Threat Research

A recent malware campaign hosted on GitHub abuses popular lures like “Free VPN for PC” and “Minecraft Skin Changer” to trick users into executing a malicious dropper named Launch.exe. The campaign uses techniques such as process injection, DLL side-loading, and stealthy execution to deploy Lumma Stealer, an information-stealing malware....

In May 2025, threat actors were found hosting malicious WordPress sites to distribute tampered versions of the legitimate NetSupport Manager Remote Access Tool (RAT). This report examines the techniques and tools used to deploy the NetSupport RAT, with a focus on malicious JavaScript....

Detects unusual process activity where Sysmon is observed as the parent process—behavior that may indicate exploitation attempts, such as those associated with CVE-2022-41120....

This report examines the tools used by threat group TGR-CRI-0045, which appears to operate opportunistically. The group has targeted organizations in Europe and the U.S. across sectors like finance, manufacturing, tech, and logistics. They used leaked keys to sign malicious payloads via ASP.NET View State deserialization, enabling in-memory execution with minimal artifacts....

An active delivery site was recently identified hosting a weaponized HTA script that silently deploys the infostealer “NordDragonScan” onto victim systems. Once executed, NordDragonScan performs host reconnaissance, exfiltrates documents, harvests entire Chrome and Firefox browser profiles, and captures screenshots....

BERT (also known as Water Pombero) is a recently identified ransomware group targeting both Windows and Linux systems, with confirmed attacks in Asia, Europe, and the US. Their victims span healthcare, technology, and event services sectors. BERT employs PowerShell loaders, privilege escalation, and simultaneous file encryption to execute efficient and evasive attacks....

Detects possible exploitation of CVE-2025-49144 — a local privilege escalation vulnerability affecting Notepad++ installers version 8.8.1 and earlier....

Our team uncovered a cyber-espionage campaign by APT36 (Transparent Tribe), targeting Indian defense personnel. In a tactical shift, the group now focuses on Linux systems, especially BOSS Linux used by Indian government agencies. Phishing emails deliver a ZIP file containing a malicious .desktop shortcut that executes on user interaction....

Over the past month, there has been a noticeable surge in scanning activity linked to a new botnet campaign exploiting two high-risk vulnerabilities: CVE-2024-3721 and CVE-2024-12856. Both vulnerabilities have been publicly disclosed and are currently being actively targeted, presenting serious threats to device security and overall network stability....

In March 2025, Apache disclosed CVE-2025-24813, a critical RCE vulnerability in Apache Tomcat affecting versions 9.0.0.M1 to 9.0.98, 10.1.0-M1 to 10.1.34, and 11.0.0-M1 to 11.0.2. Two additional RCE flaws, CVE-2025-27636 and CVE-2025-29891, were revealed in Apache Camel, impacting versions from 3.10.0 to 3.22.3 and 4.8.0 to 4.10.1....

XWorm is a widely used and evolving remote access trojan (RAT) known for features like keylogging, remote access, and data theft. Its modular design, ease of use, and regular updates make it attractive to cybercriminals. Threat actors often use XWorm in attacks on the software supply chain and gaming sectors....

Attackers are increasingly leveraging Windows shortcut (.lnk) files as a stealthy malware delivery method. These files, designed to provide quick access to other files or programs, are being weaponized to execute malicious payloads while mimicking legitimate shortcuts. A sharp rise in malicious LNK samples—from 21,098 in 2023 to 68,392 in 2024—highlights their growing use....

A recent investigation uncovered a new email-based attack distributing a Remote Access Trojan known as DCRAT. The attacker is posing as a Colombian government entity to target organizations within Colombia. To evade detection, the threat actor employs several techniques, including password-protected archives, obfuscation, steganography, base64 encoding, and multiple file drops....

Labubu, part of "The Monsters" collectible series by toy company POP MART, has grown significantly in popularity. This surge has coincided with a rise in newly registered domains (NRDs) linked to Labubu and POP MART. Many of these domains are being used for cryptocurrency scams, gambling sites, or impersonating official Labubu and POP MART pages....

The intrusion started in November 2024 with a password spray attack against an exposed RDP server. The attacker attempted multiple logins over several hours using accounts and IPs flagged in OSINT sources. Eventually, they gained RDP access with a compromised account and executed discovery commands to enumerate users and systems....