Threat Research

    The StopRansomware: Akira Ransomware advisory warns of Akira’s expanding operations, including new activity as of Nov. 13, 2025, targeting Windows, Linux, and virtualization platforms....
    At the end of October, during a global AWS connectivity disruption, Labs detected malware known as “ShadowV2” exploiting IoT vulnerabilities to spread. The incidents impacted multiple countries and affected seven different industries. To date, the malware has only been observed operating during the major AWS outage window....
    In early 2025, researchers identified a surge of ransomware attacks abusing the SimpleHelp Remote Monitoring and Management (RMM) platform, widely used by MSPs and software vendors. Threat groups such as Medusa and DragonForce exploited three vulnerabilities — CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728 — to infiltrate downstream customer networks....
    During its incident response efforts, determined that cyber threat actors infiltrated the agency’s network on July 11, 2024, by exploiting a critical vulnerability—CVE-2024-36401 [CWE-95: “Eval Injection”]—in a public-facing GeoServer instance (referred to as GeoServer 1)....
    This report details a stealthy campaign exploiting CVE-2024-36401, a critical RCE vulnerability (CVSS 9.8) in GeoServer, to gain access to victims' machines and monetize their internet bandwidth. Attackers deploy legitimate or modified SDKs to turn compromised systems into residential proxies, mimicking legal monetization practices used by app developers....
    On July 19, researchers detected a surge of HTTP probes aimed at Rejetto HTTP File Server (HFS) 2.x systems, revealing a coordinated spray-and-pray campaign exploiting a critical unauthenticated server-side template injection (SSTI) vulnerability (CVE-2024-23692, CVSS 9.8) that permits arbitrary command execution via a single crafted request....
    Over the past month, there has been a noticeable surge in scanning activity linked to a new botnet campaign exploiting two high-risk vulnerabilities: CVE-2024-3721 and CVE-2024-12856. Both vulnerabilities have been publicly disclosed and are currently being actively targeted, presenting serious threats to device security and overall network stability....
    A newly identified botnet called RustoBot is spreading through TOTOLINK routers using Rust, a programming language known for its speed and security. RustoBot exploits command injection vulnerabilities in the cstecgi.cgi script, including CVE-2022-26210 and CVE-2022-26187, to achieve remote code execution....
    "Unmasking the new persistent attacks on Japan" reveals an ongoing cyber campaign targeting Japanese organizations across various business verticals, including technology, telecommunications, entertainment, education, and e-commerce, based on our analysis of command and control (C2) server artefacts....
    This detection identifies file modifications to ASPX and ASHX files in the root of the App_Extensions directory, which can be exploited through the ZipSlip vulnerability in versions before 23.9.8. This occurs during the exploitation of CVE-2024-1708....