Threat Research

The threat actor gained initial access via a fake Zoom installer, deploying d3f@ckloader and IDAT loader to drop SectopRAT. After nine days, SectopRAT delivered Cobalt Strike and Brute Ratel, enabling lateral movement through remote services and RDP. To facilitate RDP movement, the attacker used QDoor, a malware with proxy capabilities....

HijackLoader, a malware loader first discovered in 2023, has been updated with new modules that enhance its evasion tactics. These include call stack spoofing to hide function call origins, anti-VM checks to detect analysis environments, and a module for establishing persistence through scheduled tasks....

Water Gamayun exploits the MSC EvilTwin zero-day (CVE-2025-26633) to compromise systems and steal data using custom payloads and exfiltration techniques. The attack deploys malicious provisioning packages, signed .msi files, and Windows MSC files, leveraging tools like IntelliJ runnerw.exe for execution....

A campaign targeting users in Ukraine is using malicious LNK files, which run a PowerShell downloader. These files are named with Russian words related to troop movements in Ukraine to lure victims. The downloader connects to geo-fenced servers in Russia and Germany to retrieve a second-stage Zip file containing the Remcos backdoor....

In 2021, researchers reported that PJobRAT, an Android RAT first seen in 2019, targeted Indian military personnel by mimicking dating and messaging apps. Since then, little has been reported—until a recent threat hunt uncovered a now-concluded campaign targeting users in Taiwan....

The blog highlights how malware creators exploit popular trends, such as "AI" and "DeepSeek," to deceive unsuspecting users into downloading malicious software. By manipulating search engine optimization (SEO) and using trending keywords, cybercriminals boost the visibility of malicious sites....

"CoffeeLoader: A Brew of Stealthy Techniques" is a sophisticated malware loader designed to deploy secondary payloads while evading detection by endpoint security software. It employs advanced techniques such as call stack spoofing, sleep obfuscation, and Windows fibers to avoid analysis....

DragonForce ransomware is a malicious program that encrypts files on compromised systems and demands a cryptocurrency ransom, typically in Bitcoin, for decryption. It spreads through phishing emails, malicious websites, and system vulnerabilities. While it shares similarities with other ransomware variants, DragonForce exhibits distinct features and behaviors....

"New Android Malware Campaigns Evading Detection Using Cross-Platform Framework .NET MAUI" discusses how cybercriminals are exploiting the .NET MAUI framework to create malware that bypasses security measures. These threats disguise themselves as legitimate apps to steal sensitive information....

Trend Research uncovered a campaign by the Russian threat actor Water Gamayun exploiting a zero-day in the Microsoft Management Console (CVE-2025-26633). The attack manipulates .msc files and MUIPath to execute malicious code, maintain persistence, and steal data. This threat poses significant risks to enterprises, potentially leading to data breaches and financial losses....

"Cyber Threat Hunting in Healthcare, File Infectors, Botnets" expands on the initial investigation into Silver Fox, a Chinese threat actor abusing Philips DICOM viewers to deploy a backdoor trojan....

Recent threat data reveals key insights into phishing campaigns and evolving cybercriminal tactics. Facebook remains a top phishing target due to its widespread use and valuable user data, with scams often disguised as account warnings....

Cybercriminals in the UAE are impersonating Dubai Police to defraud consumers, using social engineering tactics such as smishing, phishing, and vishing. Victims are tricked into paying non-existent fines, including traffic tickets and license renewals, via fraudulent phone calls....

The financially motivated Albabat ransomware group has resurfaced with new versions. Our threat-hunting team recently identified versions 2.0.0 and 2.5, which target Windows while also collecting system and hardware data from Linux and macOS....

We've identified an ongoing campaign leveraging strategically aged domains in Traffic Direction System (TDS) activity. The final landing pages promote investment scams and fraudulent part-time or work-from-home opportunities. To evade detection, attackers register new domains and keep them dormant for at least a month before activation....