Threat Research

Researchers uncovered multiple cyber-espionage campaigns targeting a Southeast Asian government organization. The investigation traced Stately Taurus activity (June–Aug 2025), involving USB-spread USBFect (HIUPAN) malware deploying a PUBLOAD backdoor....
A stealthy malware campaign is abusing digitally signed remote monitoring and management (RMM) tools to gain persistent access and evade detection. The attack leverages legitimate file-hosting updater mechanisms to execute cloud-syncing processes, enabling disguised traffic and potential data exfiltration....
A targeted campaign is using phishing emails with fake resume (CV) attachments to infect French-speaking corporate environments with heavily obfuscated VBScript malware....
Threat actors distributed fake OpenClaw installers through malicious GitHub repositories to infect users with information stealers and the GhostSocks proxy malware. The campaign used a custom Stealth Packer to evade detection and targeted users searching for OpenClaw installers on Windows and macOS....
Unmasking Agent Tesla: A Deep Dive into a Multi-Stage Campaign examines how Agent Tesla continues to pose a significant threat by enabling even low-skilled actors to steal sensitive information through a refined and layered infection process....
Malicious OpenClaw Skills Used to Distribute Atomic macOS Stealer describes a campaign in which threat actors shifted Atomic (AMOS) Stealer from cracked software distribution to a supply-chain-style attack targeting AI agentic workflows on platforms like OpenClaw....
Evelyn Stealer is a multistage information-stealing campaign that abuses the Visual Studio Code extension ecosystem to compromise software developers....
GoBruteforcer is a Linux-based botnet that converts compromised servers into distributed scanners and password brute-force nodes targeting internet-exposed services such as phpMyAdmin, MySQL, PostgreSQL, and FTP....
Arkanix Stealer is an actively developed credential-stealing malware promoted mainly on Discord, where its operators advertise frequent updates and new features. Originally written in Python, the malware has evolved to include a C++ “Premium” version with expanded theft capabilities such as VPN and Steam accounts, screenshots, and Wi-Fi credentials....
This article presents a technical analysis of the VVS stealer (also known as VVS $tealer), focusing on its obfuscation and evasion techniques. Written in Python, the malware targets Discord users by exfiltrating credentials and authentication tokens. VVS stealer was actively developed and advertised for sale on Telegram as early as April 2025....