Threat Research

    Researchers uncovered and analyzed the full source code of an AI-driven AiTM phishing platform called “UPMI ULTIMATE,” linked to a group named “Team Unlimited.” The code was retrieved from an exposed central server that manages licensing, intelligence sharing, and remote control for all client instances....
    EvilTokens is a newly identified phishing-as-a-service (PhaaS) kit that enables large-scale Microsoft device code phishing attacks. It leverages social engineering techniques and has been rapidly adopted by cybercriminals for Adversary-in-the-Middle (AitM) and Business Email Compromise (BEC) operations....
    An active phishing campaign is impersonating a cloud file storage service and major e-signature platforms. Instead of stealing passwords, it exploits Microsoft’s legitimate Device Code OAuth flow. Victims are tricked into entering a verification code on Microsoft’s real login page. The attacker intercepts OAuth tokens, gaining persistent access to accounts and data....
    A targeted campaign is using phishing emails with fake resume (CV) attachments to infect French-speaking corporate environments with heavily obfuscated VBScript malware....
    Since late December 2025, the team has handled multiple incidents involving voice-based phishing (vishing) leading to data theft and extortion. These attacks have targeted organizations across Financial Services, Manufacturing, Professional & Legal Services, and Wholesale & Retail sectors....
    A recent campaign involving Remcos RAT demonstrates the shift toward fileless malware techniques, using phishing emails with procurement-themed lures to initiate infection. The attack chain delivers a JavaScript downloader that retrieves an AES-obfuscated PowerShell payload, which then loads a .NET injector to perform process hollowing on a legitimate Windows process....
    On 28 February 2026, the US and Israel launched strikes inside Iran in a campaign named Operation Epic Fury, targeting missiles, air defenses, military infrastructure, and leadership assets. Iran retaliated with missile and drone attacks against US embassies and military bases across the region....
    Cybercriminals are exploiting the heightened political tensions in the Middle East to launch opportunistic cyber campaigns using conflict-themed lures. Thousands of newly registered domains related to the conflict have been identified, many of which may be used for future malicious activity such as phishing, scams, and malware distribution....
    On Feb. 28, 2026, joint US–Israel strikes reduced Iran’s internet connectivity to 1–4%, disrupting leadership communications and degrading command-and-control across state networks. Security teams identified an SMS/phishing campaign distributing a trojanized Israeli Home Front Command RedAlert APK for surveillance and data exfiltration....
    “New Dohdoor Malware Campaign Targets Education and Health Care” outlines a phishing-driven, multi-stage attack primarily impacting U.S. education and healthcare organizations....