Threat Research

Researchers uncovered and analyzed the full source code of an AI-driven AiTM phishing platform called “UPMI ULTIMATE,” linked to a group named “Team Unlimited.” The code was retrieved from an exposed central server that manages licensing, intelligence sharing, and remote control for all client instances....

EvilTokens is a newly identified phishing-as-a-service (PhaaS) kit that enables large-scale Microsoft device code phishing attacks, leveraging social engineering techniques and rapidly adopted by cybercriminals for Adversary-in-the-Middle (AitM) and Business Email Compromise (BEC) operations....

A cyberespionage campaign discovered in early 2026 involved three distinct threat clusters Paper Werewolf, Versatile Werewolf, and Eagle Werewolf targeting victims using malware disguised as Starlink registration services and drone training applications....

A growing share of cyber incidents now stems from supply chain attacks. Attackers use tactics like malicious open-source libraries or hijacked developer accounts. These compromised libraries spread widely, affecting countless applications and services. In March 2026, a trojanized LiteLLM Python library was uploaded to PyPI, infecting systems....

Researchers uncovered multiple cyber-espionage campaigns targeting a Southeast Asian government organization. The investigation traced Stately Taurus activity (June–Aug 2025), involving USB-spread USBFect (HIUPAN) malware deploying a PUBLOAD backdoor....

A supply chain attack compromised the LiteLLM AI proxy package on PyPI, with malicious versions delivering a multi-stage payload that harvested credentials, enabled Kubernetes lateral movement, and established persistent backdoor access for remote code execution....

A stealthy malware campaign is abusing digitally signed remote monitoring and management (RMM) tools to gain persistent access and evade detection. The attack leverages legitimate file-hosting updater mechanisms to execute cloud-syncing processes, enabling disguised traffic and potential data exfiltration....

Pawn Storm, a Russia-aligned APT group, is targeting Ukraine’s defense supply chain and allied nations. It deploys PRISMEX, a modular malware suite using steganography, COM hijacking, and cloud-based C2. The group exploited multiple flaws, including a Windows zero-day (CVE-2026-21513). Malicious .lnk files via CVE-2026-21509 may chain with CVE-2026-21513, per Akamai findings....

An active phishing campaign is impersonating a cloud file storage service and major e-signature platforms. Instead of stealing passwords, it exploits Microsoft’s legitimate Device Code OAuth flow. Victims are tricked into entering a verification code on Microsoft’s real login page. The attacker intercepts OAuth tokens, gaining persistent access to accounts and data....

A targeted campaign is using phishing emails with fake resume (CV) attachments to infect French-speaking corporate environments with heavily obfuscated VBScript malware....

AVrecon malware has been used to compromise routers and IoT devices across more than 160 countries, enabling threat actors to convert infected systems into residential proxies. These compromised devices were sold through the SocksEscort service, which facilitated access to hundreds of thousands of infected endpoints since 2020....

Researchers are tracking ongoing Contagious Interview campaign activity by NICKEL ALLEY, a North Korea–linked threat group. The group targets tech professionals using fake job postings and deceptive interview processes. Victims are tricked into downloading malware during these staged recruitment steps....

A large-scale malware campaign leveraged AI-driven “vibe coding” to generate malicious code components, lowering the barrier for threat actors to create and distribute malware. The campaign used hundreds of malicious ZIP files impersonating popular software—such as AI tools, game mods, and utilities—to deliver multiple variants of the WinUpdateHelper.dll payload....

UNC2814 is a PRC-aligned cyber espionage group active since at least 2017. It targets telecom and government sectors to steal communications intelligence and PII. The group has operated in 42 confirmed countries and over 70 suspected across multiple regions Africa, Asia, and the Americas....

In late February 2026, analysts detected malicious activity on Android devices linked to the Keenadu backdoor. Keenadu is a firmware-level infection embedded in libandroid_runtime.so, injecting itself into the Zygote process. Since Zygote spawns all apps, this gives attackers near-total control over infected devices....