Threat Research

    Throughout 2025, Chinese-speaking threat group CL-STA-1062 targeted Southeast Asian government entities and critical energy infrastructure. The attackers have been active since at least March 2022, demonstrating a long-term regional focus. High-confidence assessments link this group to UAT-7237, which attacked Taiwanese web hosting infrastructure in mid-2025....
    Russia-aligned APT group Gamaredon maintained an aggressive cyberespionage campaign throughout 2025, targeting Ukrainian government and military organizations with large-scale spearphishing attacks and new PowerShell-based malware....
    Software supply-chain attacks have evolved from isolated package compromises into sophisticated campaigns targeting developer ecosystems through credential theft, repository compromise, and CI/CD abuse. The Shai-Hulud activity cluster and its evolution into Mini Shai-Hulud demonstrate this shift, culminating in the modular Miasma framework for multi-ecosystem propagation....
    In early 2026, the team uncovered a threat actor targeting a service provider's SD-WAN infrastructure. After securing initial access, the actor exploited a zero-day vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN—specifically leveraging an unfiltered file upload feature to escalate privileges from an administrative account to root level....
    Researchers discovered a previously undocumented malware loader named SharkLoader while investigating activity targeting a diplomatic organization in Indonesia....
    A threat actor associated with Payouts King ransomware is using Edgecution, a malicious Microsoft Edge extension, to gain initial access through social engineering. The malware abuses the Chrome Native Messaging protocol to bypass browser sandbox restrictions, enabling a Python-based backdoor to execute arbitrary code, access the file system, and collect system information....
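The Native Messaging abuse described above works because an extension can only reach outside the browser sandbox through a host program that is declared in a manifest on disk, so those manifests are a natural place to hunt. The following triage script is an added example, not code from the Edgecution write-up or from any browser vendor: it loads every manifest in a NativeMessagingHosts directory and flags hosts that are generic script interpreters, that live in user-writable locations, or that are reachable from an extension ID outside a local allow-list. The manifest locations in the docstring are assumed from Chromium's documented layout, and both sample manifests and their extension IDs are constructed.

```python
"""Triage Chromium (Edge/Chrome) native messaging host manifests.

Added example, not code from the Edgecution write-up. Native messaging lets an
extension launch a host program that runs outside the browser sandbox and talk
to it over stdin/stdout. A manifest file declares that host, so a malicious
extension that wants a local backdoor needs one somewhere on disk. Known
manifest locations (assumed from Chromium's documented layout):
  Windows  registry HKCU/HKLM\\Software\\Microsoft\\Edge\\NativeMessagingHosts\\<name>,
           whose default value is the manifest path
  macOS    ~/Library/Application Support/Microsoft Edge/NativeMessagingHosts/<name>.json
  Linux    ~/.config/microsoft-edge/NativeMessagingHosts/<name>.json
"""
import json
import re
import tempfile
from pathlib import Path

# Host binaries that are generic interpreters rather than purpose-built hosts.
INTERPRETERS = re.compile(
    r"(python(w|3)?|pwsh|powershell|cmd|wscript|cscript|mshta|node|bash|sh|osascript)(\.exe)?",
    re.IGNORECASE,
)
SCRIPT_EXTENSIONS = (".py", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".hta", ".sh")
# Path fragments that indicate a location an unprivileged user can write to.
WRITABLE_HINTS = re.compile(
    r"(\\AppData\\|\\Temp\\|\\Users\\Public\\|/tmp/|/var/tmp/|/home/[^/]+/|/Users/[^/]+/)",
    re.IGNORECASE,
)
ORIGIN = re.compile(r"^chrome-extension://([a-p]{32})/$")


def _basename(path: str) -> str:
    """Last path component regardless of which OS wrote the manifest."""
    return re.split(r"[\\/]", path)[-1]


def triage_manifest(manifest: dict, known_extension_ids: set[str]) -> list[str]:
    """Return human-readable findings for one manifest; an empty list means nothing odd."""
    findings = []
    path = str(manifest.get("path", ""))
    name = _basename(path)

    if manifest.get("type") != "stdio":
        findings.append(f"unexpected host type {manifest.get('type')!r}")
    if INTERPRETERS.fullmatch(name):
        findings.append(f"host is a script interpreter: {name}")
    elif name.lower().endswith(SCRIPT_EXTENSIONS):
        findings.append(f"host is a script, not a binary: {name}")
    if WRITABLE_HINTS.search(path):
        findings.append(f"host lives in a user-writable location: {path}")

    origins = manifest.get("allowed_origins") or []
    if not origins:
        findings.append("no allowed_origins declared")
    for origin in origins:
        m = ORIGIN.match(str(origin))
        if not m:
            findings.append(f"malformed allowed origin: {origin!r}")
        elif m.group(1) not in known_extension_ids:
            findings.append(f"allowed origin not in allow-list: {m.group(1)}")
    return findings


def scan_manifest_dir(directory: Path, known_extension_ids: set[str]) -> dict[str, list[str]]:
    """Triage every *.json manifest in a NativeMessagingHosts directory."""
    results = {}
    for manifest_file in sorted(directory.glob("*.json")):
        try:
            manifest = json.loads(manifest_file.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            results[manifest_file.name] = [f"unreadable manifest: {exc}"]
            continue
        results[manifest_file.name] = triage_manifest(manifest, known_extension_ids)
    return results


# Constructed sample manifests (not real products, not real extension IDs).
BENIGN_MANIFEST = {
    "name": "com.example.vault",
    "description": "Example password-manager host",
    "path": "C:\\Program Files\\ExampleVault\\vault_host.exe",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"],
}
SUSPECT_MANIFEST = {
    "name": "com.update.helper",
    "description": "Update helper",
    "path": "C:\\Users\\alice\\AppData\\Roaming\\Helper\\pythonw.exe",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://ponmlkjihgfedcbaponmlkjihgfedcba/"],
}
KNOWN_EXTENSION_IDS = {"abcdefghijklmnopabcdefghijklmnop"}


def demo() -> dict[str, list[str]]:
    """Write the samples to a temp dir and scan it, as you would a real host directory."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "com.example.vault.json").write_text(json.dumps(BENIGN_MANIFEST), encoding="utf-8")
        (d / "com.update.helper.json").write_text(json.dumps(SUSPECT_MANIFEST), encoding="utf-8")
        return scan_manifest_dir(d, KNOWN_EXTENSION_IDS)


if __name__ == "__main__":
    for fname, findings in demo().items():
        print(fname, "->", findings or "clean")
```

Point `scan_manifest_dir` at the real host directory for the profile under review and seed `KNOWN_EXTENSION_IDS` from the extensions your fleet actually deploys; an interpreter-as-host finding is the one most worth chasing, since a legitimate vendor ships a purpose-built binary rather than a bare `pythonw.exe`.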
    Researchers identified multiple malicious skills on OpenClaw’s ClawHub marketplace that abused the AI agent ecosystem to deliver macOS infostealers, evade security scanning, and conduct novel agentic attacks such as runtime affiliate injection and agentic front-running for financial gain....
    We detected a cryptocurrency-mining campaign exploiting CVE-2026-33017, an unauthenticated RCE vulnerability in Langflow. The attack marks a shift in delivery vectors, specifically targeting exposed AI application endpoints. The malware disables host-level security controls, deploys a custom miner, and establishes persistence....
    A social engineering–driven malware campaign impersonates the Indian Income Tax Department to lure victims into downloading a malicious archive from a fraudulent website....
    A single ClickFix prompt on an unmonitored endpoint granted attackers unchallenged initial access. The breach quickly expanded to 11 hosts due to critical gaps in endpoint security coverage. The custom "Potemkin" loader used a deterministic DGA and custom cipher to deploy RMMProject. RMMProject RAT bypassed Chrome's App-Bound Encryption and embedded a LuaJIT scripting engine....
    Threat actors are distributing a Rust-based cryptocurrency clipboard hijacker through a coordinated ecosystem of phishing websites, fake GitHub and SourceForge projects, AI-generated YouTube content, and manipulated reputation signals....
    This campaign leverages social engineering through compromised WhatsApp accounts to distribute malicious VBScript (VBS) attachments, which ultimately deploy malware in the form of a preconfigured ManageEngine Endpoint Central agent on victim systems....
    Discovered by Trusteer in May 2026, UnregStealer is a bespoke, human-operated trojan campaign targeting financial institutions in Latin America (LATAM). Unlike typical LATAM banking trojans that use automated infection chains and compiled malware, UnregStealer relies on a live operator who monitors victim sessions in real time and deploys payloads manually....
    FortiBleed is a large-scale credential compromise campaign targeting internet-facing Fortinet FortiGate firewalls and SSL VPN gateways using stolen and cracked credentials rather than a software vulnerability....
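Because FortiBleed relies on valid credentials rather than an exploit, nothing in the firewall's software needs to be wrong for it to succeed, and the signal lives in the authentication logs instead. The detector below is an added example, not code from the FortiBleed write-up or from Fortinet: it parses FortiGate-style key=value event lines, keeps a sliding window of SSL VPN login failures per source IP, alerts when one source fails against many distinct accounts, and records any subsequent successful tunnel from that source as a credential the attacker has confirmed. The field names follow FortiGate's logging style, but every sample line is constructed in code rather than captured from a device, and the thresholds are assumptions to tune per environment.

```python
"""Credential-stuffing detection over FortiGate-style SSL VPN event logs.

Added example, not code from the FortiBleed write-up. FortiGate writes events as
space-separated key=value pairs; the field names used here (date, time, subtype,
action, remip, user, reason) follow that style, but the sample lines below are
constructed, not captured from a real device. The detector keeps a sliding
window of login failures per source IP and alerts when one source fails against
many distinct accounts, then records any successful tunnel from that source as
a credential the attacker has confirmed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line: str) -> dict[str, str]:
    """Turn 'a=b c="d e"' into {'a': 'b', 'c': 'd e'}."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}


def _timestamp(rec: dict[str, str]) -> datetime:
    return datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")


def detect_credential_stuffing(
    lines, window=timedelta(minutes=10), min_failures=20, min_users=5
) -> dict[str, dict]:
    """Map source IP -> {failures, distinct_users, confirmed} for sources that
    exceed the thresholds. Assumes lines are in time order per source IP."""
    recent_failures = defaultdict(deque)  # remip -> deque of (timestamp, user)
    alerts: dict[str, dict] = {}
    for line in lines:
        rec = parse_kv(line)
        ip = rec.get("remip")
        if rec.get("subtype") != "vpn" or not ip:
            continue
        ts = _timestamp(rec)
        action = rec.get("action")
        if action == "ssl-login-fail":
            window_q = recent_failures[ip]
            window_q.append((ts, rec.get("user", "")))
            while window_q and ts - window_q[0][0] > window:
                window_q.popleft()  # drop failures that fell out of the sliding window
            users = {u for _, u in window_q}
            if len(window_q) >= min_failures and len(users) >= min_users:
                alert = alerts.setdefault(ip, {"failures": 0, "distinct_users": 0, "confirmed": []})
                alert["failures"] = max(alert["failures"], len(window_q))
                alert["distinct_users"] = max(alert["distinct_users"], len(users))
        elif action == "tunnel-up" and ip in alerts:
            # A successful tunnel from a source already spraying credentials:
            # that account is compromised, not merely targeted.
            alerts[ip]["confirmed"].append(rec.get("user", ""))
    return alerts


def build_sample_log() -> list[str]:
    """Constructed sample: one source sprays 30 accounts and lands one, while a
    legitimate user mistypes a password twice and then logs in."""
    base = datetime(2026, 5, 3, 2, 14, 0)

    def event(ts, action, ip, user, reason=None):
        line = (f'date={ts:%Y-%m-%d} time={ts:%H:%M:%S} type="event" subtype="vpn" '
                f'action="{action}" remip="{ip}" user="{user}"')
        return line + (f' reason="{reason}"' if reason else "")

    lines = [event(base + timedelta(seconds=7 * i), "ssl-login-fail", "203.0.113.45",
                   f"user{i:02d}", "sslvpn_login_permission_denied") for i in range(30)]
    lines.append(event(base + timedelta(minutes=4), "tunnel-up", "203.0.113.45", "user17"))
    lines.append(event(base + timedelta(minutes=1), "ssl-login-fail", "198.51.100.7", "alice",
                       "sslvpn_login_permission_denied"))
    lines.append(event(base + timedelta(minutes=1, seconds=20), "ssl-login-fail", "198.51.100.7",
                       "alice", "sslvpn_login_permission_denied"))
    lines.append(event(base + timedelta(minutes=2), "tunnel-up", "198.51.100.7", "alice"))
    return lines


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(build_sample_log()).items():
        print(ip, summary)
```

The two thresholds are deliberately combined: a single account failing many times is a lockout or a forgotten password, while many accounts failing from one source is a list being replayed. The `confirmed` list is the item to act on first, since those sessions are already inside; resetting the credential and enforcing MFA on the SSL VPN closes the path the campaign depends on.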
    The attack begins with a fake CAPTCHA page that socially engineers macOS users into executing a malicious Terminal command, which downloads and launches a hidden DMG-based malware installer from attacker-controlled infrastructure....