Threat Research

    Researchers identified multiple malicious skills on OpenClaw’s ClawHub marketplace that abused the AI agent ecosystem to deliver macOS infostealers, evade security scanning, and conduct novel agentic attacks such as runtime affiliate injection and agentic front-running for financial gain....
    We detected a cryptocurrency-mining campaign exploiting CVE-2026-33017, an unauthenticated RCE vulnerability in Langflow. The attack marks a shift in delivery vectors, specifically targeting exposed AI application endpoints. The malware disables host-level security controls, deploys a custom miner, and establishes persistence....
    A social engineering–driven malware campaign impersonates the Indian Income Tax Department to lure victims into downloading a malicious archive from a fraudulent website....
    A single ClickFix prompt on an unmonitored endpoint granted attackers unchallenged initial access. The breach quickly expanded to 11 hosts due to critical gaps in endpoint security coverage. The custom "Potemkin" loader used a deterministic DGA and custom cipher to deploy RMMProject. RMMProject RAT bypassed Chrome's App-Bound Encryption and embedded a LuaJIT scripting engine....
    Threat actors are distributing a Rust-based cryptocurrency clipboard hijacker through a coordinated ecosystem of phishing websites, fake GitHub and SourceForge projects, AI-generated YouTube content, and manipulated reputation signals....
    This campaign leverages social engineering through compromised WhatsApp accounts to distribute malicious VBScript (VBS) attachments, which ultimately deploy malware in the form of a preconfigured ManageEngine Endpoint Central agent on victim systems....
    Discovered by Trusteer in May 2026, UnregStealer is a bespoke, human-operated trojan campaign targeting financial institutions in Latin America (LATAM). Unlike typical LATAM banking trojans that use automated infection chains and compiled malware, UnregStealer relies on a live operator who monitors victim sessions in real time and deploys payloads manually....
    FortiBleed is a large-scale credential compromise campaign targeting internet-facing Fortinet FortiGate firewalls and SSL VPN gateways using stolen and cracked credentials rather than a software vulnerability....
    The attack begins with a fake CAPTCHA page that socially engineers macOS users into executing a malicious Terminal command, which downloads and launches a hidden DMG-based malware installer from attacker-controlled infrastructure....
    FortiBleed refers to the exposure and abuse of leaked credentials associated with approximately 74,000 internet-facing Fortinet devices, including FortiGate firewalls and SSL VPN gateways....
    Threat actors are leveraging AI-generated deepfake audio and video hosted on legitimate SaaS and content delivery platforms to conduct phishing campaigns targeting social media users....
    Analysis of the Mastra npm supply chain compromise revealed that attackers abused a trusted package ecosystem by introducing a malicious postinstall payload through a typosquatted dependency named easy-day-js....
    Researchers analyzed the robust EDR-killing toolset of the prominent ransomware gang Gentlemen. Since early 2026, the group has become one of the most active threats in the ecosystem. They stand out by maintaining sophisticated tools designed to disrupt security software. Unlike its peers, Gentlemen targets Southeast Asia, South America, and Western Europe rather than the US....
    In March 2026, ThreatLabz detected multiple malicious typosquatting domains built using AI website generators. Cybercriminals are using these tools to rapidly scale convincing lures, ranging from simple credential harvesting to ClickFix campaigns delivering Remote Access Trojans (RATs)....
    Researchers identified a cryptocurrency clipper malware that spreads through malicious .LNK shortcut files and propagates like a worm via removable drives. It launches a bundled Tor client and communicates with hidden .onion C2 servers through a local SOCKS5 proxy (localhost:9050) to evade detection....