Threat Research

    First VPN Service was a criminally oriented VPN infrastructure that operated for over a decade and was widely used by ransomware groups and other cybercriminals to conduct network reconnaissance, intrusions, scanning, botnet activity, denial-of-service attacks, and scams....
    In late April 2026, we were retained for incident response after a client detected unauthorized cryptocurrency miners on user workstations. Our investigation revealed the malware was delivered through illicit movie and TV streaming platforms using a deceptive video player plugin update....
    A malware campaign is targeting users searching for open-source C++ IDE software by redirecting them from legitimate websites to fake MEGA Transfer pages that deliver RemusStealer....
    Security researchers have discovered OverlayPhantom, a new Android banking trojan spreading through malicious URLs. The malware utilizes a two-stage infection process, relying on dropper apps that impersonate trusted platforms like TikTok and the Austrian government’s "ID Austria" app to trick users....
    We recently uncovered a phishing campaign delivering a variant of PureLogs, an infostealer designed to harvest sensitive data from compromised devices. This report breaks down the campaign's mechanics, analyzing the deceptive "purchase order" emails used to trick victims and the inner workings of the initial JavaScript payload....
    Device code phishing has rapidly evolved into a major identity-focused attack technique, driven by publicly available phishing toolkits, phishing-as-a-service (PhaaS) offerings, and AI-assisted “vibe coded” tools....
    Pervasive SSH tunnel activity from 2025 persisted into 2026, targeting Russian and Belarusian entities. The cyberespionage group Cloud Atlas, active since 2014, is behind some of these attacks. Recent investigations revealed new tools and indicators of compromise linked to the group. They have resumed using malicious shortcut archives to launch PowerShell scripts....
    An Iran-linked APT group known as Screening Serpens conducted targeted cyberespionage campaigns against organizations in the U.S., Israel, the UAE, and other Middle Eastern regions during early 2026....
    Void Dokkaebi (also known as Famous Chollima) has evolved its InvisibleFerret malware by shifting from readable Python scripts to Cython-compiled binaries, improving evasion and making detection more difficult....
    The Guardrails-AI incident highlights the growing sophistication of software supply chain attacks targeting AI and developer ecosystems. Even trusted and widely adopted packages can become delivery mechanisms for malicious payloads when repository infrastructure, CI/CD workflows, or deployment credentials are compromised....
    Users searching for legitimate C++ software land on a compromised site that executes malicious JavaScript. The script conducts heavy profiling via browser fingerprinting, mouse telemetry, and click interception. Profiled victims are redirected through intermediary domains to a dynamic, fake "MEGA Transfer" page....
    Webworm, a China-aligned APT group, has evolved its operations by shifting from traditional malware families toward stealthier custom tools and proxy-based techniques. In 2025, the group introduced new backdoors such as EchoCreep and GraphWorm, which abuse trusted platforms like Discord and Microsoft Graph API for command-and-control communication....
    A Russian-speaking threat actor known as “bandcampro” operated a MAGA-themed Telegram channel (@americanpatriotus, ~17,000 subscribers) for five years before shifting to AI-driven fraud and credential theft in September 2025....
    A large-scale CountLoader campaign was observed using heavily obfuscated, multi-stage infection chains involving PowerShell, JavaScript executed through mshta.exe, and in-memory shellcode injection to evade detection and maintain persistence....
    This campaign demonstrates how ClickFix-style social engineering continues to evolve through abuse of legitimate Windows tooling and user-assisted execution workflows....