Threat Research

    This campaign demonstrates how ClickFix-style social engineering continues to evolve into an effective initial access technique for delivering sophisticated malware frameworks....
    UAT-8302 is a sophisticated China-linked APT group targeting South American government entities since late 2024 and southeastern European agencies in 2025. After gaining access, the group deploys several custom malware families previously associated with other China-nexus threat actors....
    In March 2026, ThreatLabz uncovered an attack chain targeting AI agentic workflows through a malicious OpenClaw framework skill. The attackers used manipulated installation instructions to trick autonomous AI agents into downloading and executing a remote MSI package....
    The InstallFix campaign is a social engineering attack targeting users searching for Anthropic’s Claude AI through fake installation pages promoted via Google Ads. It uses convincing, OS-specific instructions to trick users into executing malicious PowerShell commands....
    A newly identified set of China-aligned campaigns is targeting government entities and critical infrastructure across South, East, and Southeast Asia, plus one NATO member state. This activity is being tracked as SHADOW-EARTH-053....
    The increasing reliance on AI has led to a surge in AI-driven tools. However, these platforms can also be exploited for malicious purposes, as demonstrated in the case of Kuse.ai. While Kuse is generally regarded as a reliable workplace solution, threat actors continuously develop new social engineering tactics....
    We identified phishing emails falsely claiming mailbox storage limits are exceeded. They include shortened links that redirect to fake “Cloud” storage pages. The messages use urgent language like “Cloud storage is full” and “Permanent data loss warning.” Users are pressured through multiple redirects to pages mimicking real cloud dashboards....
    In March 2026, we identified over twenty phishing apps on the Apple App Store posing as well-known crypto wallets. After being opened, these apps redirect users to web pages that mimic the App Store and deliver tampered versions of legitimate wallet applications. These malicious apps are deliberately built to capture recovery phrases and private keys....
    The Xinference PyPI supply chain attack involved malicious package versions (2.6.0–2.6.2) that executed hidden, obfuscated code when imported. The payload used techniques like base64 encoding to evade detection and silently run in the background....
    Kali365 is a newly emerged phishing-as-a-service (PhaaS) kit that abuses OAuth device code registration flows to conduct large-scale credential phishing campaigns. Distributed through Telegram, the platform offers advanced capabilities including mailbox scanning, phishing page generation, and AI-powered chatbot assistance for creating convincing lures....
    The npm ecosystem hit a critical turning point in September 2025. The Shai-Hulud worm, a self-replicating malware, automated the spread of compromised packages. This marked the shift from minor disruptions to serious, high-impact threats. Since then, supply chain attacks have rapidly increased in frequency and sophistication....
    DinDoor, a malware variant linked to the Tsundere botnet and associated with the Iranian APT group Seedworm (MuddyWater), leverages the Deno runtime to execute obfuscated JavaScript for command-and-control communication and victim fingerprinting. Delivered via MSI installers, it exploits gaps in monitoring for less commonly tracked runtimes....
    UNC6692 conducted a multi-stage intrusion campaign using persistent social engineering, impersonating IT helpdesk staff via Microsoft Teams to trick victims into installing a fake fix for email issues. The attack delivered AutoHotKey-based loaders that executed scripts and deployed a malicious browser extension (SNOWBELT) for persistence and control....
    On March 12, 2026, ThreatLabz identified a malicious ZIP archive that used military-themed documents as bait to target Chinese-speaking users. The operation relied on a tampered SumatraPDF executable to deliver an AdaptixC2 Beacon, which eventually led to the installation of Visual Studio Code on compromised systems....
    A new variant of the LOTUSLITE backdoor, attributed with moderate confidence to Mustang Panda, is targeting India’s banking sector using DLL sideloading with legitimate Microsoft-signed executables. The malware communicates with a dynamic DNS-based C2 over HTTPS and enables remote shell access, file operations, and session control, indicating espionage-driven objectives....