Threat Research

    Our research examined the April 22 Checkmarx KICS and April 24 elementary-data incidents as part of a broader TeamPCP supply chain campaign involving at least seven confirmed waves. The KICS attack used multichannel poisoning across Docker Hub, VS Code/OpenVSX, and GitHub Actions, later enabling the hijack of @bitwarden/cli through stolen npm tokens....
    In Q1 2026, an Iran-linked espionage campaign targeted at least nine organizations across four continents, affecting sectors such as manufacturing, education, finance, government, and professional services....
    This campaign involves a trojanized version of the legitimate HWMonitor application used to deliver the STX RAT malware. The attackers leveraged DLL sideloading to execute malicious payloads through trusted binaries, helping evade detection....
    CVE-2026-41940 is a severe authentication bypass flaw (CVSS score: 9.8) impacting cPanel and WHM. The vulnerability allows remote attackers to circumvent the authentication mechanism and obtain unauthorized access without requiring legitimate credentials....
    The EtherRAT malware family was first identified by Sysdig in December 2025, initially exploiting CVE-2025-55182 (React2Shell) on Linux servers. In March 2026, Atos reported a Windows-based EtherRAT campaign with activity traced back to December 2025....
    We investigated reports of a fake Claude AI website spreading malware. At first, the attack appeared similar to known PlugX campaigns due to shared techniques. Closer analysis revealed a first-stage DonutLoader payload and a previously undocumented backdoor....
    This campaign demonstrates how ClickFix-style social engineering continues to evolve into an effective initial access technique for delivering sophisticated malware frameworks....
    UAT-8302 is a sophisticated China-linked APT group targeting South American government entities since late 2024 and southeastern European agencies in 2025. After gaining access, the group deploys several custom malware families previously associated with other China-nexus threat actors....
    In March 2026, ThreatLabz uncovered an attack chain targeting AI agentic workflows through a malicious OpenClaw framework skill. The attackers used manipulated installation instructions to trick autonomous AI agents into downloading and executing a remote MSI package....
    The InstallFix campaign is a social engineering attack targeting users searching for Anthropic’s Claude AI through fake installation pages promoted via Google Ads. It uses convincing, OS-specific instructions to trick users into executing malicious PowerShell commands....
    A newly identified set of China-aligned campaigns is targeting government entities and critical infrastructure across South, East, and Southeast Asia, plus one NATO member state. This activity is being tracked as SHADOW-EARTH-053....
    The increasing reliance on AI has led to a surge in AI-driven tools. However, these platforms can also be exploited for malicious purposes, as demonstrated in the case of Kuse.ai. While Kuse is generally regarded as a reliable workplace solution, threat actors continuously develop new social engineering tactics....
    We identified phishing emails falsely claiming mailbox storage limits are exceeded. They include shortened links that redirect to fake “Cloud” storage pages. The messages use urgent language like “Cloud storage is full” and “Permanent data loss warning.” Users are pressured through multiple redirects to pages mimicking real cloud dashboards....
    In March 2026, we identified over twenty phishing apps on the Apple App Store posing as well-known crypto wallets. After being opened, these apps redirect users to web pages that mimic the App Store and deliver tampered versions of legitimate wallet applications. These malicious apps are deliberately built to capture recovery phrases and private keys....
    The Xinference PyPI supply chain attack involved malicious package versions (2.6.0–2.6.2) that executed hidden, obfuscated code when imported. The payload used techniques like base64 encoding to evade detection and silently run in the background....