Threat Research

    Our team discovered an Android malware, “SikkahBot,” active since July 2024, targeting students in Bangladesh. Disguised as apps from the Bangladesh Education Board, it lures users with fake scholarships to steal sensitive data....
    We identified an email campaign promoting fake luxury shopping sites via enticing subject lines and links. The sites mimic legitimate stores, redirect to PayPal for payment, and show deep discounts on luxury items. Domains are tied to malicious IPs, mostly in Vietnam (AS 149137, AS 149123, AS 149125), and hosted via US-based cloud providers....
    The TAOTH campaign exploited an abandoned Sogou Zhuyin IME update server and spear-phishing to deliver malware like TOSHIS, C6DOOR, DESFY, and GTELAM. Targeting users across Eastern Asia—especially Traditional Chinese speakers—it focused on high-value individuals such as dissidents, journalists, and tech leaders....
    Chinese state-sponsored APT (Advanced Persistent Threat) actors are conducting global cyber espionage operations targeting key infrastructure sectors such as telecommunications, government, transportation, and military networks....
    A recent phishing campaign is targeting companies through emails containing malicious URLs that lead to spoofed websites tailored to the recipient’s email domain. These convincing sites trick users into downloading JavaScript files that act as droppers for UpCrypter malware....
    QuirkyLoader is a newly observed malware loader, active since November 2024, used to deliver various infostealers and remote access trojans (RATs) like Agent Tesla, AsyncRAT, FormBook, Remcos, and others. The infection begins with phishing emails containing malicious archives. These archives include a legitimate executable, an encrypted payload, and a malicious DLL....
    In March 2025, Intelligence Group uncovered a PRC-linked UNC6384 campaign targeting diplomats in Southeast Asia, aligning with China's cyber espionage goals. The threat actor hijacked captive portals to deliver a signed downloader, STATICPLUGIN, which deployed the PlugX backdoor in memory....
    "The Resurgence of IoT Malware: Inside the Mirai-Based 'Gayfemboy' Botnet Campaign" explores a stealthy and evolving malware strain named "Gayfemboy," initially discovered by a Chinese cybersecurity firm. Over the past year, the malware resurfaced with renewed activity in July, targeting vulnerabilities in IoT devices from vendors like DrayTek, TP-Link, Raisecom, and Cisco....
    Threat actors are increasingly leveraging an AI-powered website generation platform to create fraudulent websites used for credential phishing and malware distribution. These actors are building or duplicating sites that mimic well-known brands, incorporating CAPTCHA challenges to evade detection, and exfiltrating stolen credentials via Telegram....
    Linux is trusted for its security, stability, and control, often seen as safer than Windows. But this trust can create blind spots, as attackers innovate beyond software exploits. New threats use behaviors, scripts, and even filenames to breach systems stealthily. We’ll explore a real Linux malware case where a filename alone triggers infection....
    This report details a stealthy campaign exploiting CVE-2024-36401, a critical RCE vulnerability (CVSS 9.8) in GeoServer, to gain access to victims' machines and monetize their internet bandwidth. Attackers deploy legitimate or modified SDKs to turn compromised systems into residential proxies, mimicking legal monetization practices used by app developers....
    The report analyzes CORNFLAKE.V3, a backdoor malware with variants written in JavaScript and PHP, designed to retrieve and execute various payloads via HTTP, including shell commands, executables, and DLLs. It features host persistence through Windows registry Run keys and abuses Cloudflare Tunnels to proxy traffic to remote servers. CORNFLAKE....
    A widespread cybercrime campaign is distributing the Efimer Trojan, a stealthy malware designed to steal cryptocurrency through phishing emails, compromised WordPress websites, and fake torrent downloads. The phishing emails, posing as legal threats from prominent law firms, accuse recipients of domain trademark violations to trick them into opening infected attachments....
    A newly identified threat actor group, Curly COMrades, is targeting critical organizations in geopolitically sensitive regions, including government bodies in Georgia and an energy company in Moldova. Believed to support Russian interests, the group aims to maintain long-term access, steal credentials, and exfiltrate data....
    A Russian state-sponsored cyber campaign has been targeting Western logistics and technology companies, particularly those supporting the coordination, transportation, and delivery of foreign aid to Ukraine....