Threat Research

Labs identified a web shell dubbed “EncystPHP” with advanced capabilities such as remote command execution, persistence, and web shell deployment. The attacks began in early December last year and spread through exploitation of the FreePBX vulnerability CVE-2025-64328. The activity is linked to the hacker group INJ3CTOR3, first observed in 2020 targeting CVE-2019-19006....

Multiple threat actors, including Russia- and China-linked state-sponsored groups as well as financially motivated attackers, are actively exploiting the critical CVE-2025-8088 flaw in WinRAR. The vulnerability, patched in July 2025, allows path traversal to drop malicious files into the Windows Startup folder, enabling persistence and payload delivery....

We uncovered an attack chain that uses SEO poisoning to lure users searching for legitimate software. Threat actors abuse GitHub by hosting malicious ZIP files in fake repositories. These archives impersonate real applications and include a harmful batch (.bat) file....

PeckBirdy is a JavaScript-based command-and-control framework used by China-aligned APT actors since 2023. It is designed for cross-environment execution, enabling flexible and scalable deployment. Two modular backdoors, HOLODONUT and MKDOOR, extend its capabilities beyond the core framework....

A software supply chain attack targeted users of EmEditor by distributing a compromised installer that delivered multistage information-stealing malware. The malicious installer enabled credential theft, data exfiltration, and lateral movement, while delaying execution of malicious behavior to evade early detection....

Between February and September 2025, multiple credential-harvesting campaigns were attributed to BlueDelta, a Russian state-sponsored threat group linked to the GRU. These operations expand on BlueDelta’s ongoing credential-theft activity previously documented in Insikt Group’s December 2025 report. During 2025, BlueDelta targeted a limited but distinct set of victims....

A short-lived infostealer campaign active in mid-January 2026 targeted users through spoofed software installers packaged in consistently structured ZIP archives. The operation is identifiable by a unique behavioral hash and abuses a trusted executable to sideload a malicious payload, ultimately executing secondary-stage infostealers....

VoidLink is a sophisticated malware framework composed of custom loaders, implants, rootkits, and modular plugins that enable persistent access to Linux systems. It is built to function reliably in cloud and containerized environments, with a strong focus on long-term operations....

Labs have uncovered a multi-stage malware campaign mainly targeting users in Russia. The attack starts with social engineering via business-themed documents that appear routine and harmless. These files distract victims with fake tasks or status messages while malicious processes run in the background....

DeadLock is a low-profile ransomware discovered in July 2025 that stands out for operating without known affiliates or a data leak site. Despite limited victim visibility, the group employs an unusual technique by abusing Polygon smart contracts to rotate or distribute proxy server addresses, enabling stealthy and decentralized infrastructure management....

Evelyn Stealer is a multistage information-stealing campaign that abuses the Visual Studio Code extension ecosystem to compromise software developers....

We identified phishing emails impersonating financial institutions, framed as alerts about expired W-8BEN tax forms. The attackers rapidly rotate domains to evade detection. Phishing pages use cloaking techniques and remain active only briefly....

UAT-8837 is a China-nexus threat actor assessed with medium confidence to specialize in gaining initial access to high-value organizations, with a clear focus on critical infrastructure targets in North America since at least 2025....

CastleLoader is a stealthy first-stage malware used in attacks against government organizations and various industries. It employs a multi-stage execution chain—Inno Setup, AutoIt, and process hollowing—to bypass security defenses. The final payload is deployed only in memory after process manipulation, evading traditional static detection....

Labs identified a new phishing campaign active in the wild. The attack delivers a new variant of Remcos, a lightweight commercial RAT with extensive capabilities. These include system resource control, remote surveillance, network operations, and agent management. I performed an in-depth analysis of the campaign’s full infection chain....