Threat Research

Our researchers recently identified AI-themed websites being used to distribute malware. Threat actors are leveraging the popularity of tools like ChatGPT and Luma AI to lure users. These malicious sites, often built on WordPress, are optimized to rank in search engines and attract traffic....

Identifies potentially suspicious subprocesses, such as LOLBINs, that are launched by web browsers. This behavior may indicate the use of the "FileFix" social engineering technique, in which victims are deceived into opening File Explorer through a browser-based phishing page and unknowingly pasting malicious commands into the address bar....

A variant of the Android-based Remote Access Trojan (RAT) known as SpyMax is currently being distributed through social engineering campaigns. Cybercriminals are targeting mobile users by spreading fake apps—such as counterfeit versions of Telegram or wedding invitation apps—via messaging platforms like WhatsApp....

Remcos RAT, a sophisticated Remote Access Trojan originally marketed as a legitimate tool, is now widely abused for espionage, credential theft, and system control. Created by Breaking Security, it has been adopted by APT groups and cybercriminals for malicious purposes. Recent campaigns used stealthy, fileless PowerShell loaders to deploy Remcos entirely in memory....

PowerShell MSI Install via WindowsInstaller COM From Remote Location refers to the use of PowerShell to install MSI files through the WindowsInstaller.Installer COM object, especially when the files are hosted remotely....

The campaign targets the energy, oil, and gas sectors using phishing and Microsoft ClickOnce exploitation. It shows traits linked to Chinese threat actors, though attribution remains tentative. Using “living off the land” tactics, it hides malicious activity within legitimate cloud and enterprise tools....

APT36, or Transparent Tribe, is a Pakistan-based threat group targeting Indian defense personnel via advanced phishing campaigns. They send emails with malicious PDFs mimicking government documents, leading to fake National Informatics Centre (NIC) login pages. Clicking the fake login triggers a download of a ZIP file containing disguised malware....

Since at least July 2023, a threat group tracked as CL-CRI-1014 has been targeting financial institutions across Africa. These attackers use open-source tools like PoshC2, Chisel, and Classroom Spy to establish remote access and create communication tunnels. They forge file signatures by mimicking legitimate software to evade detection....

Detects the execution of a child process through "conhost.exe" using the "--headless" flag. The "--headless" flag suppresses the display of any windows, keeping the process hidden from the user....

Cybercriminals are leveraging social media platforms to distribute malware by disguising it as cracked versions of popular software. Victims are lured to download ZIP files containing password-protected 7-Zip archives, with the passwords often displayed in the file names or download pages. These campaigns frequently use non-ASCII characters in file names to evade detection....

Meterpreter is a trojan-type malware that allows attackers to remotely control infected systems by injecting itself into existing processes. It can send/receive files, execute commands, capture screenshots, and log keystrokes. Commonly spread via infected email attachments, malicious ads, and social engineering, it often leads to further malware infections like ransomware....

Our researchers have observed a new wave of Prometei botnet activity. Prometei refers to both the malware family and the botnet infrastructure used to remotely control compromised Linux and Windows systems for Monero mining and credential theft....

Water Curse, a newly identified threat actor, is exploiting weaponized GitHub repositories to deliver multistage malware disguised as legitimate open-source tools....

Our team has identified a newly rebranded information stealer named Amatera Stealer, derived from ACR Stealer and delivered through complex web inject-based attack chains. Much of its code overlaps with known ACR Stealer samples, and it is currently offered as a malware-as-a-service (MaaS) and remains under active development....

Cybercriminals have crafted a new attack method that leverages misconfigured Docker remote APIs and the Tor network to conduct covert cryptocurrency mining. Once inside containerized environments, attackers use Tor to conceal their operations while deploying crypto miners....