Threat Research

RansomHouse is a ransomware-as-a-service operation run by the group known as Jolly Scorpius. Recent malware samples show a major upgrade in the group’s encryption capabilities. This analysis examines the encryption changes and their implications for defenders. Jolly Scorpius employs a double extortion model, combining data theft with file encryption....

UAT-9686, a suspected Chinese-nexus APT actor, is actively targeting Cisco Secure Email Gateway (AsyncOS/ESA) and Cisco Secure Email and Web Manager (SMA). The group exploits non-standard appliance configurations to deploy a custom persistence tool called AquaShell, along with reverse tunneling and log-cleaning utilities to maintain stealthy, long-term access....

Detects instances where a web browser process opens an HTML file from a user’s Downloads folder. This behavior may be indicative of phishing activity, in which threat actors distribute HTML attachments to users. Opening such attachments can result in the execution of malicious scripts or the delivery of malware....

In mid-August 2025, researchers observed the misuse of the legitimate Velociraptor DFIR tool as part of suspected ransomware precursor activity. Further investigation across customer environments indicated with high confidence an intent to deploy Warlock ransomware. Warlock is operated by the cybercrime group tracked as GOLD SALEM....

BlackForce is an actively evolving phishing kit first observed in August 2025, designed to conduct advanced Man-in-the-Browser (MitB) attacks that enable real-time bypass of multi-factor authentication (MFA). It has been used to impersonate over 11 major brands, including Disney, Netflix, DHL, and UPS....

On December 3, 2025, a critical unauthenticated RCE vulnerability in React Server Components, tracked as CVE-2025-55182 (“React2Shell”), was publicly disclosed. Shortly thereafter, the team observed widespread exploitation by diverse threat actors, from cybercriminals to suspected espionage groups....

Ashen Lepus (aka WIRTE), an APT linked to Hamas-affiliated interests, has conducted a long-running espionage campaign against governmental and diplomatic organizations across the Middle East....

During October and November 2025, a series of campaigns targeting the energy, defense, pharmaceutical, and cybersecurity sectors displayed traits consistent with earlier operations linked to Void Rabisu (also known as ROMCOM, Tropical Scorpius, or Storm-0978)....

A financially motivated threat actor deploying DeadLock ransomware has adopted new tactics, including a previously unknown BYOVD loader that exploits Baidu Antivirus driver vulnerability CVE-2024-51324 to disable EDR protections....

In June 2025, we identified a new ransomware family called 01flip targeting a small set of victims in the Asia-Pacific region. Written entirely in Rust, it leverages cross-compilation to support multiple platforms. The attackers appear to be financially motivated and likely executed the operation manually....

We identified a new social-engineering tactic employed by the Belarusian threat actor White Lynx (also known as Ghostwriter, Storm-0257, UNC1151). The method relies on a malicious macro embedded in a Word document designed to evade detection and analysis. Once macros are enabled, the user is presented with a fake CAPTCHA window prompting them to validate a six-character string....

A critical React Server Components vulnerability, CVE-2025-55182, allows unauthenticated remote code execution and has already been exploited in the wild. Attackers have conducted automated scanning, reconnaissance, credential theft, and deployed malicious scripts, droppers, and reverse shells, including activity linked to a PRC-associated access broker....

ClickFix is a social-engineering technique that tricks users into pasting malicious scripts—often injected into the clipboard through pastejacking—into terminals or run windows, leading to system compromise. Since September 2025, detections have surged to over 200 compromised sites daily, driven by lures that mimic Google’s “Aw Snap!” error or fake browser update pages....

UDPGangster is a UDP-based backdoor linked to the MuddyWater threat group, active in cyber-espionage across the Middle East. It enables remote control of infected systems, supporting command execution, file exfiltration, and payload delivery over stealthy UDP channels. Recent campaigns have targeted users in Turkey, Israel, and Azerbaijan....

WARP PANDA is a newly identified, highly advanced China-nexus threat actor targeting VMware vCenter and ESXi environments across U.S. organizations in 2025. The group demonstrates strong technical skill, exceptional OPSEC, and deep expertise in cloud and virtualized systems....