Threat Research

    A North Korea-aligned group, Famous Chollima, is using fake job offers to lure victims into installing malware. In a recent case, a trojanized Node.js app called Chessfi was distributed via the NPM package node-nvm-ssh. The group’s tools, BeaverTail and OtterCookie, have evolved by merging functionalities and adding a new JavaScript module for keylogging and taking screenshots....
    A sophisticated Android campaign uses adult-content lures to distribute malicious APKs. It has a multi-stage architecture with obfuscated front-end lure sites and a separate backend; the front pages use commercial JS obfuscation (jsjiami[.]com) and Triple DES to conceal backend URLs and config....
    Attackers leveraged a Cisco SNMP vulnerability (CVE-2025-20352) to install Linux rootkits on outdated and unsecured systems. This allowed them to achieve remote code execution (RCE) and maintain persistent, unauthorized access by setting universal passwords and embedding hooks into the IOSd memory space....
    PhantomVAI Loader is a stealthy, multi-stage loader propagated via phishing that uses obfuscated scripts and steganography to hide payloads. Originally called Katz Stealer Loader for delivering Katz Stealer, it has evolved to deliver multiple infostealers (including Katz, AsyncRAT, XWorm, FormBook and DCRat) and is offered as malware-as-a-service....
    The team has detected a surge in Android malware posing as Indian RTO apps, targeting Indian users to steal sensitive data. The malware spreads via WhatsApp and SMS with shortened links redirecting to malicious APKs hosted on GitHub or compromised sites. Once installed, it uses phishing pages to steal banking credentials and UPI PINs, and intercepts SMS messages containing financial data....
    A recent intrusion beginning in August 2025 revealed China-nexus threat actors using a technique called log poisoning to deploy a China Chopper web shell on vulnerable web servers. The attackers used AntSword for control and introduced a lesser-known tool, Nezha, to run commands and later deploy Ghost RAT. This marks the first known use of Nezha in web compromises....
    Two new Android spyware campaigns, ProSpy and ToSpy, are targeting privacy-conscious users in the UAE by impersonating secure messaging apps like Signal and ToTok....
    TA585 is a newly identified and sophisticated cybercriminal group operating its full attack chain—from infrastructure to malware delivery. It frequently uses MonsterV2 malware, which functions as a remote access trojan (RAT), loader, and stealer, and is sold on cybercriminal forums....
    The team has identified a new Stealit malware campaign using Node.js' Single Executable Application (SEA) to deliver its payloads. The discovery followed a surge in detections of a Visual Basic script used for persistence. Earlier versions relied on Electron to package Node....
    Astaroth is a stealthy banking trojan that has evolved to become more resilient by abusing GitHub. Instead of relying solely on traditional command-and-control (C2) servers, it uses GitHub repositories to host malware configurations, allowing it to stay active even when C2 infrastructure is taken down....
    Beginning in late September 2025, a threat actor linked to the CL0P extortion group launched a large-scale campaign targeting organizations using Oracle E-Business Suite (EBS)....
    A major botnet campaign, dubbed RondoDox, is actively exploiting over 50 known vulnerabilities in routers, DVRs, NVRs, CCTV systems, and web servers from more than 30 vendors. Organizations with internet-facing infrastructure face heightened risks of data theft, persistent access, and operational disruption....
    We are tracking BRICKSTORM malware, used to maintain long-term access to U.S. organizations. Since March 2025, Team Consulting has responded to intrusions in sectors like legal, SaaS, BPOs, and tech. The targets likely support zero-day development and serve as pivot points to broader victims....
    Attackers are leveraging a social engineering technique called ClickFix—which tricks users into manually executing malware—and are now packaging it into phishing kits for easy use. One such kit, the IUAM ClickFix Generator, automates the creation of deceptive phishing pages that mimic browser verification screens....
    On September 18, 2025, a critical vulnerability (CVE-2025-10035, CVSS 10.0) was disclosed in GoAnywhere MFT's License Servlet, affecting versions up to 7.8.3. The flaw allows attackers to bypass signature verification and deserialize arbitrary objects, potentially leading to command injection and remote code execution....