Threat Research

    An Iran-linked APT group known as Screening Serpens conducted targeted cyberespionage campaigns against organizations in the U.S., Israel, the UAE, and other Middle Eastern regions during early 2026....
    Void Dokkaebi (also known as Famous Chollima) has evolved its InvisibleFerret malware by shifting from readable Python scripts to Cython-compiled binaries, improving evasion and making detection more difficult....
    The Guardrails-AI incident highlights the growing sophistication of software supply chain attacks targeting AI and developer ecosystems. Even trusted and widely adopted packages can become delivery mechanisms for malicious payloads when repository infrastructure, CI/CD workflows, or deployment credentials are compromised....
    Users searching for legitimate C++ software land on a compromised site that executes malicious JavaScript. The script conducts heavy profiling via browser fingerprinting, mouse telemetry, and click interception. Profiled victims are redirected through intermediary domains to a dynamic, fake "MEGA Transfer" page....
    Webworm, a China-aligned APT group, has evolved its operations by shifting from traditional malware families toward stealthier custom tools and proxy-based techniques. In 2025, the group introduced new backdoors such as EchoCreep and GraphWorm, which abuse trusted platforms like Discord and Microsoft Graph API for command-and-control communication....
    A large-scale CountLoader campaign was observed using heavily obfuscated, multi-stage infection chains involving PowerShell, JavaScript executed through mshta.exe, and in-memory shellcode injection to evade detection and maintain persistence....
    This campaign demonstrates how ClickFix-style social engineering continues to evolve through abuse of legitimate Windows tooling and user-assisted execution workflows....
    In recent years, the threat landscape has shifted as info stealers and keyloggers become dominant malware payloads. Whether acting alone or as loaders for broader attacks, these tools efficiently harvest sensitive data. VIP Keylogger exemplifies this threat, leveraging phishing and evasion tactics to bypass security controls....
    The team has been tracking a large-scale extortion campaign by UNC6671, operating under the “BlackFile” brand. The group targets organizations using advanced voice phishing (vishing) and single sign-on (SSO) compromise techniques. By applying adversary-in-the-middle (AiTM) methods, UNC6671 bypasses traditional defenses and multi-factor authentication (MFA)....
    Threat actors continue to abuse MSHTA (mshta.exe), a legacy Windows utility and Living-off-the-Land binary (LOLBIN), to execute malicious VBScript and JavaScript code while blending into legitimate system activity....