Threat Research

Device code phishing has rapidly evolved into a major identity-focused attack technique, driven by publicly available phishing toolkits, phishing-as-a-service (PhaaS) offerings, and AI-assisted “vibe coded” tools....

The Guardrails-AI incident highlights the growing sophistication of software supply chain attacks targeting AI and developer ecosystems. Even trusted and widely adopted packages can become delivery mechanisms for malicious payloads when repository infrastructure, CI/CD workflows, or deployment credentials are compromised....

A Russian-speaking threat actor known as “bandcampro” operated a MAGA-themed Telegram channel (@americanpatriotus, ~17,000 subscribers) for five years before shifting to AI-driven fraud and credential theft in September 2025....

The EtherRAT malware family was first identified by Sysdig in December 2025, initially exploiting CVE-2025-55182 (React2Shell) on Linux servers. In March 2026, Atos reported a Windows-based EtherRAT campaign with activity traced back to December 2025....

We investigated reports of a fake Claude AI website spreading malware. At first, the attack appeared similar to known PlugX campaigns due to shared techniques. Closer analysis revealed a first-stage DonutLoader payload and a previously undocumented backdoor....

In March 2026, ThreatLabz uncovered an attack chain targeting AI agentic workflows through a malicious OpenClaw framework skill. The attackers used manipulated installation instructions to trick autonomous AI agents into downloading and executing a remote MSI package....

The InstallFix campaign is a social engineering attack targeting users searching for Anthropic’s Claude AI through fake installation pages promoted via Google Ads. It uses convincing, OS-specific instructions to trick users into executing malicious PowerShell commands....

The increasing reliance on AI has led to a surge in AI-driven tools. However, these platforms can also be exploited for malicious purposes, as demonstrated in the case of Kuse.ai. While Kuse is generally regarded as a reliable workplace solution, threat actors continuously develop new social engineering tactics....

Kali365 is a newly emerged phishing-as-a-service (PhaaS) kit that abuses OAuth device code registration flows to conduct large-scale credential phishing campaigns. Distributed through Telegram, the platform offers advanced capabilities including mailbox scanning, phishing page generation, and AI-powered chatbot assistance for creating convincing lures....

Threat actors are abusing AI workflow automation platforms like n8n to conduct sophisticated phishing campaigns by sending automated emails that deliver malware and fingerprint victim devices. By leveraging trusted services and integrations with tools like Slack, Gmail, and AI models, attackers can bypass traditional security controls and scale their operations....