Threat Research

In March 2026, we identified over twenty phishing apps on the Apple App Store posing as well-known crypto wallets. After being opened, these apps redirect users to web pages that mimic the App Store and deliver tampered versions of legitimate wallet applications. These malicious apps are deliberately built to capture recovery phrases and private keys...

The Xinference PyPI supply chain attack involved malicious package versions (2.6.0–2.6.2) that executed hidden, obfuscated code when imported. The payload used techniques like base64 encoding to evade detection and silently run in the background...

Kali365 is a newly emerged phishing-as-a-service (PhaaS) kit that abuses OAuth device code registration flows to conduct large-scale credential phishing campaigns. Distributed through Telegram, the platform offers advanced capabilities including mailbox scanning, phishing page generation, and AI-powered chatbot assistance for creating convincing lures...

The npm ecosystem hit a critical turning point in September 2025. The Shai-Hulud worm, a self-replicating malware, automated the spread of compromised packages. This marked the shift from minor disruptions to serious, high-impact threats. Since then, supply chain attacks have rapidly increased in frequency and sophistication...

DinDoor, a malware variant linked to the Tsundere botnet and associated with the Iranian APT group Seedworm (MuddyWater), leverages the Deno runtime to execute obfuscated JavaScript for command-and-control communication and victim fingerprinting. Delivered via MSI installers, it exploits gaps in monitoring for less commonly tracked runtimes...

UNC6692 conducted a multi-stage intrusion campaign using persistent social engineering, impersonating IT helpdesk staff via Microsoft Teams to trick victims into installing a fake fix for email issues. The attack delivered AutoHotKey-based loaders that executed scripts and deployed a malicious browser extension (SNOWBELT) for persistence and control...

On March 12, 2026, ThreatLabz identified a malicious ZIP archive that used military-themed documents as bait to target Chinese-speaking users. The operation relied on a tampered SumatraPDF executable to deliver an AdaptixC2 Beacon, which eventually led to the installation of Visual Studio Code on compromised systems...

A new variant of the LOTUSLITE backdoor, attributed with moderate confidence to Mustang Panda, is targeting India’s banking sector using DLL sideloading with legitimate Microsoft-signed executables. The malware communicates with a dynamic DNS-based C2 over HTTPS and enables remote shell access, file operations, and session control, indicating espionage-driven objectives...

The attack starts with SEO poisoning, luring users searching for YubiKey Manager into downloading a malicious ISO file. It then executes a complex chain using DLL sideloading and PowerShell to evade defenses by adding Windows Defender exclusions. An obfuscated AutoIt script disguised as Health.exe decrypts and decompresses the Lumma Stealer payload...

Void Dokkaebi (Famous Chollima) has advanced from targeted social engineering into a self-spreading supply chain threat. Compromised developer repositories act as infection hubs, propagating malware across the developer ecosystem like a worm. It exploits trusted workflows using malicious VS Code tasks and injected code that runs during normal development...

Threat actors are increasingly abusing the open-source virtualization tool QEMU as a Living-off-the-Land binary (LOLBin) to conceal malicious activity within virtual machines, effectively bypassing endpoint security and reducing forensic visibility on host systems...

The team tracked a cargo theft threat actor’s post-compromise activity for over a month within a decoy environment run by Deception.pro. The attacker used multiple remote access tools to maintain persistence, including a previously unknown signing-as-a-service capability...

CrySome RAT represents a modular, userland-focused post-exploitation framework emphasizing persistence, evasion, and operator control (keylogger, credential harvesting, RDP, HVNC). While it does not exhibit kernel-level sophistication, its combination of defense evasion techniques and surveillance capabilities makes it effective against poorly monitored environments...

PureRAT is a sophisticated remote access trojan that uses a multi-stage, fileless infection chain initiated by a malicious LNK file and PowerShell commands. It employs steganography to hide payloads within PNG images, along with techniques like UAC bypass, process hollowing, and anti-VM checks to evade detection...

IoT devices are increasingly targeted for large-scale attacks due to widespread use, poor patching, and weak security. Threat actors exploit known vulnerabilities to gain access and deploy persistent malware. These infections can spread across devices and enable DDoS attacks. A recent campaign abused CVE-2024-3721 in TBK DVR devices to deliver the Nexcorium Mirai variant...