Threat Research

A newly identified set of China-aligned campaigns is targeting government entities and critical infrastructure across South, East, and Southeast Asia, plus one NATO member state. This activity is being tracked as SHADOW-EARTH-053....

The increasing reliance on AI has led to a surge in AI-driven tools. However, these platforms can also be exploited for malicious purposes, as demonstrated in the case of Kuse.ai. While Kuse is generally regarded as a reliable workplace solution, threat actors continuously develop new social engineering tactics....

We identified phishing emails falsely claiming mailbox storage limits are exceeded. They include shortened links that redirect to fake “Cloud” storage pages. The messages use urgent language like “Cloud storage is full” and “Permanent data loss warning.” Users are pressured through multiple redirects to pages mimicking real cloud dashboards....

In March 2026, we identified over twenty phishing apps on the Apple App Store posing as well-known crypto wallets. After being opened, these apps redirect users to web pages that mimic the App Store and deliver tampered versions of legitimate wallet applications. These malicious apps are deliberately built to capture recovery phrases and private keys....

The Xinference PyPI supply chain attack involved malicious package versions (2.6.0–2.6.2) that executed hidden, obfuscated code when imported. The payload used techniques like base64 encoding to evade detection and silently run in the background....

Kali365 is a newly emerged phishing-as-a-service (PhaaS) kit that abuses OAuth device code registration flows to conduct large-scale credential phishing campaigns. Distributed through Telegram, the platform offers advanced capabilities including mailbox scanning, phishing page generation, and AI-powered chatbot assistance for creating convincing lures....

The npm ecosystem hit a critical turning point in September 2025. The Shai-Hulud worm, a self-replicating malware, automated the spread of compromised packages. This marked the shift from minor disruptions to serious, high-impact threats. Since then, supply chain attacks have rapidly increased in frequency and sophistication....

DinDoor, a malware variant linked to the Tsundere botnet and associated with the Iranian APT group Seedworm(MuddyWater), leverages the Deno runtime to execute obfuscated JavaScript for command-and-control communication and victim fingerprinting. Delivered via MSI installers, it exploits gaps in monitoring for less commonly tracked runtimes....

UNC6692 conducted a multi-stage intrusion campaign using persistent social engineering, impersonating IT helpdesk staff via Microsoft Teams to trick victims into installing a fake fix for email issues. The attack delivered AutoHotKey-based loaders that executed scripts and deployed a malicious browser extension (SNOWBELT) for persistence and control....

On March 12, 2026, ThreatLabz identified a malicious ZIP archive that used military-themed documents as bait to target Chinese-speaking users. The operation relied on a tampered SumatraPDF executable to deliver an AdaptixC2 Beacon, which eventually led to the installation of Visual Studio Code on compromised systems....

A new variant of the LOTUSLITE backdoor, attributed with moderate confidence to Mustang Panda, is targeting India’s banking sector using DLL sideloading with legitimate Microsoft-signed executables. The malware communicates with a dynamic DNS-based C2 over HTTPS and enables remote shell access, file operations, and session control, indicating espionage-driven objectives....

The attack starts with SEO poisoning, luring users searching for YubiKey Manager into downloading a malicious ISO file. It then executes a complex chain using DLL sideloading and PowerShell to evade defenses by adding Windows Defender exclusions. An obfuscated AutoIt script disguised as Health.exe decrypts and decompresses the Lumma Stealer payload....

Void Dokkaebi (Famous Chollima) has advanced from targeted social engineering into a self-spreading supply chain threat. Compromised developer repositories act as infection hubs, propagating malware across the developer ecosystem like a worm. It exploits trusted workflows using malicious VS Code tasks and injected code that runs during normal development....

Threat actors are increasingly abusing the open-source virtualization tool QEMU as a Living-off-the-Land (LOLBins) technique to conceal malicious activity within virtual machines, effectively bypassing endpoint security and reducing forensic visibility on host systems....

The team tracked a cargo theft threat actor’s post-compromise activity for over a month within a decoy environment run by Deception.pro. The attacker used multiple remote access tools to maintain persistence, including a previously unknown signing-as-a-service capability....