Threat Research

    CRESCENTHARVEST is a targeted cyberespionage campaign using protest-themed lures to infect Farsi-speaking individuals with malicious .LNK files disguised as media content. The malware, deployed via DLL sideloading with a signed Google executable, acts as a remote access trojan and information stealer capable of keylogging, command execution, and data exfiltration....
    "New Dohdoor Malware Campaign Targets Education and Health Care" outlines a phishing-driven, multi-stage attack primarily impacting U.S. education and healthcare organizations....
    Labs have uncovered targeted phishing campaigns in Taiwan that exploit local business workflows. The attacks deliver Winos 4.0 (ValleyRat) and additional malicious plugins through weaponized attachments and embedded links. Lures impersonate official communications, including tax audit notices, tax software installers, and cloud e-invoice downloads....
    Evelyn Stealer is a multistage information-stealing campaign that abuses the Visual Studio Code extension ecosystem to compromise software developers....
    A sophisticated phishing campaign targeting Indian entities has been attributed to the Chinese Silver Fox APT. The attackers used highly convincing Income Tax–themed lures to deliver malware through a complex kill chain involving DLL hijacking and the modular Valley RAT, enabling long-term persistence....
    The Evasive Panda APT group conducted highly targeted campaigns between November 2022 and November 2024, abusing poisoned DNS responses to deliver its MgBot malware. The attackers leveraged adversary-in-the-middle (AitM) techniques to fetch encrypted malware components from attacker-controlled servers based on victim-specific DNS requests....
    Since early 2025, China’s presence in the Indo-Pacific has become increasingly assertive. Activities have ranged from heightened maritime tensions to acting as a peacebroker for Myanmar’s junta. More recently, espionage efforts have targeted joint Philippine naval exercises with the US, Australia, Canada, and New Zealand....
    RoningLoader is a new, advanced loader used in a recent DragonBreath (APT-Q-27) campaign that distributes a modified gh0st RAT through trojanized NSIS installers posing as legitimate apps like Chrome and Microsoft Teams....
    CHAMELEON_NET is a targeted malspam campaign delivering the DarkTortilla .NET loader to distribute FormBook. Infection starts with a phishing email and a .bz2 archive that drops an obfuscated JavaScript file. The JS launches a VB.NET loader that decrypts an embedded DLL via an index-based XOR and reflectively loads it in memory....
    North Korea-linked Lazarus Group has launched a new wave of Operation DreamJob, targeting European defense companies involved in unmanned aerial vehicle (UAV) development. The campaign uses trojanized open-source GitHub projects and the ScoringMathTea malware to steal proprietary data and manufacturing know-how....