Threat Research

SmokeLoader (also known as Smoke or Dofoil) is a long-standing modular malware loader active since 2011, primarily used to deliver second-stage payloads like trojans, ransomware, and info stealers. It features a plugin-based architecture enabling credential theft, browser hijacking, crypto mining, and DDoS attacks....

Maranhão Stealer is spreading through social engineering sites that offer pirated software, cracked games, and cheats, using cloud services for delivery. Written in Node.js and packaged with Inno Setup, it mirrors trends seen in modern stealer campaigns....

This FLASH is being issued to share Indicators of Compromise (IOCs) linked to recent malicious cyber activities carried out by cybercriminal groups UNC6040 and UNC6395. These groups are responsible for a growing number of data theft and extortion incidents and have recently been observed targeting organizations' Salesforce platforms through various initial access methods....

In August 2025, Labs uncovered an SEO poisoning campaign targeting Chinese-speaking users. The attackers boosted the search rankings of malicious sites using SEO plugins and registered deceptive domains that closely resembled legitimate software websites....

EvilAI disguises itself as legitimate productivity or AI tools, using professional interfaces and valid digital signatures to avoid detection. It has spread globally, with the greatest impact seen in Europe, the Americas, and the AMEA region. Targeted sectors include manufacturing, government/public services, and healthcare....

The Gonepostal malware has been observed in an espionage campaign linked to KTA007 (aka Fancy Bear/APT28), a Russian state-sponsored group tied to GRU Unit 26165. The malware consists of a dropper DLL and a password-protected Outlook macro file (VbaProject.OTM) that enables backdoor access via email-based C2....

Since early August 2025, a sophisticated malvertising campaign has been observed where attackers abuse GitHub’s repository forking system to deliver a fake GitHub Desktop client. The attackers create dangling commits by forking legitimate repositories, injecting malicious commits, and then deleting the fake user accounts....

AdaptixC2 is an open-source post-exploitation framework recently spotted in real-world threat campaigns. It enables command execution, file transfers, and data exfiltration on compromised systems. Its low profile and high customizability make it a flexible and dangerous tool for attackers. Our research explores its capabilities to help defenders detect and mitigate its use....

A malware campaign active since May 2025 has been targeting Chinese-speaking users, delivering multiple remote access trojans, including ValleyRAT, FatalRAT, and a newly identified variant dubbed kkRAT. kkRAT shares code similarities with Ghost RAT and Big Bad Wolf (大灰狼), commonly used by China-based threat actors....

Threat actors are registering domains resembling the 2026 FIFA World Cup to host suspicious or malicious content With ticket access rolling out in phases over a year in advance, attackers are ramping up early via fraudulent sites. A spike in FIFA-related domain registrations was observed in June 2025, a year ahead of the event....

On 19 August 2025, a sophisticated malware delivery campaign was uncovered involving the abuse of GitHub repositories and Google Ads. Threat actors used paid ad placements to redirect users to a lookalike domain hosting a malicious download. By embedding commit-specific GitHub links, the download appeared legitimate, bypassing user suspicion....

The intrusion began in September 2024 via a malicious EarthTime installer that deployed SectopRAT and connected to its C2 server. Persistence was established by moving the file and adding a Startup shortcut, followed by creating a local admin account. The actor deployed SystemBC, accessed the host via RDP, ran discovery commands, and performed a DCSync attack....

North Korean-aligned threat group APT37 (aka ScarCruft, Ruby Sleet, Velvet Chollima) has been observed using advanced malware in recent campaigns targeting individuals linked to the North Korean regime and human rights activism in South Korea....

A new cyber-espionage campaign dubbed Operation BarrelFire has been uncovered, attributed to a newly tracked threat group named Noisy Bear. Active since April 2025, Noisy Bear has primarily targeted entities in Kazakhstan's Oil and Gas sector, including KazMunaiGas (KMG). The attack begins with a phishing email containing a ZIP file disguised as an internal KMG document....

We’ve identified an SMS phishing (smishing) campaign posing as the California Franchise Tax Board. The fraudulent websites use domain names that combine terms like “FTB,” “CA,” and “gov” to deceive users. These sites falsely promise tax refunds, but their true purpose is to harvest sensitive personal information, including Social Security numbers, addresses, and payment details...