Threat Research

The Shadow Campaigns reveal a highly sophisticated, state-aligned cyberespionage group tracked as TGR-STA-1030, assessed to operate out of Asia and responsible for extensive compromises of government and critical infrastructure organizations worldwide....

Labz identified Marco Stealer in June 2025 as an information stealer targeting browser data, crypto wallets, and sensitive local and cloud files. It profiles infected systems by collecting hardware IDs, OS versions, IP addresses, and geolocation details. The malware uses named pipes to coordinate communication between its internal components....

APT28, a Russian state-sponsored threat group also known as Fancy Bear or UAC-0001, is conducting a sophisticated espionage campaign against European military and government entities. The operation primarily targets maritime and transportation organizations in Poland, Slovenia, Turkey, Greece, the UAE, and Ukraine....

Rublevka Team is a large-scale, affiliate-driven crypto-theft operation active since 2023 that has generated over $10 million by luring victims with fake promotions or airdrops and tricking them into signing wallet-draining transactions....

The Notepad++ supply chain attack exploited a compromised update infrastructure to deliver malicious updates through multiple, constantly rotating execution chains, C2 servers, and payloads....

ClickFix-based campaigns have employed a rotating set of commands for clipboard-injected content. In late December 2025, the KongTuke campaign incorporated DNS TXT records within its ClickFix text. These campaigns regularly shift between ClickFix techniques, including the finger protocol and mshta....

ShadowHS is a stealth-focused, fileless Linux intrusion framework derived from the original hackshell utility and designed for long-term, interactive operator control. It executes entirely in memory using a highly obfuscated loader, leaving no disk artifacts while prioritizing host fingerprinting, defensive evasion, and operator safety before enabling higher-risk actions....

In January 2026, Uncovered an in-the-wild campaign dubbed Operation Neusploit targeting Central and Eastern Europe. The attackers used malicious Microsoft RTF files to exploit CVE-2026-21509 and deploy backdoors via a multi-stage infection chain....

The team observed increased threat activity matching tactics linked to previous ShinyHunters extortion campaigns. These operations rely heavily on advanced voice phishing (vishing) techniques. Attackers use victim-branded credential harvesting sites to capture SSO credentials and MFA codes. With initial access gained, they pivot into corporate cloud environments....

A phishing campaign is leveraging SEO poisoning to push fake traffic ticket search portals to the top of search engine results. The fraudulent sites impersonate the Government of Canada and multiple provincial agencies to lure victims into searching for and paying supposed outstanding traffic violations....

UAT-8099 is an active threat actor targeting vulnerable Internet Information Services (IIS) servers across Asia, with a strong focus on Thailand and Vietnam from late 2025 to early 2026. The campaign shows significant overlap with the WEBJACK operation, sharing malware hashes, C2 infrastructure, and victimology....

TA584 stands out in the cybercrime landscape, highlighting the limits of static detection against rapidly evolving threat actors. It operates as a major initial access broker, targeting organizations worldwide. In the second half of 2025, the group significantly modified its attack chains....

Labs identified a web shell dubbed “EncystPHP” with advanced capabilities such as remote command execution, persistence, and web shell deployment. The attacks began in early December last year and spread through exploitation of the FreePBX vulnerability CVE-2025-64328. The activity is linked to the hacker group INJ3CTOR3, first observed in 2020 targeting CVE-2019-19006....

Multiple threat actors, including Russia- and China-linked state-sponsored groups as well as financially motivated attackers, are actively exploiting the critical CVE-2025-8088 flaw in WinRAR. The vulnerability, patched in July 2025, allows path traversal to drop malicious files into the Windows Startup folder, enabling persistence and payload delivery....

We uncovered an attack chain that uses SEO poisoning to lure users searching for legitimate software. Threat actors abuse GitHub by hosting malicious ZIP files in fake repositories. These archives impersonate real applications and include a harmful batch (.bat) file....