Threat Research

UNC1549 often gained initial access by blending targeted social engineering with the use of compromised third-party accounts. Using credentials stolen from vendors or partners, the group took advantage of legitimate trust relationships to enter victim environments....

The Lynx ransomware intrusion began with an RDP login using stolen credentials, quickly followed by lateral movement to a domain controller using a compromised admin account. The attacker created multiple impersonation-style privileged accounts, mapped virtualization systems and file shares, and gathered sensitive data before exfiltrating it via temp.sh....

RoningLoader is a new, advanced loader used in a recent DragonBreath (APT-Q-27) campaign that distributes a modified gh0st RAT through trojanized NSIS installers posing as legitimate apps like Chrome and Microsoft Teams....

We uncovered two linked 2025 malware campaigns that used large-scale brand impersonation to deliver Gh0st RAT variants to Chinese-speaking users. Across these operations, attackers evolved from simple droppers to multi-stage chains abusing legitimate signed software to evade defenses....

Rhadamanthys malware has evolved considerably, showcasing continuous advancements in cybercriminal tactics. Initially discovered in 2022, it began as a sophisticated information stealer targeting credentials, financial data, and system details....

In August 2025, Kraken— a Russian-speaking ransomware group that emerged from the former HelloKitty cartel— conducted big-game hunting and double-extortion attacks. Cisco Talos observed the group exploiting SMB vulnerabilities for initial access, then using Cloudflared for persistence and SSHFS for pre-encryption data exfiltration....

The Agenda ransomware group (Qilin) has been observed deploying Linux-based binaries on Windows hosts using legitimate remote management and file transfer tools. This cross-platform technique evades traditional Windows-focused detections, including many EDR solutions....

APT37, a North Korea–linked threat group, conducted a social engineering campaign masquerading as an academic forum invitation from a South Korean national security think tank. The lure referenced a real event titled “Trump 2.0 Era: Prospects and South Korea’s Response” to gain credibility....

A GLS-themed ClickFix social-engineering campaign in Italy delivered the Remcos RAT by tricking users into manually running malicious commands. ClickFix campaigns have risen over the past year because manual execution helps attackers evade AV, sandbox, and EDR detection....

In early 2025, researchers identified a surge of ransomware attacks abusing the SimpleHelp Remote Monitoring and Management (RMM) platform, widely used by MSPs and software vendors. Threat groups such as Medusa and DragonForce exploited three vulnerabilities — CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728 — to infiltrate downstream customer networks....

On October 6, 2025, the developer “Loadbaks” released Vidar Stealer v2.0 on underground forums. The malware was rewritten entirely in C, improving speed and efficiency through a multithreaded architecture. Its launch coincided with a decline in Lumma Stealer activity, driving threat actors toward Vidar and StealC....

A vulnerability in Gladinet’s Triofox platform, tracked as CVE-2025-12480, allowed attackers to bypass authentication and access configuration pages without credentials. The flaw enabled arbitrary file upload and code execution through abuse of the platform’s built-in antivirus feature, and was exploited by the threat actor UNC6485....

CHAMELEON_NET is a targeted malspam campaign delivering the DarkTortilla .NET loader to distribute FormBook. Infection starts with a phishing email and a .bz2 archive that drops an obfuscated JavaScript file. The JS launches a VB.NET loader that decrypts an embedded DLL via an index-based XOR and reflectively loads it in memory....

Researchers have discovered a new Android spyware family called LANDFALL. Attackers delivered it through a zero-day flaw (CVE-2025-21042) in Samsung’s image processing library. This issue is part of a broader pattern seen across multiple mobile platforms. The vulnerability was exploited in the wild before Samsung patched it in April 2025....

Detects a suspicious CertReq execution that initiates a file download. This activity is commonly associated with attackers attempting to retrieve additional payloads or configuration files....