Threat Research

    GoBruteforcer is a Linux-based botnet that converts compromised servers into distributed scanners and password brute-force nodes targeting internet-exposed services such as phpMyAdmin, MySQL, PostgreSQL, and FTP....
    CrazyHunter ransomware has rapidly emerged as a serious and evolving threat, underscoring the growing sophistication of modern cybercriminal operations. We have been actively monitoring this ransomware since its first appearance and have observed its swift development and increasing adoption....
    PHALT#BLYX is a multi-stage malware campaign targeting the hospitality sector that relies on click-fix social engineering, fake CAPTCHAs, and fake BSOD pages delivered via Booking.com–themed phishing lures....
    Arkanix Stealer is an actively developed credential-stealing malware promoted mainly on Discord, where its operators advertise frequent updates and new features. Originally written in Python, the malware has evolved to include a C++ “Premium” version with expanded theft capabilities such as VPN and Steam accounts, screenshots, and Wi-Fi credentials....
    Tangerine Turkey utilizes VBScript-based worms that propagate laterally through removable media such as USB drives. The group relies on living-off-the-land binaries (LOLBins), including wscript.exe and printui.exe, to execute payloads and maintain persistence. To evade detection, they alter registry settings and disguise malicious executables as legitimate system files....
    This article presents a technical analysis of the VVS stealer (also known as VVS $tealer), focusing on its obfuscation and evasion techniques. Written in Python, the malware targets Discord users by exfiltrating credentials and authentication tokens. VVS stealer was actively developed and advertised for sale on Telegram as early as April 2025....
    Since December 2025, multiple incidents in Japan have been linked to the exploitation of React2Shell (CVE-2025-55182), a remote code execution flaw affecting React and Next.js applications. While most attacks deployed coin miners, investigators identified a previously undocumented malware named ZnDoor....
    UNG0801 is a persistent threat cluster originating from Western Asia that targets enterprise organizations in Israel using Hebrew-language phishing lures disguised as routine internal communications. The campaigns heavily rely on antivirus icon spoofing, abusing trusted brands such as SentinelOne and Check Point to gain user trust....
    Identifies suspicious child processes launched by Node.js server processes on Windows, which may signal exploitation of vulnerabilities such as CVE-2025-55182 (React2Shell)....
    A sophisticated phishing campaign targeting Indian entities has been attributed to the Chinese Silver Fox APT. The attackers used highly convincing Income Tax–themed lures to deliver malware through a complex kill chain involving DLL hijacking and the modular Valley RAT, enabling long-term persistence....
    UAC-0184, also known as Hive0156, is a Russia-aligned threat actor that conducts cyber operations against Ukraine using commercially available malware and lure documents. The group primarily targets Ukrainian military personnel by distributing weaponized LNK files or PowerShell scripts that result in Remcos malware infections....
    Over 90 days of honeypot monitoring, industrial routers emerged as the most targeted OT assets, accounting for 67% of attacks, mainly through SSH/Telnet brute force and HTTP-based exploitation....
    Identifies the execution of curl.exe using the file:// protocol to access and read local files....
    Researchers identified multiple attack campaigns abusing a GeoServer remote code execution flaw (CVE-2024-36401). The attackers indiscriminately scan the internet for exposed and vulnerable GeoServer instances. After gaining access, they install XMRig-based cryptocurrency miners on compromised servers....
    The Evasive Panda APT group conducted highly targeted campaigns between November 2022 and November 2024, abusing poisoned DNS responses to deliver its MgBot malware. The attackers leveraged adversary-in-the-middle (AitM) techniques to fetch encrypted malware components from attacker-controlled servers based on victim-specific DNS requests....