Threat Research

    Identifies cases where the ArcGIS Server process (ArcSOC.exe), responsible for hosting REST services, creates files with suspicious types that may indicate executables, scripts, or other anomalous files....
    A renewed RTO/e-Challan phishing wave is actively targeting Indian vehicle owners through SMS-based lures that link to fake, browser-based portals mimicking official government services....
    Amadey is a malware loader active since 2018, commonly used to deploy second-stage payloads and infostealers. Historically, it has distributed payloads via GitHub repositories. Recent activity reveals a new campaign abusing a compromised, self-hosted GitLab instance to deliver the StealC infostealer....
    SantaStealer is a newly emerging malware-as-a-service infostealer promoted on Telegram and underground forums, with a planned release before the end of 2025. Recently rebranded from BluelineStealer, it is designed to steal credentials, documents, wallets, and application data while operating entirely in memory to evade detection....
    Identifies script interpreters, command-line utilities, and other potentially suspicious child processes spawned by ArcSOC.exe. ArcSOC.exe is the process responsible for hosting ArcGIS Server REST services....
    LongNosedGoblin is a newly identified China-aligned APT group focused on cyberespionage against governmental institutions in Southeast Asia and Japan. Active since at least September 2023, the group leverages Windows Group Policy to deploy malware and move laterally within compromised networks, while using cloud services like OneDrive and Google Drive for command-and-control....
    This campaign has been active since at least September 2025 and leverages multiple web hosting platforms. Instead of harvesting usernames and passwords, the phishing pages employ an alternative approach. An embedded video guides victims to extract authentication tokens from their browser cookies and paste them into a pop-up form under the guise of verification....
    BlindEagle launched a spear-phishing campaign targeting a Colombian government agency under the Ministry of Commerce, Industry and Tourism (MCIT), using emails sent from a compromised internal account to bypass security controls....
    RansomHouse is a ransomware-as-a-service operation run by the group known as Jolly Scorpius. Recent malware samples show a major upgrade in the group’s encryption capabilities. This analysis examines the encryption changes and their implications for defenders. Jolly Scorpius employs a double extortion model, combining data theft with file encryption....
    UAT-9686, a suspected Chinese-nexus APT actor, is actively targeting Cisco Secure Email Gateway (AsyncOS/ESA) and Cisco Secure Email and Web Manager (SMA). The group exploits non-standard appliance configurations to deploy a custom persistence tool called AquaShell, along with reverse tunneling and log-cleaning utilities to maintain stealthy, long-term access....
    Detects instances where a web browser process opens an HTML file from a user’s Downloads folder. This behavior may be indicative of phishing activity, in which threat actors distribute HTML attachments to users. Opening such attachments can result in the execution of malicious scripts or the delivery of malware....
    In mid-August 2025, researchers observed the misuse of the legitimate Velociraptor DFIR tool as part of suspected ransomware precursor activity. Further investigation across customer environments indicated with high confidence an intent to deploy Warlock ransomware. Warlock is operated by the cybercrime group tracked as GOLD SALEM....
    BlackForce is an actively evolving phishing kit first observed in August 2025, designed to conduct advanced Man-in-the-Browser (MitB) attacks that enable real-time bypass of multi-factor authentication (MFA). It has been used to impersonate over 11 major brands, including Disney, Netflix, DHL, and UPS....
    On December 3, 2025, a critical unauthenticated RCE vulnerability in React Server Components, tracked as CVE-2025-55182 (“React2Shell”), was publicly disclosed. Shortly thereafter, the team observed widespread exploitation by diverse threat actors, from cybercriminals to suspected espionage groups....
    Ashen Lepus (aka WIRTE), an APT linked to Hamas-affiliated interests, has conducted a long-running espionage campaign against governmental and diplomatic organizations across the Middle East....