Threat Research

    A large-scale spam campaign abused Atlassian Cloud’s trusted domain to distribute multilingual phishing emails targeting government and corporate entities....
    During analysis of compromised Dell RecoverPoint for Virtual Machines systems, analysts identified BRICKSTORM binaries that were later replaced by GRIMBOLT in September 2025. GRIMBOLT is a C# foothold backdoor built with Native AOT compilation and packed with UPX....
    SyncFuture Espionage Targeted Campaign (Blackmoon Malware) is a highly targeted cyber-espionage operation affecting users and organizations in India, leveraging phishing emails that impersonate the Indian Income Tax Department to initiate a multi-stage infection chain....
    This detection identifies when a legitimate Windows system executable, normally found in the system directory, is launched from an unusual or unexpected location....
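    The check described above, written out as an added example rather than the vendor's own rule: it normalizes each process image path (so `..`, forward slashes, mixed case and the `\\?\` prefix cannot be used to dodge the comparison), then flags any process whose file name is a known system binary but whose directory is not System32, SysWOW64 or the WinSxS component store. The list of system binaries, the expected directories, and the sample process-creation events (using Sysmon Event ID 1 field names) are constructed assumptions for illustration.

```python
import ntpath

# Constructed, illustrative subset of executables that legitimately live in the
# Windows system directories. A production rule would carry a fuller list (assumption).
SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "services.exe",
    "rundll32.exe", "wscript.exe", "cmd.exe", "powershell.exe",
}

# Where those executables are expected. Assumption: default %SystemRoot% layout;
# WinSxS is allowed because component-store copies of system binaries are legitimate.
SYSTEM_ROOT = "c:\\windows"
EXPECTED_DIRS = {SYSTEM_ROOT + "\\system32", SYSTEM_ROOT + "\\syswow64"}
WINSXS_PREFIX = SYSTEM_ROOT + "\\winsxs\\"


def normalize(image_path):
    """Canonicalize a Windows path so '..', forward slashes, quoting and case
    differences cannot be used to evade the directory comparison."""
    p = image_path.strip().strip('"')
    if p.startswith("\\\\?\\"):          # strip the extended-length path prefix
        p = p[4:]
    return ntpath.normpath(p).lower()    # ntpath works on any host OS


def is_masquerading(image_path):
    """True when a known system binary name is executed from a directory
    it should never live in."""
    p = normalize(image_path)
    name = ntpath.basename(p)
    if name not in SYSTEM_BINARIES:
        return False                     # not a system binary name; out of scope
    directory = ntpath.dirname(p)
    if directory in EXPECTED_DIRS or directory.startswith(WINSXS_PREFIX):
        return False                     # expected location
    return True


def scan(events):
    """Run the check over process-creation records; return the flagged image paths."""
    return [e["Image"] for e in events if is_masquerading(e["Image"])]


# Constructed sample process-creation events (Sysmon Event ID 1 field names).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Users\Public\svchost.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\Temp\lsass.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\..\Temp\rundll32.exe",   # '..' traversal trick
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\WinSxS\amd64_microsoft-windows-services_example\services.exe",
     "ParentImage": r"C:\Windows\System32\smss.exe"},
    {"Image": r"C:\Program Files\Vendor\updater.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("system binary launched from unexpected location:", hit)
```

    Run against the sample events, the three copies of svchost.exe, lsass.exe and rundll32.exe outside the system directories are flagged while the System32, SysWOW64 and WinSxS launches and the unrelated vendor binary are not. The check is deliberately narrow: it only catches a system binary name in the wrong directory, so it says nothing about a renamed copy of a system tool, DLL sideloading, or a tampered file that still sits in System32; those need separate rules (hash or signature checks, parent-process anomalies).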
    A malicious campaign is distributing proxyware disguised as a legitimate Notepad++ or cracked software installer through deceptive download sites and ads. In this proxyjacking attack, the malware secretly installs proxyware on victims’ systems to hijack their network bandwidth for profit....
    Osiris ransomware is a modern, enterprise-focused threat that conducts targeted intrusions involving deep network compromise, data exfiltration, and double-extortion tactics before encrypting victim systems....
    The Chrome extension “Chrome MCP Server - AI Browser Control” operates as a browser-based Remote Access Trojan (RAT). It is disguised as an AI automation tool and falsely claims that all processing is 100% local. Once enabled, it connects via WebSocket to a live C2 server....
    The report highlights a rise in model extraction (“distillation”) attacks aimed at stealing proprietary AI logic, alongside the growing integration of generative AI into real-world threat operations....
    XWorm v7 RAT is a modular, malware-as-a-service Remote Access Trojan active since 2022, widely adopted by cybercriminals for its ease of deployment and extensive post-compromise capabilities....
    GuLoader (also known as CloudEye) is a highly obfuscated malware family first identified in December 2019. It primarily functions as a downloader for Remote Access Trojans (RATs) and information stealers. Threat actors often host its payloads on legitimate platforms like Google Drive and OneDrive to evade detection....
    XWorm is a multi-functional Remote Access Trojan (RAT) first identified in 2022 and still actively distributed, including via Telegram marketplaces. Once installed, it grants attackers full remote control over compromised Windows systems. This campaign uses phishing emails with social engineering tactics to trick recipients into opening a malicious attachment....
    A Peek Into Muddled Libra’s Operational Playbook examines a September 2025 intrusion in which the cybercrime group Muddled Libra (aka Scattered Spider/UNC3944) deployed a rogue VM after compromising a VMware vSphere environment....
    North Korean threat actors continue to refine their tactics to target cryptocurrency and DeFi organizations. A recent investigation examined an intrusion against a FinTech entity in this sector. The activity was attributed to UNC1069, a financially motivated threat actor active since at least 2018....
    Stan Ghouls (also known as Bloody Wolf) is a cybercriminal group active since at least 2023, conducting highly targeted campaigns primarily against manufacturing, finance, and IT organizations across Russia and Central Asia....
    Knife Cutting the Edge details DKnife, a China-nexus, Linux-based adversary-in-the-middle (AitM) gateway framework active since at least 2019 that compromises routers and edge devices to inspect and manipulate network traffic and deliver malware....