Threat Research

    We recently uncovered a phishing campaign delivering a variant of PureLogs, an infostealer designed to harvest sensitive data from compromised devices. This report breaks down the campaign's mechanics, analyzing the deceptive "purchase order" emails used to trick victims and the inner workings of the initial JavaScript payload....
    Device code phishing has rapidly evolved into a major identity-focused attack technique, driven by publicly available phishing toolkits, phishing-as-a-service (PhaaS) offerings, and AI-assisted “vibe coded” tools....
    In recent years, the threat landscape has shifted as info stealers and keyloggers become dominant malware payloads. Whether acting alone or as loaders for broader attacks, these tools efficiently harvest sensitive data. VIP Keylogger exemplifies this threat, leveraging phishing and evasion tactics to bypass security controls....
    The team has been tracking a large-scale extortion campaign by UNC6671, operating under the “BlackFile” brand. The group targets organizations using advanced voice phishing (vishing) and single sign-on (SSO) compromise techniques. By applying adversary-in-the-middle (AiTM) methods, UNC6671 bypasses traditional defenses and multi-factor authentication (MFA)....
    Steganography is rapidly gaining traction in the threat landscape. Instead of relying on direct encrypted transfers, attackers are increasingly hiding next-stage payloads inside everyday media files....
    The increasing reliance on AI has led to a surge in AI-driven tools. However, these platforms can also be exploited for malicious purposes, as demonstrated in the case of Kuse.ai. While Kuse is generally regarded as a reliable workplace solution, threat actors continuously develop new social engineering tactics....
    We identified phishing emails falsely claiming mailbox storage limits are exceeded. They include shortened links that redirect to fake “Cloud” storage pages. The messages use urgent language like “Cloud storage is full” and “Permanent data loss warning.” Users are pressured through multiple redirects to pages mimicking real cloud dashboards....
    In March 2026, we identified over twenty phishing apps on the Apple App Store posing as well-known crypto wallets. After being opened, these apps redirect users to web pages that mimic the App Store and deliver tampered versions of legitimate wallet applications. These malicious apps are deliberately built to capture recovery phrases and private keys....
    Kali365 is a newly emerged phishing-as-a-service (PhaaS) kit that abuses OAuth device code registration flows to conduct large-scale credential phishing campaigns. Distributed through Telegram, the platform offers advanced capabilities including mailbox scanning, phishing page generation, and AI-powered chatbot assistance for creating convincing lures....
    BlobPhish is an advanced credential-phishing campaign active since 2024 that generates phishing pages directly within the victim’s browser using in-memory blob objects, bypassing traditional network and file-based detection....