Threat Research

    In March 2026, ThreatLabz detected multiple malicious typosquatting domains built using AI website generators. Cybercriminals are using these tools to rapidly scale convincing lures, ranging from simple credential harvesting to ClickFix campaigns delivering Remote Access Trojans (RATs)....
    Researchers identified a cryptocurrency clipper malware that spreads through malicious .LNK shortcut files and propagates like a worm via removable drives. It launches a bundled Tor client and communicates with hidden .onion C2 servers through a local SOCKS5 proxy (localhost:9050) to evade detection....
    A malicious PyPI package masquerading as an AI assistant, myra-ai-assistant, was found to contain TITAN, a Python-based infostealer that uses OCR-driven screen monitoring to capture sensitive information such as login pages, emails, IDE sessions, and financial transactions....
    ErrTraffic is a Malware-as-a-Service (MaaS) framework used to distribute malware through ClickFix social engineering lures embedded in compromised WordPress websites. The framework incorporates a Traffic Distribution System (TDS) and uses EtherHiding to conceal its command-and-control infrastructure within the blockchain....
    Researchers found two new Windows variants of the SprySOCKS backdoor, previously known only on Linux. Linked to the Chinese group FishMonger (I-SOON), it actively targeted government entities between 2023 and 2024. Telemetry confirmed victims across Honduras, Taiwan, Thailand, and Pakistan....
    Researchers discovered dozens of malicious wallpapers on Steam Workshop that abused Wallpaper Engine's Application Wallpaper feature to execute malware on users' PCs. The campaign distributed threats such as DarkKomet backdoors, Lumma and Vidar infostealers, crypto miners, and other credential-stealing malware....
    A PRC-nexus threat actor, UNC6508, targeted North American academic, medical, and military research institutions. The sophisticated campaign remained entirely undetected within target networks for over a year. Attackers initially breached networks by compromising externally facing web applications....
    OceanLotus (APT32) has shifted its focus from broader regional operations to more targeted operations against government entities within Vietnam. Between 2024 and 2026, the group used its SPECTRALVIPER backdoor in a supply-chain attack targeting stock investors and in a long-term intrusion against a Vietnamese infrastructure and transport company....
    A threat actor is leveraging AI brand impersonation by registering lookalike .ru domains that mimic DeepSeek, MiniMax, and ChatGPT, complete with cloned branding, AI chat interfaces, and the DeepSeek whale mascot to target Russian-speaking users....
    ShinyHunters exploited the critical zero-day vulnerability CVE-2026-35273 in Oracle PeopleSoft's Environment Management component to compromise organizations, with a strong focus on the higher education sector....
    Since November 2025, the Shai-Hulud V2 campaign has evolved significantly beyond typical software supply chain attacks. Over the last six months, the threat expanded from npm into PyPI and shifted focus from compromised maintainers to CI/CD abuse. The attackers undermined trust in SLSA provenance and OIDC-based publishing workflows without breaking cryptographic guarantees....
    A large-scale SEO poisoning campaign is exploiting Azure DNS zone takeovers through abandoned cloud NS delegations. The threat actor hijacked orphaned DNS zones and hosted Thai-language gambling content under the trusted domains of 163 organizations across 30+ countries, including government agencies, healthcare providers, financial institutions, and more....
    Threat actors are exploiting growing interest in artificial intelligence by distributing malicious files disguised as AI-related guides and learning materials. The attack uses a complex, multi-stage infection chain with heavily obfuscated scripts and AutoHotkey-based loaders to deploy a .NET RAT and AsyncRAT directly into memory, enabling remote access....
    OnionDrop is a sophisticated multi-stage malware loader designed to deliver InfoStealers such as LegionLoader (CurlyGate), CGrabber, and Vidar Stealer at scale....
    OP-512 is a newly identified, likely China-linked cyberespionage cluster that targeted a compromised IIS web server to conduct long-term intelligence-gathering operations....