Threat Research

    UNC6692 conducted a multi-stage intrusion campaign using persistent social engineering, impersonating IT helpdesk staff via Microsoft Teams to trick victims into installing a fake fix for email issues. The attack delivered AutoHotKey-based loaders that executed scripts and deployed a malicious browser extension (SNOWBELT) for persistence and control....
    On March 12, 2026, ThreatLabz identified a malicious ZIP archive that used military-themed documents as bait to target Chinese-speaking users. The operation relied on a tampered SumatraPDF executable to deliver an AdaptixC2 Beacon, which eventually led to the installation of Visual Studio Code on compromised systems....
    A new variant of the LOTUSLITE backdoor, attributed with moderate confidence to Mustang Panda, is targeting India’s banking sector using DLL sideloading with legitimate Microsoft-signed executables. The malware communicates with a dynamic DNS-based C2 over HTTPS and enables remote shell access, file operations, and session control, indicating espionage-driven objectives....
    The attack starts with SEO poisoning, luring users searching for YubiKey Manager into downloading a malicious ISO file. It then executes a complex chain using DLL sideloading and PowerShell to evade defenses by adding Windows Defender exclusions. An obfuscated AutoIt script disguised as Health.exe decrypts and decompresses the Lumma Stealer payload....
    Void Dokkaebi (Famous Chollima) has advanced from targeted social engineering into a self-spreading supply chain threat. Compromised developer repositories act as infection hubs, propagating malware across the developer ecosystem like a worm. It exploits trusted workflows using malicious VS Code tasks and injected code that runs during normal development....
    Threat actors are increasingly abusing the open-source virtualization tool QEMU as a Living-off-the-Land (LOLBins) technique to conceal malicious activity within virtual machines, effectively bypassing endpoint security and reducing forensic visibility on host systems....
    The team tracked a cargo theft threat actor’s post-compromise activity for over a month within a decoy environment run by Deception.pro. The attacker used multiple remote access tools to maintain persistence, including a previously unknown signing-as-a-service capability....
    CrySome RAT represents a modular, userland-focused post-exploitation framework emphasizing persistence, evasion, and operator control (keylogger, credential harvesting, RDP, HVNC). While it does not exhibit kernel-level sophistication, its combination of defense evasion techniques and surveillance capabilities makes it effective against poorly monitored environments....
    PureRAT is a sophisticated remote access trojan that uses a multi-stage, fileless infection chain initiated by a malicious LNK file and PowerShell commands. It employs steganography to hide payloads within PNG images, along with techniques like UAC bypass, process hollowing, and anti-VM checks to evade detection....
    IoT devices are increasingly targeted for large-scale attacks due to widespread use, poor patching, and weak security. Threat actors exploit known vulnerabilities to gain access and deploy persistent malware. These infections can spread across devices and enable DDoS attacks. A recent campaign abused CVE-2024-3721 in TBK DVR devices to deliver the Nexcorium Mirai variant....
    We detected active automated scans attempting to exploit CVE-2023-33538 in end-of-life TP-Link routers (TL-WR940N, TL-WR740N, TL-WR841N variants). The payloads involved Mirai-like malware designed to download and execute on vulnerable devices. This activity followed CISA adding the CVE to its Known Exploited Vulnerabilities catalog in June 2025....
    BlobPhish is an advanced credential-phishing campaign active since 2024 that generates phishing pages directly within the victim’s browser using in-memory blob objects, bypassing traditional network and file-based detection....
    Threat actors are abusing AI workflow automation platforms like n8n to conduct sophisticated phishing campaigns by sending automated emails that deliver malware and fingerprint victim devices. By leveraging trusted services and integrations with tools like Slack, Gmail, and AI models, attackers can bypass traditional security controls and scale their operations....
    Users searching for “TestDisk” are redirected via SEO poisoning to a malicious site (testdisk[.]dev). The site uses JavaScript to generate one-time URLs that deliver a fake “PhotoRec” installer. Victims download a ZIP and run testdisk-7.3.exe, which is actually a renamed Microsoft Setup binary....
    JanelaRAT is a malware family named after the Portuguese word “janela,” meaning “window.” It targets financial and cryptocurrency data from selected banks and institutions in Latin America. The malware is a modified version of BX RAT and has been active since June 2023....