Threat Research

    JanelaRAT is a malware family named after the Portuguese word “janela,” meaning “window.” It targets financial and cryptocurrency data from selected banks and institutions in Latin America. The malware is a modified version of BX RAT and has been active since June 2023....
    The supply chain compromise involving LiteLLM demonstrates how attackers, potentially leveraging social engineering tactics, injected malicious code that enabled unauthorized data access and potential command execution. It highlights how downstream users, including organizations like Mercor, were impacted due to implicit trust in the compromised dependency....
    A targeted social engineering campaign tracked as REF6598 abuses the Obsidian note-taking app to gain initial access, targeting individuals in the financial and cryptocurrency sectors via LinkedIn and Telegram. Victims are tricked into opening a shared vault with malicious plugins that silently execute code, leading to a multi-stage, fileless attack chain....
    A threat campaign has published over 200 malicious packages to NPM, using names like “huggingface-cli,” “webflow,” and “codeium.” These packages pose as a new AI coding agent called “Stardrop,” which gives the campaign its name. Detection began on April 9, with an average of 40+ new packages appearing daily....
    In this malware campaign, attackers distribute an infostealer by impersonating a legitimate OpenClaw AI tool. It leverages a ClickFix social engineering technique, tricking users into manually executing malicious commands, thereby bypassing browser security protections....
    A watering hole attack compromised the official CPUID website, replacing legitimate download links for popular tools like CPU-Z and HWMonitor with malicious versions....
    The Graphalgo campaign has resurfaced with more sophisticated tactics, using fake companies and GitHub organizations to create legitimacy for fraudulent job offers targeting developers. Victims are lured through coding tasks that include malicious dependencies from platforms like npm or PyPI, which execute during setup to deliver a remote access trojan (RAT)....
    Detects the Windows execution chain and process tree tied to the Axios NPM supply chain attack. On March 30, 2026, malicious versions (1.14.1 and 0.30.4) were published to npm. These versions injected a dependency (plain-crypto-js@4.2.1) that ran a postinstall RAT dropper....
    A malware campaign used a fake Adobe Acrobat Reader download to trick users into installing the legitimate ScreenConnect remote access tool for malicious purposes. The attack chain relies on heavy obfuscation and fileless techniques, including VBScript loaders, .NET reflection, and in-memory execution, to evade detection....
    BlankGrabber is a Python-based information stealer designed to extract sensitive data such as browser credentials, session tokens, and system details. Discovered in 2023 by security researchers, it is known for its modular design and fast evolution to evade detection. The malware is commonly spread through social engineering and phishing campaigns....
    Active phishing kit impersonates a national postal service e-commerce platform, mimicking four storefronts (unifone, masterfone, newphone, dogabilisim). We call this kit “Montana Empire,” based on a phrase found in its admin panel....
    A threat cluster tracked as UAT-10362 APT is conducting spear-phishing campaigns targeting Taiwanese NGOs and academic institutions, delivering a newly identified malware family called LucidRook. The malware uses a DLL-based stager embedding Lua and Rust components to execute staged payloads, with region-specific checks to target Traditional Chinese environments....
    SURXRAT abuses Android accessibility services to perform malicious actions such as keylogging, screen capture, and OTP interception. By using legitimate cloud services, the malware blends in with normal traffic, making detection more difficult. SURXRAT can remotely execute commands, exfiltrate sensitive data, and maintain persistent access to infected devices....
    Masjesu is a commercially operated IoT botnet active since 2023, offering DDoS-for-hire services through Telegram. It targets a wide range of routers and embedded devices across multiple architectures, using vulnerability exploitation and scanning for propagation....
    Iran-linked advanced persistent threat (APT) actors are exploiting internet-facing operational technology (OT) devices, including Rockwell/Allen-Bradley PLCs. Their actions have disrupted PLC operations across multiple U.S. critical infrastructure sectors. Attacks involve tampering with project files and altering data on HMI and SCADA systems....