Threat Research
(Don't) TrustConnect: It's a RAT in an RMM Hat
Researchers identified a new malware-as-a-service (MaaS) posing as a legitimate remote monitoring and management (RMM) tool called TrustConnect. Its so-called business website—likely auto-generated—actually serves as the login portal for the malware platform....
2/20/2026
VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731)
VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731) details active exploitation of a pre-authentication RCE flaw in BeyondTrust Remote Support software that enables attackers to execute OS-level commands and fully compromise affected systems....
2/20/2026
Divide and Conquer: How the New Keenadu Backdoor Exposed Links Between Major Android Botnets
Divide and Conquer: How the New Keenadu Backdoor Exposed Links Between Major Android Botnets outlines the discovery of Keenadu, a firmware-level Android backdoor embedded during the build process via a malicious library linked to libandroid_runtime.so....
2/19/2026
Critical Vulnerabilities in Ivanti EPMM Exploited
Two critical zero-day vulnerabilities, CVE-2026-1281 and CVE-2026-1340, are impacting Ivanti Endpoint Manager Mobile (EPMM). They are actively exploited in the wild, targeting enterprise mobile fleets and corporate networks. The flaws allow unauthenticated remote code execution on affected servers....
2/19/2026
Spam Campaign Abuses Atlassian Jira, Targets Government and Corporate Entities
A large-scale spam campaign abused Atlassian Cloud’s trusted domain to distribute multilingual phishing emails targeting government and corporate entities....
2/18/2026
From BRICKSTORM to GRIMBOLT: UNC6201 Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day
During analysis of compromised Dell RecoverPoint for Virtual Machines systems, BRICKSTORM binaries were identified; these were later replaced by GRIMBOLT in September 2025. GRIMBOLT is a C# foothold backdoor built with Native AOT compilation and packed using UPX....
2/18/2026
SyncFuture Espionage Targeted Campaign (Blackmoon Malware)
SyncFuture Espionage Targeted Campaign (Blackmoon Malware) is a highly targeted cyber-espionage operation affecting users and organizations in India, leveraging phishing emails that impersonate the Indian Income Tax Department to initiate a multi-stage infection chain....
2/17/2026
System File Execution Location Anomaly
Identifies when a legitimate Windows system executable normally found in the system directory is launched from an unusual or unexpected location....
2/17/2026
Proxyware Disguised as Notepad++ Tool
A malicious campaign is distributing proxyware disguised as a legitimate Notepad++ or cracked software installer through deceptive download sites and ads. In this proxyjacking attack, the malware secretly installs proxyware on victims’ systems to hijack their network bandwidth for profit....
2/16/2026
Osiris Ransomware
Osiris ransomware is a modern, enterprise-focused threat that conducts targeted intrusions involving deep network compromise, data exfiltration, and double-extortion tactics before encrypting victim systems....
2/16/2026
Remote Access Trojan (RAT) Disguised as AI-Based Browser Control Extension
The Chrome extension “Chrome MCP Server - AI Browser Control” operates as a browser-based Remote Access Trojan (RAT). It is disguised as an AI automation tool and falsely claims that all processing is 100% local. Once enabled, it connects via WebSocket to a live C2 server....
2/13/2026
Distillation, Experimentation, and (Continued) Integration of AI for Adversarial Use
The report highlights a rise in model extraction (“distillation”) attacks aimed at stealing proprietary AI logic, alongside the growing integration of generative AI into real-world threat operations....
2/13/2026
XWorm v7 RAT: Technical Analysis of Infection Chain, C2 Protocol, and Plugin Architecture
XWorm v7 RAT is a modular, malware-as-a-service Remote Access Trojan active since 2022, widely adopted by cybercriminals for its ease of deployment and extensive post-compromise capabilities....
2/12/2026
Technical Analysis of GuLoader Obfuscation Techniques
GuLoader (also known as CloudEye) is a highly obfuscated malware family first identified in December 2019. It primarily functions as a downloader for Remote Access Trojans (RATs) and information stealers. Threat actors often host its payloads on legitimate platforms like Google Drive and OneDrive to evade detection....
2/12/2026
Deep Dive Into New XWorm Campaign Utilizing Multiple-Themed Phishing Emails
XWorm is a multi-functional Remote Access Trojan (RAT) first identified in 2022 and still actively distributed, including via Telegram marketplaces. Once installed, it grants attackers full remote control over compromised Windows systems. This campaign uses phishing emails with social engineering tactics to trick recipients into opening a malicious attachment....
2/11/2026