Threat Research

    Our investigation began with a malicious Go module masquerading as a DNS/subdomain scanner. The module exposed a Windows malware chain using hidden PowerShell and dead-drop resolution. Pivoting revealed a larger GitHub lure network of 222 repositories across 190 accounts. We track this campaign as "Operation Muck and Load" based on its infrastructure and behavior....
    Threat actors compromised legitimate WordPress websites to inject ClickFix JavaScript that delivers malware to unsuspecting visitors. Rather than hardcoding command-and-control infrastructure, the script dynamically retrieves its configuration from a Polygon blockchain smart contract, allowing attackers to rotate infrastructure without modifying compromised sites....
    Researchers identified a malicious NuGet supply-chain campaign using Braintree.Net, a typosquat of the legitimate Braintree payment SDK. The package silently intercepts live payment-card data, steals Braintree merchant API credentials, and harvests environment, configuration, and cloud-related secrets while allowing normal payment operations to continue....
    A supply-chain attack compromised the Jscrambler npm package, introducing trojanized versions that executed a hidden cross-platform credential-stealing payload on Windows, Linux, and macOS. The malware targeted cloud credentials (AWS, Azure, GCP), developer secrets, CI/CD environments, cryptocurrency wallets, browser data, and AI/MCP configuration files....
    GigaWiper is a sophisticated Golang-based backdoor that combines advanced command-and-control capabilities with multiple destructive functions, including disk wiping, fake ransomware, and system sabotage. The malware integrates features from several destructive malware families, enabling threat actors to selectively deploy payloads through a single modular platform....
    Between 2024 and 2026, suspected China- and India-nexus threat actors targeted Pakistani law enforcement agencies. Attackers deployed malware like PlugX, ShadowPad, Cobalt Strike, and Remcos against Balochistan Police assets. Compromised systems included servers managing biometric data, national identity-linked registrations, and criminal records....
    GodDamn is the latest rebranded version of the Beast (formerly Monster) ransomware family, developed by the threat actor Hyadina. The attackers use AnyDesk for remote access, credential-stealing toolkits, and the Microsoft-signed PoisonX kernel driver to disable endpoint security through a BYOVD-style defense evasion technique before deploying the ransomware....
    Threat Research Team identified a targeted spear-phishing campaign using a fake aerospace-related business invoice delivered via a spoofed domain to deploy malware that silently configures AnyDesk for unattended remote access and persistence....
    Human-Driven Fraud: The Mexican banking operation REF6045 relies on active human operators to monitor infected devices. Malicious Entry Point: Victims are compromised via fake CAPTCHA pages that trick them into executing a harmful command. PowerShell Backbone: The initial command installs SCMBANKER, a PowerShell toolkit using components from late 2025....
    Threat actors are abusing fake Google and Cloudflare verification pages in evolving ClickFix campaigns to socially engineer users into executing malicious commands on their own systems. These campaigns distribute multiple malware families, including HijackLoader, StealC, Remus, Amatera Stealer, CastleLoader, NetSupport, and a Rust-based stealer....
    Victims are redirected via malicious advertisements or search results to fake CAPTCHA pages that use social engineering to trick them into copying and executing a malicious Bash command in the macOS Terminal. The downloaded update.sh script establishes persistence by installing a LaunchAgent through osascript and deploys a backdoor that executes at every user login....
    Researcher assesses UAT-7810 as a China-nexus APT that provides infrastructure support to other China-aligned threat actors, including UAT-5918. The group continues to enhance its custom malware ecosystem with LONGLEASH, DOGLEASH(shellcode-executing backdoor), LEASHTEST, and the Java-based JARLEASH backdoor....
    A financially motivated Vidar Stealer MaaS affiliate conducted a large-scale malvertising campaign targeting users in the U.S. and European Union with fake cracked software downloads....
    Since May 2026, a suspected China-aligned threat cluster named UNK_MassTraction has targeted Roundcube mailservers. The campaign specifically targets physics and engineering departments at US and Canadian universities. High-value targets include entities with national security ties or those studying astrophysics and particle physics....
    Millenium RAT v4 is a C++-based Remote Access Trojan (RAT) offered as a Malware-as-a-Service (MaaS) by the developer ShinyEnigma and actively deployed by the Y2K Operators threat cluster....
    Looking for Something?
    Threat Research Categories:
    Tags