Threat Research

In early February 2025, a phishing campaign targeting Ukrainian entities used invoice and billing-themed emails containing compressed archives with obfuscated JavaScript files. These files deployed PowerShell downloaders to install SmokeLoader, leveraging the Emmenthal loader....

Detects the execution of a renamed binary commonly used by attackers or malware, using the new Sysmon OriginalFileName data point for identification....

We recently investigated a cluster of VPSs used for Monero mining, linked to updated samples from past H2miner campaigns. H2miner, active since late 2019, is a crypto-mining botnet, while Lcryx (aka Lcrypt0rx) is a VBScript-based ransomware first seen in November 2024....

Between March and June 2025, multiple China-aligned threat actors intensified cyber espionage efforts against Taiwan’s semiconductor industry. Groups such as UNK_FistBump, UNK_DropPitch, and UNK_SparkyCarp launched phishing campaigns delivering tools like Cobalt Strike, the Voldemort backdoor, and AiTM phishing kits....

A new wave of SquidLoader malware is actively targeting financial institutions in Hong Kong. This advanced malware demonstrates strong evasion techniques, showing near-zero detection of VirusTotal during analysis. SquidLoader’s attack chain leads to the deployment of a Cobalt Strike Beacon, enabling remote access and control....

This report examines a recent ransomware attack by the BlackSuit group, a successor to the Royal ransomware family. Known for its hybrid tactics, BlackSuit combines data exfiltration with encryption, using advanced tools like PsExec, Cobalt Strike, RDP, and rclone to execute commands, move laterally, and extract data....

Detects the use of Sysinternals ADExplorer with the "-snapshot" flag to create a local copy of the Active Directory database. Attackers may leverage this snapshot to extract data for tools like BloodHound, gather usernames for password spraying, or exploit metadata for social engineering....

This report analyzes a complex phishing campaign that uses multi-stage, modular techniques to deliver high-risk malware, specifically the credential-stealer Agent Tesla. Compressed email attachments contain layered droppers that deploy the malware by injecting it into trusted system processes, evading detection....

In the wake of heightened Israel-Iran-USA tensions, Iranian-backed ransomware group Pay2Key has re-emerged as Pay2Key.I2P. Now operating as a ransomware-as-a-service (RaaS) platform, it's linked to the Fox Kitten APT group and shares capabilities with Mimic ransomware’s ELENOR-Corp variant....

We’ve discovered a new, resilient variant of the Interlock ransomware group’s remote access trojan (RAT), now rewritten in PHP rather than JavaScript (previously known as NodeSnake). This version has been actively used in a widespread campaign linked to the LandUpdate808 (aka KongTuke) threat clusters since May 2025....

Hpingbot is a newly discovered, cross-platform botnet family written in Go, actively spreading since June 2025. Designed for Windows, Linux, and IoT devices, it supports multiple architectures including amd64, ARM, MIPS, and 80386. Unlike variants based on Mirai or Gafgyt, Hpingbot is built from scratch, showing advanced innovation and efficiency....

This article provides hunting tips and mitigation strategies for ClickFix campaigns, along with insights into major 2025 incidents. Notable cases include NetSupport RAT with a new loader, Latrodectus malware using ClickFix lures, and widespread Lumma Stealer activity....

A recent malware campaign hosted on GitHub abuses popular lures like “Free VPN for PC” and “Minecraft Skin Changer” to trick users into executing a malicious dropper named Launch.exe. The campaign uses techniques such as process injection, DLL side-loading, and stealthy execution to deploy Lumma Stealer, an information-stealing malware....

In May 2025, threat actors were found hosting malicious WordPress sites to distribute tampered versions of the legitimate NetSupport Manager Remote Access Tool (RAT). This report examines the techniques and tools used to deploy the NetSupport RAT, with a focus on malicious JavaScript....

Detects unusual process activity where Sysmon is observed as the parent process—behavior that may indicate exploitation attempts, such as those associated with CVE-2022-41120....