Threat Research

In March and April 2026, threat actor TA4922 significantly increased its operational tempo. The team identified a series of campaigns demonstrating a major evolution in the actor's malware tooling. The attacker relied primarily on human resources and business-themed lures to target victims....

A large-scale software supply chain campaign dubbed Megalodon leveraged malicious GitHub Actions workflow modifications to steal sensitive credentials from affected repositories. Analysis revealed credential harvesting capabilities targeting GitHub tokens, cloud credentials, API keys, database secrets, and private keys....

WeedHack is a large-scale Malware-as-a-Service (MaaS) operation that targets Minecraft players through trojanized mods, clients, and cheats distributed via SEO poisoning, YouTube videos, and malicious websites....

The threat actor gains initial access through vishing attacks, impersonating internal IT staff to trick victims into entering their credentials and MFA codes on phishing pages. Once access is obtained, the actor quickly identifies and exfiltrates sensitive data from cloud services such as SharePoint and OneDrive, a tactic commonly observed among Com-affiliated groups....

Argamal is a newly identified malware family distributed through infected hentai games hosted on file-sharing platforms. Once a victim launches the game, a malicious implant is installed and later downloads additional Trojan payloads, enabling full system compromise and remote control by attackers....

In March, Labs identified a new Gafgyt botnet variant called C0XMO that spreads by exploiting CVE-2021-27137. Unlike earlier variants, C0XMO uses a separate Python script for lateral movement, improving propagation across different devices and architectures....

This research analyzes a ClickFix campaign leveraging the spoofed licensing-themed website canndelta.com to deliver the PureLogs stealer through malicious PowerShell commands. The attack uses Donut shellcode, fileless execution, RWX memory allocation, and in-memory .NET assembly loading to evade detection....

Hackers are increasingly abusing trusted platforms like YouTube and search engines to distribute malware. A newly uncovered campaign called "WeedHack" specifically targets Minecraft's massive player base. Minecraft's open ecosystem of mods and custom clients makes it a prime target for cybercriminals....

Operation FlutterBridge is a large-scale malvertising campaign targeting macOS users through malicious Google advertisements that distribute FlutterShell, a Flutter-based malware with both adware and backdoor capabilities....

A recent threat assessment has identified a highly advanced banking Trojan delivered through a malicious browser extension, specifically targeting Australian banking customers. Unlike conventional malware that disrupts systems or causes noticeable damage, this threat is designed to remain undetected....

Gamaredon, a Russian APT (Advanced Persistent Threat) group operated by the FSB, continues to conduct long-term cyberespionage campaigns targeting Ukrainian government, military, and critical infrastructure organizations....

TUXBOT v3 Evolution, also known as Akiru, is a previously undocumented modular IoT botnet framework designed for large-scale device compromise and DDoS-for-hire operations. The framework targets multiple IoT device families through vulnerability exploitation and extensive Telnet brute-forcing, supporting numerous hardware architectures and encrypted C2 communications....

In late April 2026, we were retained for incident response after a client detected unauthorized cryptocurrency miners on user workstations. Our investigation revealed the malware was delivered through illicit movie and TV streaming platforms using a deceptive video player plugin update....

First VPN Service was a criminally oriented VPN infrastructure that operated for over a decade and was widely used by ransomware groups and other cybercriminals to conduct network reconnaissance, intrusions, scanning, botnet activity, denial-of-service attacks, and scams....

In late April 2026, we were retained for incident response after a client detected unauthorized cryptocurrency miners on user workstations. Our investigation revealed the malware was delivered through illicit movie and TV streaming platforms using a deceptive video player plugin update....