Threat Research

In mid-August 2025, researchers observed the misuse of the legitimate Velociraptor DFIR tool as part of suspected ransomware precursor activity. Further investigation across customer environments indicated with high confidence an intent to deploy Warlock ransomware. Warlock is operated by the cybercrime group tracked as GOLD SALEM....

BlackForce is an actively evolving phishing kit first observed in August 2025, designed to conduct advanced Man-in-the-Browser (MitB) attacks that enable real-time bypass of multi-factor authentication (MFA). It has been used to impersonate over 11 major brands, including Disney, Netflix, DHL, and UPS....

On December 3, 2025, a critical unauthenticated RCE vulnerability in React Server Components, tracked as CVE-2025-55182 (“React2Shell”), was publicly disclosed. Shortly thereafter, the team observed widespread exploitation by diverse threat actors, from cybercriminals to suspected espionage groups....

Ashen Lepus (aka WIRTE), an APT linked to Hamas-affiliated interests, has conducted a long-running espionage campaign against governmental and diplomatic organizations across the Middle East....

During October and November 2025, a series of campaigns targeting the energy, defense, pharmaceutical, and cybersecurity sectors displayed traits consistent with earlier operations linked to Void Rabisu (also known as ROMCOM, Tropical Scorpius, or Storm-0978)....

A financially motivated threat actor deploying DeadLock ransomware has adopted new tactics, including a previously unknown BYOVD loader that exploits Baidu Antivirus driver vulnerability CVE-2024-51324 to disable EDR protections....

In June 2025, we identified a new ransomware family called 01flip targeting a small set of victims in the Asia-Pacific region. Written entirely in Rust, it leverages cross-compilation to support multiple platforms. The attackers appear to be financially motivated and likely executed the operation manually....

We identified a new social-engineering tactic employed by the Belarusian threat actor White Lynx (also known as Ghostwriter, Storm-0257, UNC1151). The method relies on a malicious macro embedded in a Word document designed to evade detection and analysis. Once macros are enabled, the user is presented with a fake CAPTCHA window prompting them to validate a six-character string....

A critical React Server Components vulnerability, CVE-2025-55182, allows unauthenticated remote code execution and has already been exploited in the wild. Attackers have conducted automated scanning, reconnaissance, credential theft, and deployed malicious scripts, droppers, and reverse shells, including activity linked to a PRC-associated access broker....

ClickFix is a social-engineering technique that tricks users into pasting malicious scripts—often injected into the clipboard through pastejacking—into terminals or run windows, leading to system compromise. Since September 2025, detections have surged to over 200 compromised sites daily, driven by lures that mimic Google’s “Aw Snap!” error or fake browser update pages....

UDPGangster is a UDP-based backdoor linked to the MuddyWater threat group, active in cyber-espionage across the Middle East. It enables remote control of infected systems, supporting command execution, file exfiltration, and payload delivery over stealthy UDP channels. Recent campaigns have targeted users in Turkey, Israel, and Azerbaijan....

WARP PANDA is a newly identified, highly advanced China-nexus threat actor targeting VMware vCenter and ESXi environments across U.S. organizations in 2025. The group demonstrates strong technical skill, exceptional OPSEC, and deep expertise in cloud and virtualized systems....

BRICKSTORM is an advanced backdoor targeting VMware vSphere, including vCenter servers and ESXi, as well as Windows systems. The actors specifically focused on compromising VMware vSphere platforms. After gaining access, they used the vCenter console to steal VM snapshots for credential harvesting and to create hidden rogue VMs....

CVE-2025-55182 is a critical prototype-pollution vulnerability affecting React Server Components (RSC) and Next.js Server Actions. Attackers can inject special object-manipulation properties—such as __proto__ or constructor—into RSC headers, parameters, or JSON request bodies....

Despite U.S. sanctions, Intellexa continues selling its Predator spyware and remains one of the most aggressive exploit operators, rapidly developing or acquiring mobile zero-days....