Threat Research

    Between 2024 and 2026, suspected China- and India-nexus threat actors targeted Pakistani law enforcement agencies. Attackers deployed malware like PlugX, ShadowPad, Cobalt Strike, and Remcos against Balochistan Police assets. Compromised systems included servers managing biometric data, national identity-linked registrations, and criminal records....
    GodDamn is the latest rebranded version of the Beast (formerly Monster) ransomware family, developed by the threat actor Hyadina. The attackers use AnyDesk for remote access, credential-stealing toolkits, and the Microsoft-signed PoisonX kernel driver to disable endpoint security through a BYOVD-style defense evasion technique before deploying the ransomware....
    Threat Research Team identified a targeted spear-phishing campaign using a fake aerospace-related business invoice delivered via a spoofed domain to deploy malware that silently configures AnyDesk for unattended remote access and persistence....
    Human-Driven Fraud: The Mexican banking operation REF6045 relies on active human operators to monitor infected devices. Malicious Entry Point: Victims are compromised via fake CAPTCHA pages that trick them into executing a harmful command. PowerShell Backbone: The initial command installs SCMBANKER, a PowerShell toolkit using components from late 2025....
    Threat actors are abusing fake Google and Cloudflare verification pages in evolving ClickFix campaigns to socially engineer users into executing malicious commands on their own systems. These campaigns distribute multiple malware families, including HijackLoader, StealC, Remus, Amatera Stealer, CastleLoader, NetSupport, and a Rust-based stealer....
    Victims are redirected via malicious advertisements or search results to fake CAPTCHA pages that use social engineering to trick them into copying and executing a malicious Bash command in the macOS Terminal. The downloaded update.sh script establishes persistence by installing a LaunchAgent through osascript and deploys a backdoor that executes at every user login....
    Researcher assesses UAT-7810 as a China-nexus APT that provides infrastructure support to other China-aligned threat actors, including UAT-5918. The group continues to enhance its custom malware ecosystem with LONGLEASH, DOGLEASH(shellcode-executing backdoor), LEASHTEST, and the Java-based JARLEASH backdoor....
    A financially motivated Vidar Stealer MaaS affiliate conducted a large-scale malvertising campaign targeting users in the U.S. and European Union with fake cracked software downloads....
    Since May 2026, a suspected China-aligned threat cluster named UNK_MassTraction has targeted Roundcube mailservers. The campaign specifically targets physics and engineering departments at US and Canadian universities. High-value targets include entities with national security ties or those studying astrophysics and particle physics....
    Millenium RAT v4 is a C++-based Remote Access Trojan (RAT) offered as a Malware-as-a-Service (MaaS) by the developer ShinyEnigma and actively deployed by the Y2K Operators threat cluster....
    Researchers identified a social engineering campaign impersonating the Indian Income Tax Department to deliver the ValleyRat Remote Access Trojan (RAT) through a multi-stage infection chain involving a malicious VHDX, DLL SideLoading, and encrypted in-memory payload execution....
    Salat Stealer is a stealthy, Go-based infostealer designed to compromise systems and extract data. It performs deep reconnaissance, profiling hardware, active processes, and environmental attributes. Moving beyond standard theft, it enables live desktop streaming and webcam/microphone monitoring....
    Researchers identified a large network of pirated sports streaming websites exploiting the popularity of the FIFA World Cup through mirror domains, cloud-hosted infrastructure, and domain rotation techniques to evade takedowns. The campaign also distributes fake Stremio installers (APK/EXE) and VPN-themed lures, exposing users to malware, scams, and affiliate-driven downloads....
    TeamPCP is a financially motivated cybercriminal group responsible for large-scale software supply chain attacks targeting trusted developer and security tools, including Trivy, KICS, LiteLLM, and the Telnyx Python SDK. By injecting malicious code into legitimate packages, the group deployed credential stealers, persistent backdoors, and self-propagating malware....
    Threat Discovery: A new phishing campaign has been uncovered, tied to an APT group dubbed Armored Likho (also known as Eagle Werewolf). Target Sectors: This targeted campaign focuses heavily on government agencies and the electric power sector. Global Footprint: The attacks span Russia, Brazil, and Kazakhstan, establishing the group as a global threat actor....
    Looking for Something?
    Threat Research Categories:
    Tags