuscated VBScript malware....

AVrecon malware has been used to compromise routers and IoT devices across more than 160 countries, enabling threat actors to convert infected systems into residential proxies. These compromised devices were sold through the SocksEscort service, which facilitated access to hundreds of thousands of infected endpoints since 2020....

Researchers are tracking ongoing Contagious Interview campaign activity by NICKEL ALLEY, a North Korea–linked threat group. The group targets tech professionals using fake job postings and deceptive interview processes. Victims are tricked into downloading malware during these staged recruitment steps....

A large-scale malware campaign leveraged AI-driven “vibe coding” to generate malicious code components, lowering the barrier for threat actors to create and distribute malware. The campaign used hundreds of malicious ZIP files impersonating popular software—such as AI tools, game mods, and utilities—to deliver multiple variants of the WinUpdateHelper.dll payload....

UNC2814 is a PRC-aligned cyber espionage group active since at least 2017. It targets telecom and government sectors to steal communications intelligence and PII. The group has operated in 42 confirmed countries and over 70 suspected across multiple regions Africa, Asia, and the Americas....

In late February 2026, analysts detected malicious activity on Android devices linked to the Keenadu backdoor. Keenadu is a firmware-level infection embedded in libandroid_runtime.so, injecting itself into the Zygote process. Since Zygote spawns all apps, this gives attackers near-total control over infected devices....

EDR killers have become a standard component of modern ransomware attacks, used by affiliates to disable security tools before deploying encryption payloads. While the BYOVD technique remains common, attackers increasingly adopt driverless methods, legitimate utilities, and customizable kits to evade detection....

In December 2025, Labz discovered a new C2 implant called SnappyClient, delivered via HijackLoader. SnappyClient is a C++-based malware that enables remote access and extensive data theft. Its capabilities include keylogging, screenshots, remote terminal access, and stealing data from browsers and applications....

DarkSword is a sophisticated iOS full-chain exploit leveraging multiple zero-day vulnerabilities to fully compromise devices running iOS 18.4 to 18.7. Since late 2025, it has been used by commercial surveillance vendors and state-sponsored actors across campaigns targeting regions including Saudi Arabia, Turkey, Malaysia, and Ukraine....

A financially motivated threat group tracked as Hive0163 has been observed using a likely AI-generated malware called Slopoly during ransomware attacks, marking an early example of AI-driven malware development in real-world operations....