Threat Research

    We detected active automated scans attempting to exploit CVE-2023-33538 in end-of-life TP-Link routers (TL-WR940N, TL-WR740N, TL-WR841N variants). The payloads involved Mirai-like malware designed to download and execute on vulnerable devices. This activity followed CISA adding the CVE to its Known Exploited Vulnerabilities catalog in June 2025....
    BlobPhish is an advanced credential-phishing campaign active since 2024 that generates phishing pages directly within the victim’s browser using in-memory blob objects, bypassing traditional network and file-based detection....
    Threat actors are abusing AI workflow automation platforms like n8n to conduct sophisticated phishing campaigns by sending automated emails that deliver malware and fingerprint victim devices. By leveraging trusted services and integrations with tools like Slack, Gmail, and AI models, attackers can bypass traditional security controls and scale their operations....
    Users searching for “TestDisk” are redirected via SEO poisoning to a malicious site (testdisk[.]dev). The site uses JavaScript to generate one-time URLs that deliver a fake “PhotoRec” installer. Victims download a ZIP and run testdisk-7.3.exe, which is actually a renamed Microsoft Setup binary....
    JanelaRAT is a malware family named after the Portuguese word “janela,” meaning “window.” It targets financial and cryptocurrency data from selected banks and institutions in Latin America. The malware is a modified version of BX RAT and has been active since June 2023....
    The supply chain compromise involving LiteLLM demonstrates how attackers, potentially leveraging social engineering tactics, injected malicious code that enabled unauthorized data access and potential command execution. It highlights how downstream users, including organizations like Mercor, were impacted due to implicit trust in the compromised dependency....
    A targeted social engineering campaign tracked as REF6598 abuses the Obsidian note-taking app to gain initial access, targeting individuals in the financial and cryptocurrency sectors via LinkedIn and Telegram. Victims are tricked into opening a shared vault with malicious plugins that silently execute code, leading to a multi-stage, fileless attack chain....
    A threat campaign has published over 200 malicious packages to NPM, using names like “huggingface-cli,” “webflow,” and “codeium.” These packages pose as a new AI coding agent called “Stardrop,” which gives the campaign its name. Detection began on April 9, with an average of 40+ new packages appearing daily....
    In this malware campaign, attackers distribute an infostealer by impersonating the legitimate OpenClaw AI tool. It leverages the ClickFix social engineering technique, tricking users into manually executing malicious commands and thereby bypassing browser security protections....
    A watering hole attack compromised the official CPUID website, replacing legitimate download links for popular tools like CPU-Z and HWMonitor with malicious versions....
    The Graphalgo campaign has resurfaced with more sophisticated tactics, using fake companies and GitHub organizations to create legitimacy for fraudulent job offers targeting developers. Victims are lured through coding tasks that include malicious dependencies from platforms like npm or PyPI, which execute during setup to deliver a remote access trojan (RAT)....
    Detects the Windows execution chain and process tree tied to the Axios NPM supply chain attack. On March 30, 2026, malicious versions (1.14.1 and 0.30.4) were published to npm. These versions injected a dependency (plain-crypto-js@4.2.1) that ran a postinstall RAT dropper....
    A malware campaign used a fake Adobe Acrobat Reader download to trick users into installing the legitimate ScreenConnect remote access tool for malicious purposes. The attack chain relies on heavy obfuscation and fileless techniques, including VBScript loaders, .NET reflection, and in-memory execution, to evade detection....
    BlankGrabber is a Python-based information stealer designed to extract sensitive data such as browser credentials, session tokens, and system details. Discovered in 2023 by security researchers, it is known for its modular design and fast evolution to evade detection. The malware is commonly spread through social engineering and phishing campaigns....
    Active phishing kit impersonates a national postal service e-commerce platform, mimicking four storefronts (unifone, masterfone, newphone, dogabilisim). We call this kit “Montana Empire,” based on a phrase found in its admin panel....