Threat Research

Threat actors are exploiting growing interest in artificial intelligence by distributing malicious files disguised as AI-related guides and learning materials. The attack uses a complex, multi-stage infection chain with heavily obfuscated scripts and AutoHotkey-based loaders to deploy a .NET RAT and AsyncRAT directly into memory, enabling remote access....

OnionDrop is a sophisticated multi-stage malware loader designed to deliver InfoStealers such as LegionLoader (CurlyGate), CGrabber, and Vidar Stealer at scale....

OP-512 is a newly identified, likely China-linked cyberespionage cluster that targeted a compromised IIS web server to conduct long-term intelligence-gathering operations....

Our investigation of the malicious DurableTask packages revealed a sophisticated multi-stage supply chain attack targeting cloud-native and developer-centric environments....

MLTBackdoor is a newly identified malware family likely associated with ransomware operations and delivered through a multi-stage ClickFix infection chain. The malware provides remote access capabilities such as file upload and download, while also supporting the execution of Beacon Object Files (BOFs) to dynamically extend its functionality....

Mustang Panda campaign that delivers the PlugX RAT through a multi-stage infection chain starting with a malicious LNK file and PowerShell loader. The attack uses DLL sideloading, encrypted shellcode, API hashing, and in-memory execution techniques to evade detection and complicate analysis....

Multiple threat groups, including the Russia-aligned Gamaredon (Earth Dahu) and SHADOW-EARTH-066, continue to exploit CVE-2025-8088, a patched WinRAR path traversal vulnerability, to target Ukrainian organizations....

Between April and May 2026, Threat Research identified a likely North Korean threat actor targeting nearly 100 organizations across finance, cryptocurrency, education, technology, and other sectors. The activity cluster is tracked as UNK_DeadDrop. The phishing campaigns used developer recruitment and code review lures to attract victims....

A critical authentication bypass vulnerability, CVE-2026-50751 (CVSS 9.3), affects Remote Access VPN and Mobile Access deployments that use the deprecated IKEv1 protocol. The flaw allows a remote, unauthenticated attacker to establish a VPN connection without valid credentials by exploiting a weakness in the certificate validation process....

A China-linked cyber-espionage campaign attributed to UNC5221 targeted U.S. law firms and technology organizations. The attackers exploited zero-day vulnerabilities, deployed the BRICKSTORM backdoor, and maintained access for over a year to steal sensitive legal, trade, and national security information....

Operation Dragon Weave is a suspected China-linked cyberespionage campaign targeting government officials and citizens in the Czech Republic and Taiwan through spearphishing emails containing malicious ZIP attachments....

A multi-step ClickFix attack was detected using brand squatting, clipboard decoys, and multi-stage payloads disguised as logs or images. The threat actor registered lirunex[.]tech, mimicking the legitimate payment platform lirnunex.com, and launched an evasive attack....

In March and April 2026, threat actor TA4922 significantly increased its operational tempo. The team identified a series of campaigns demonstrating a major evolution in the actor's malware tooling. The attacker relied primarily on human resources and business-themed lures to target victims....

A large-scale software supply chain campaign dubbed Megalodon leveraged malicious GitHub Actions workflow modifications to steal sensitive credentials from affected repositories. Analysis revealed credential harvesting capabilities targeting GitHub tokens, cloud credentials, API keys, database secrets, and private keys....

WeedHack is a large-scale Malware-as-a-Service (MaaS) operation that targets Minecraft players through trojanized mods, clients, and cheats distributed via SEO poisoning, YouTube videos, and malicious websites....