Threat Research

    The threat actor gains initial access through vishing attacks, impersonating internal IT staff to trick victims into entering their credentials and MFA codes on phishing pages. Once access is obtained, the actor quickly identifies and exfiltrates sensitive data from cloud services such as SharePoint and OneDrive, a tactic commonly observed among Com-affiliated groups....
    Argamal is a newly identified malware family distributed through infected hentai games hosted on file-sharing platforms. Once a victim launches the game, a malicious implant is installed and later downloads additional Trojan payloads, enabling full system compromise and remote control by attackers....
    In March, Labs identified a new Gafgyt botnet variant called C0XMO that spreads by exploiting CVE-2021-27137. Unlike earlier variants, C0XMO uses a separate Python script for lateral movement, improving propagation across different devices and architectures....
    This research analyzes a ClickFix campaign leveraging the spoofed licensing-themed website canndelta.com to deliver the PureLogs stealer through malicious PowerShell commands. The attack uses Donut shellcode, fileless execution, RWX memory allocation, and in-memory .NET assembly loading to evade detection....
    Hackers are increasingly abusing trusted platforms like YouTube and search engines to distribute malware. A newly uncovered campaign called "WeedHack" specifically targets Minecraft's massive player base. Minecraft's open ecosystem of mods and custom clients makes it a prime target for cybercriminals....
    Operation FlutterBridge is a large-scale malvertising campaign targeting macOS users through malicious Google advertisements that distribute FlutterShell, a Flutter-based malware with both adware and backdoor capabilities....
    A recent threat assessment has identified a highly advanced banking Trojan delivered through a malicious browser extension, specifically targeting Australian banking customers. Unlike conventional malware that disrupts systems or causes noticeable damage, this threat is designed to remain undetected....
    Gamaredon, a Russian APT (Advanced Persistent Threat) group operated by the FSB, continues to conduct long-term cyberespionage campaigns targeting Ukrainian government, military, and critical infrastructure organizations....
    TUXBOT v3 Evolution, also known as Akiru, is a previously undocumented modular IoT botnet framework designed for large-scale device compromise and DDoS-for-hire operations. The framework targets multiple IoT device families through vulnerability exploitation and extensive Telnet brute-forcing, supporting numerous hardware architectures and encrypted C2 communications....
    In late April 2026, we were retained for incident response after a client detected unauthorized cryptocurrency miners on user workstations. Our investigation revealed the malware was delivered through illicit movie and TV streaming platforms using a deceptive video player plugin update....
    First VPN Service was a criminally oriented VPN infrastructure that operated for over a decade and was widely used by ransomware groups and other cybercriminals to conduct network reconnaissance, intrusions, scanning, botnet activity, denial-of-service attacks, and scams....
    A malware campaign is targeting users searching for open-source C++ IDE software by redirecting them from legitimate websites to fake MEGA Transfer pages that deliver RemusStealer....
    Security researchers have discovered OverlayPhantom, a new Android banking trojan spreading through malicious URLs. The malware utilizes a two-stage infection process, relying on dropper apps that impersonate trusted platforms like TikTok and the Austrian government’s "ID Austria" app to trick users....
    We recently uncovered a phishing campaign delivering a variant of PureLogs, an infostealer designed to harvest sensitive data from compromised devices. This report breaks down the campaign's mechanics, analyzing the deceptive "purchase order" emails used to trick victims and the inner workings of the initial JavaScript payload....