Threat Research

    GoBruteforcer is a Linux-based botnet that converts compromised servers into distributed scanners and password brute-force nodes targeting internet-exposed services such as phpMyAdmin, MySQL, PostgreSQL, and FTP....
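The summary above describes the defender-visible side of this botnet: password brute-forcing against exposed phpMyAdmin, MySQL, PostgreSQL and FTP services, carried out by many compromised servers at once. The following Python is an added example, not code from the original page or from any analysis of GoBruteforcer itself. It runs over constructed authentication-failure log lines (the `<timestamp> <service> auth_fail src=<ip>` format and the sample IPs are assumptions for illustration) and flags both the classic pattern, one source hammering one service, and the distributed pattern, many sources each making a few attempts against the same service, which per-IP thresholds alone miss.

```python
"""Flag single-source and distributed password brute-forcing in auth logs.

Added example; not the page's or the botnet's own code. The log format and
the sample lines are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <service> auth_fail src=<ip>"
SAMPLE_LOG = """\
2024-01-01T10:00:00 ftp auth_fail src=198.51.100.7
2024-01-01T10:00:01 ftp auth_fail src=198.51.100.7
2024-01-01T10:00:02 ftp auth_fail src=198.51.100.7
2024-01-01T10:00:03 ftp auth_fail src=198.51.100.7
2024-01-01T10:00:04 ftp auth_fail src=198.51.100.7
2024-01-01T10:00:05 ftp auth_fail src=198.51.100.7
2024-01-01T10:01:00 mysql auth_fail src=203.0.113.10
2024-01-01T10:01:05 mysql auth_fail src=203.0.113.11
2024-01-01T10:01:10 mysql auth_fail src=203.0.113.12
2024-01-01T10:01:15 mysql auth_fail src=203.0.113.13
2024-01-01T10:01:20 mysql auth_fail src=203.0.113.14
2024-01-01T10:01:25 mysql auth_fail src=203.0.113.15
2024-01-01T10:02:00 postgresql auth_fail src=192.0.2.50
2024-01-01T10:02:30 phpmyadmin auth_fail src=192.0.2.51
2024-01-01T10:30:00 ftp auth_fail src=198.51.100.7
"""

WINDOW = timedelta(minutes=10)   # sliding window for both detections (assumed)
PER_SOURCE_THRESHOLD = 5         # failures from one IP against one service
DISTRIBUTED_MIN_SOURCES = 5      # distinct IPs failing against one service


def parse_line(line):
    """Return (timestamp, service, source_ip) for an auth_fail line, else None."""
    ts_str, service, event, src = line.split()
    if event != "auth_fail":
        return None
    return datetime.fromisoformat(ts_str), service, src.split("=", 1)[1]


def parse_log(text):
    """Parse all auth_fail lines and return them sorted by timestamp."""
    events = (parse_line(l) for l in text.splitlines() if l.strip())
    return sorted(e for e in events if e is not None)


def _max_in_window(timestamps, window):
    """Largest number of timestamps inside any interval of length `window`."""
    timestamps = sorted(timestamps)
    best, start = 0, 0
    for end, ts in enumerate(timestamps):
        while ts - timestamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def _max_distinct_in_window(events, window):
    """Largest number of distinct IPs inside any window; events = sorted (ts, ip)."""
    live = defaultdict(int)  # ip -> number of events currently inside the window
    best, start = 0, 0
    for end, (ts, ip) in enumerate(events):
        live[ip] += 1
        while ts - events[start][0] > window:
            old_ip = events[start][1]
            live[old_ip] -= 1
            if live[old_ip] == 0:
                del live[old_ip]
            start += 1
        best = max(best, len(live))
    return best


def detect_bruteforce(text, window=WINDOW, per_source=PER_SOURCE_THRESHOLD,
                      min_sources=DISTRIBUTED_MIN_SOURCES):
    """Return {'single_source': [(service, ip, n)], 'distributed': [(service, n_ips)]}."""
    by_source = defaultdict(list)   # (service, ip) -> [timestamps]
    by_service = defaultdict(list)  # service -> [(timestamp, ip)]
    for ts, service, ip in parse_log(text):
        by_source[(service, ip)].append(ts)
        by_service[service].append((ts, ip))

    findings = {"single_source": [], "distributed": []}
    for (service, ip), stamps in sorted(by_source.items()):
        n = _max_in_window(stamps, window)
        if n >= per_source:
            findings["single_source"].append((service, ip, n))
    for service, evs in sorted(by_service.items()):
        n = _max_distinct_in_window(sorted(evs), window)
        if n >= min_sources:
            findings["distributed"].append((service, n))
    return findings


if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```

On the sample, the FTP source is flagged by the per-IP rule (six failures in five seconds; its later lone attempt falls outside the window) while the MySQL activity is caught only by the distributed rule, since each of the six IPs fails exactly once. Tune the thresholds to your own baseline, and key the distributed check on the target service rather than on the source, which is what a botnet of compromised servers forces you to do.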
    An active Linux-targeting campaign is deploying a Mirai-derived botnet called V3G4, now enhanced with a stealthy XMRig Monero cryptominer that uses a fileless configuration....
    At the end of October, during a global AWS connectivity disruption, Labs detected malware known as “ShadowV2” exploiting IoT vulnerabilities to spread. The incidents impacted multiple countries and affected seven different industries. To date, the malware has only been observed operating during the major AWS outage window....
    The ongoing Water Saci campaign reveals a new attack chain leveraging an email-based C&C infrastructure with multi-vector persistence for enhanced resilience. It employs advanced evasion techniques to avoid analysis and limit activity to specific, intended targets....
    The team has detected a surge in Android malware posing as Indian RTO apps, targeting Indian users to steal sensitive data. The malware spreads via WhatsApp and SMS using shortened links that redirect to malicious APKs hosted on GitHub or on compromised sites. Once installed, it uses phishing pages to steal banking credentials and UPI PINs, and intercepts SMS messages containing financial data....
    A major botnet campaign, dubbed RondoDox, is actively exploiting over 50 known vulnerabilities in routers, DVRs, NVRs, CCTV systems, and web servers from more than 30 vendors. Organizations with internet-facing infrastructure face heightened risks of data theft, persistent access, and operational disruption....
    The Resurgence of IoT Malware: Inside the Mirai-Based 'Gayfemboy' Botnet Campaign explores a stealthy, evolving malware strain named "Gayfemboy," initially discovered by a Chinese cybersecurity firm. Over the past year the malware resurfaced, with renewed activity in July targeting vulnerabilities in IoT devices from vendors such as DrayTek, TP-Link, Raisecom, and Cisco....
    A sophisticated new infostealer and botnet called "Cyber Stealer" was discovered by the Threat Response Unit in May 2025. This multi-functional malware operates on a tiered subscription model with three packages—Regular, Premium, and VIP—offering escalating features from basic stealing to advanced capabilities like DDoS attacks, cryptocurrency mining, and DNS poisoning....
    Hpingbot is a newly discovered, cross-platform botnet family written in Go, actively spreading since June 2025. Designed for Windows, Linux, and IoT devices, it supports multiple architectures including amd64, ARM, MIPS, and 80386. Unlike variants based on Mirai or Gafgyt, Hpingbot is built from scratch, showing advanced innovation and efficiency....
    Over the past month, there has been a noticeable surge in scanning activity linked to a new botnet campaign exploiting two high-risk vulnerabilities: CVE-2024-3721 and CVE-2024-12856. Both vulnerabilities have been publicly disclosed and are currently being actively targeted, presenting serious threats to device security and overall network stability....