Threat Research

    TransferLoader is a newly identified malware loader active since February 2025, comprising a downloader, loader, and backdoor module. It was observed deploying Morpheus ransomware at a U.S. law firm. The malware uses heavy obfuscation to hinder analysis and enables remote command execution. Its backdoor leverages IPFS as a fallback for C2 updates....
    In January 2025, researchers uncovered a series of attacks delivering DarkCloud Stealer, a sophisticated malware that uses AutoIt scripting to evade detection. The attack chain involved hosting the malware on a file-sharing server and deploying multi-stage, obfuscated payloads, making it difficult for traditional security tools to detect....
    Lumma Stealer, active since mid-2022, is a Russian-origin infostealer sold via a Malware-as-a-Service model on Telegram. It targets credentials, session tokens, crypto wallets, and personal data from infected devices. The threat actor uses clever tactics like fake CAPTCHA challenges and social engineering during software downloads....
    In February 2025, TA406 launched phishing campaigns against Ukrainian government entities, delivering both credential-harvesting tools and malware. Likely aimed at gathering intelligence related to the ongoing Russian invasion, TA406 is a DPRK state-sponsored threat group, also known as Opal Sleet or Konni....
    Earth Ammit, a threat actor linked to Chinese-speaking APT groups, conducted two coordinated cyberespionage campaigns—VENOM and TIDRONE—between 2023 and 2024, targeting organizations in Taiwan and South Korea....
    A threat actor has been using phishing emails with malicious HTML attachments to distribute Horabot malware, primarily targeting Spanish-speaking users. The campaign impersonates invoices to steal email credentials and spread banking trojans across Latin America. Horabot uses Outlook COM automation to send phishing emails from compromised inboxes, aiding lateral movement....
    On April 24, 2025, SAP disclosed CVE-2025-31324, a critical vulnerability (CVSS 10.0) in SAP NetWeaver’s Visual Composer Framework (version 7.50). This flaw allows unauthenticated attackers to upload arbitrary files via the /developmentserver/metadatauploader endpoint, potentially leading to remote code execution and full system compromise....
    The DragonForce ransomware group has shifted its focus from politically motivated attacks to high-profile financial extortion campaigns, recently targeting UK retailers like Harrods, Marks and Spencer, and the Co-Op, causing significant disruptions to critical operations like payment systems and inventory management....
    The IR team recently identified a new email campaign distributing a Remote Access Trojan (RAT) targeting organizations in Spain, Italy, and Portugal. The attackers use the serviciodecorreo email service, which is authorized for multiple domains and passes SPF checks....
    A suspected Iranian cyber espionage operation was discovered impersonating a German modeling agency. The attackers created a fake website that replicated the real agency’s branding and used obfuscated JavaScript to secretly collect visitor data such as IP addresses, browser fingerprints, and screen resolutions....
    The Agenda ransomware group, also known as Qilin, has continued to evolve since its emergence in 2022, shifting its ransomware development from Go to Rust and incorporating advanced evasion, propagation, and remote execution capabilities. In a recent campaign, the group deployed SmokeLoader alongside a newly discovered....
    We have analyzed multiple recent incidents where threat actors exploited Microsoft Teams to target victims. Posing as the organization’s Help Desk, the attackers initiate contact via Teams messages. They then attempt to persuade users to execute a Trojanized version of the GlobalProtect installer....
    Our team has observed a surge in large-scale phishing campaigns written in Japanese, primarily targeting organizations in Japan using a phishing kit known as CoGUI. These campaigns often impersonate well-known consumer and payment brands like Amazon, PayPay, and Rakuten. CoGUI is a stealthy phishing framework designed to evade detection, with Japan being its main focus....
    A newly uncovered targeted campaign has revealed the resurgence of the Lampion malware, focusing on Portuguese organizations in the government, finance, and transportation sectors. Active since 2019, Lampion now incorporates ClickFix lures—a social engineering tactic that tricks users into executing malicious commands disguised as system fixes....
    Outlaw, also known as "Dota," is a Perl-based crypto-mining botnet targeting Linux systems by exploiting weak or default SSH credentials. While previously observed in honeypots, a recent real-world incident in Brazil highlights its continued effectiveness....