Threat Research

In March 2025, activity from APT-C-36, also known as Blind Eagle, was detected following similar tactics used in previous campaigns. The group, believed to be a South American threat actor, initiates attacks with .url files that download an initial downloader from a WebDAV server....

Detects the creation of a Python path configuration file (.pth) in library directories, which can be exploited for code execution and persistence. These files reference modules that execute automatically at every Python startup (v3.5+), even if not explicitly imported....

A new ransomware operator, Mora_001, has been exploiting two Fortinet vulnerabilities, particularly targeting Fortigate firewall appliances, to deploy a ransomware strain named SuperBlack. Mora_001 is linked to the LockBit ransomware ecosystem and uses a combination of opportunistic attack methods....

Threat actors are increasingly using legitimate Remote Monitoring and Management (RMM) tools in email campaigns as an initial attack vector. While RMM software is essential for IT administrators, cybercriminals exploit it similarly to remote access trojans (RATs)....

We recently discovered several malware samples with unique traits that made attribution and analysis difficult. While many threat actors rely on publicly available tools, some develop custom malware with novel techniques....

The blog post discusses how threat actors use Virtual Hard Disk (VHD) image files to deliver and distribute VenomRAT malware. The campaign begins with a phishing email that lures victims with a purchase order attachment. When extracted, the email contains a VHD file that mounts itself as a virtual drive....

The Water Scylla intrusion set involves multiple stages, including compromised websites, collaboration with Keitaro TDS operators, SocGholish payload delivery, and post-compromise activity leading to RansomHub. As of early 2025, SocGholish detections are highest in the U.S., with government organizations heavily impacted....

In mid-2024, researchers discovered the China-nexus espionage group UNC3886 deploying custom TINYSHELL backdoors on Juniper Networks’ Junos OS routers, including end-of-life devices. These backdoors featured capabilities like disabling logging mechanisms and enabling passive and active access....

This joint Cybersecurity Advisory is part of the ongoing #StopRansomware initiative, providing network defenders with insights into ransomware variants and threat actors. These advisories share observed tactics, techniques, procedures (TTPs), and indicators of compromise (IOCs) to enhance protection....

Iranian hackers are suspected of using a compromised email account from the Indian company INDIC Electronics to launch a targeted phishing campaign against UAE’s aviation and satellite communications sectors. The attack involved obfuscated malicious files and scripts, ultimately delivering a DLL backdoor, Sosano....

Email continues to be a common method for malware distribution, with most malicious messages intercepted by spam traps and security filters. Threat actors constantly adapt their techniques to bypass these defenses, including altering file extensions for attached zip archives. In this case, the email contained a zip archive disguised with a 7-Zip file extension....

AI-assisted fake GitHub repositories are being used to distribute SmartLoader, which delivers Lumma Stealer and other malware. These repositories disguise malicious software as gaming cheats and cracked tools, evading detection through AI-generated content....

"Unmasking the new persistent attacks on Japan" reveals an ongoing cyber campaign targeting Japanese organizations across various sectors across various business verticals, including technology, telecommunications, entertainment, education, and e-commerce, based on our analysis of command and control (C2) server artefacts....

The DeepSeek AI chatbot, launched on January 20, 2025, quickly became a target for abuse. Threat actors use brand impersonation tactics to create fraudulent websites that trick users into revealing sensitive information or executing malware....

"Havoc: SharePoint With Microsoft Graph API Turns Into FUD C2" refers to the use of the Havoc command-and-control (C2) framework, which is open-source and available on GitHub, by threat actors to gain full control over a target....