Threat Research

The team has been tracking a large-scale extortion campaign by UNC6671, operating under the “BlackFile” brand. The group targets organizations using advanced voice phishing (vishing) and single sign-on (SSO) compromise techniques. By applying adversary-in-the-middle (AiTM) methods, UNC6671 bypasses traditional defenses and multi-factor authentication (MFA)....

Threat actors continue to abuse MSHTA (mshta.exe), a legacy Windows utility and Living-off-the-Land binary (LOLBIN), to execute malicious VBScript and JavaScript code while blending into legitimate system activity....

Threat actors are actively exploiting multiple vulnerabilities affecting Cisco Catalyst SD-WAN products, including the authentication bypass flaw CVE-2026-20182, which allows remote attackers to gain administrative access without authentication....

An investigation team mapped the full operational model of the "Banana RAT" banking trojan. Attributed to the threat cluster SHADOW-WATER-063, the malware targets Brazilian financial institutions. MDR reconstructed the entire attack chain by correlating server tooling and client payloads....

Steganography is rapidly gaining traction in the threat landscape. Instead of relying on direct encrypted transfers, attackers are increasingly hiding next-stage payloads inside everyday media files....

Gremlin Stealer is an evolving infostealer malware that uses advanced obfuscation techniques, including embedded resource concealment and commercial packers with instruction virtualization, to evade detection and analysis....

Our research examined the April 22 Checkmarx KICS and April 24 elementary-data incidents as part of a broader TeamPCP supply chain campaign involving at least seven confirmed waves. The KICS attack used multichannel poisoning across Docker Hub, VS Code/OpenVSX, and GitHub Actions, later enabling the hijack of @bitwarden/cli through stolen npm tokens....

In Q1 2026, an Iran-linked espionage campaign targeted at least nine organizations across four continents, affecting sectors such as manufacturing, education, finance, government, and professional services....

This campaign involves a trojanized version of the legitimate HWMonitor application used to deliver the STX RAT malware. The attackers leveraged DLL sideloading to execute malicious payloads through trusted binaries, helping evade detection....

CVE-2026-41940 is a severe authentication bypass flaw (CVSS score: 9.8) impacting cPanel and WHM. The vulnerability allows remote attackers to circumvent the authentication mechanism and obtain unauthorized access without requiring legitimate credentials....

The EtherRAT malware family was first identified by Sysdig in December 2025, initially exploiting CVE-2025-55182 (React2Shell) on Linux servers. In March 2026, Atos reported a Windows-based EtherRAT campaign with activity traced back to December 2025....

We investigated reports of a fake Claude AI website spreading malware. At first, the attack appeared similar to known PlugX campaigns due to shared techniques. Closer analysis revealed a first-stage DonutLoader payload and a previously undocumented backdoor....

This campaign demonstrates how ClickFix-style social engineering continues to evolve into an effective initial access technique for delivering sophisticated malware frameworks....

UAT-8302 is a sophisticated China-linked APT group targeting South American government entities since late 2024 and southeastern European agencies in 2025. After gaining access, the group deploys several custom malware families previously associated with other China-nexus threat actors....

In March 2026, ThreatLabz uncovered an attack chain targeting AI agentic workflows through a malicious OpenClaw framework skill. The attackers used manipulated installation instructions to trick autonomous AI agents into downloading and executing a remote MSI package....