Threat Research

In December 2025, Labz discovered a new C2 implant called SnappyClient, delivered via HijackLoader. SnappyClient is a C++-based malware that enables remote access and extensive data theft. Its capabilities include keylogging, screenshots, remote terminal access, and stealing data from browsers and applications....

CRESCENTHARVEST is a targeted cyberespionage campaign using protest-themed lures to infect Farsi-speaking individuals with malicious .LNK files disguised as media content. The malware, deployed via DLL sideloading with a signed Google executable, acts as a remote access trojan and information stealer capable of keylogging, command execution, and data exfiltration....

PHALT#BLYX is a multi-stage malware campaign targeting the hospitality sector that relies on click-fix social engineering, fake CAPTCHAs, and fake BSOD pages delivered via Booking.com–themed phishing lures....

A North Korea-aligned group, Famous Chollima, is using fake job offers to lure victims into installing malware. In a recent case, a trojanized Node.js app called Chessfi was distributed via the NPM package node-nvm-ssh. The group’s tools, BeaverTail and OtterCookie, have evolved by merging functionalities and adding a new JavaScript module for keylogging and taking screenshots....

Astaroth is a stealthy banking trojan that has evolved to become more resilient by abusing GitHub. Instead of relying solely on traditional command-and-control (C2) servers, it uses GitHub repositories to host malware configurations, allowing it to stay active even when C2 infrastructure is taken down....

An ongoing 2025 malvertising campaign is delivering a multi-stage malware framework dubbed PS1Bot, developed using PowerShell and C#. The malware supports in-memory execution, persistence, and modular capabilities including info-stealing, keylogging, and screen capturing. It minimizes forensic artifacts by avoiding disk writes....

A sophisticated new infostealer and botnet called "Cyber Stealer" was discovered by the Threat Response Unit in May 2025. This multi-functional malware operates on a tiered subscription model with three packages—Regular, Premium, and VIP—offering escalating features from basic stealing to advanced capabilities like DDoS attacks, cryptocurrency mining, and DNS poisoning....

KimJongRAT, first identified in 2013, now appears in two variants: a Portable Executable (PE) and a PowerShell version. Both are triggered via a malicious LNK file that fetches droppers from a CDN. The PE dropper delivers a loader, decoy PDF, and text file, while the PowerShell variant unpacks a PDF and ZIP archive containing the stealer and keylogger....

Mustang Panda continues to develop custom tools for targeted attacks. They use PAKLOG and CorKLOG keyloggers—PAKLOG obfuscates data with custom encoding, while CorKLOG encrypts logs using a 48-character RC4 key. Persistence is achieved via services and scheduled tasks....

The Coyote Banking Trojan is a malware targeting users in Brazil, delivered through LNK files containing PowerShell commands. These files are part of multi-stage attacks aimed at stealing sensitive information from over 70 financial apps and websites....