Threat Research

UAT-8837 is a China-nexus threat actor assessed with medium confidence to specialize in gaining initial access to high-value organizations, with a clear focus on critical infrastructure targets in North America since at least 2025....

CastleLoader is a stealthy first-stage malware used in attacks against government organizations and various industries. It employs a multi-stage execution chain—Inno Setup, AutoIt, and process hollowing—to bypass security defenses. The final payload is deployed only in memory after process manipulation, evading traditional static detection....

Labs identified a new phishing campaign active in the wild. The attack delivers a new variant of Remcos, a lightweight commercial RAT with extensive capabilities. These include system resource control, remote surveillance, network operations, and agent management. I performed an in-depth analysis of the campaign’s full infection chain....

The Muddy Water APT has launched a spearphishing campaign targeting diplomatic, maritime, financial, and telecom sectors across the Middle East, delivering malicious Word documents with icon spoofing....

In November 2025, three malicious npm packages—bitcoin-main-lib, bitcoin-lib-js, and bip40—were identified. These packages were engineered to deploy a previously unknown remote access trojan (RAT) malware family. The malware, dubbed NodeCordRAT, propagates through npm and leverages Discord servers for command-and-control (C2) communications....

As one of the world’s largest social media platforms, Facebook has over 3 billion active users. This massive user base makes it a prime target for phishing attacks. Attackers seek to hijack accounts to exploit victims and their social networks. Their objective is to steal login credentials for fraud, data theft, or scam distribution....

A multi-stage campaign linked to AsyncRAT abuses trusted infrastructure to evade detection and ensure reliable payload delivery. Threat actors leverage Cloudflare free-tier services and TryCloudflare tunnels to host WebDAV servers, while phishing emails delivered via Dropbox use double-extension files to trick victims....

These scam messages falsely claim a charge for a product or subscription. They include a support number for recipients to call about the charge. Scammers wait for victims to call and attempt to cancel the fake billing. The operators then request credit card or other sensitive information. Recently, these scams have increasingly used calendar invites....

UAT-7290 is a sophisticated threat actor active since at least 2022, focused on gaining initial access and conducting espionage against high-value telecommunications and critical infrastructure targets in South Asia....

Medusa has emerged as one of the most active ransomware-as-a-service groups, ranking among the top 10 threats in 2025 and impacting over 500 organizations by January 2026....

GoBruteforcer is a Linux-based botnet that converts compromised servers into distributed scanners and password brute-force nodes targeting internet-exposed services such as phpMyAdmin, MySQL, PostgreSQL, and FTP....

CrazyHunter ransomware has rapidly emerged as a serious and evolving threat, underscoring the growing sophistication of modern cybercriminal operations. We have been actively monitoring this ransomware since its first appearance and have observed its swift development and increasing adoption....

PHALT#BLYX is a multi-stage malware campaign targeting the hospitality sector that relies on click-fix social engineering, fake CAPTCHAs, and fake BSOD pages delivered via Booking.com–themed phishing lures....

Arkanix Stealer is an actively developed credential-stealing malware promoted mainly on Discord, where its operators advertise frequent updates and new features. Originally written in Python, the malware has evolved to include a C++ “Premium” version with expanded theft capabilities such as VPN and Steam accounts, screenshots, and Wi-Fi credentials....

Tangerine Turkey utilizes VBScript-based worms that propagate laterally through removable media such as USB drives. The group relies on living-off-the-land binaries (LOLBins), including wscript.exe and printui.exe, to execute payloads and maintain persistence. To evade detection, they alter registry settings and disguise malicious executables as legitimate system files....