Threat Research

In December 2025, Labz discovered a new C2 implant called SnappyClient, delivered via HijackLoader. SnappyClient is a C++-based malware that enables remote access and extensive data theft. Its capabilities include keylogging, screenshots, remote terminal access, and stealing data from browsers and applications....

Since late December 2025, the team has handled multiple incidents involving voice-based phishing (vishing) leading to data theft and extortion. These attacks have targeted organizations across the Financial Services, Manufacturing, Professional & Legal Services, and Wholesale & Retail sectors....

A recent phishing campaign targeting Indian businesses leverages Income Tax Return (ITR)–related themes to appear legitimate and trustworthy. Attackers impersonate the Indian Income Tax Department (ITD) by sending fake “Tax Compliance Review Notice” emails, exploiting public concern around refund timelines....

The team has detected a surge in Android malware posing as Indian RTO apps, targeting Indian users to steal sensitive data. The malware spreads via WhatsApp and SMS with shortened links redirecting to malicious APKs hosted on GitHub or compromised sites. Once installed, it uses phishing pages to steal banking credentials and UPI PINs, and intercepts SMS messages containing financial data....

Two new Android spyware campaigns, ProSpy and ToSpy, are targeting privacy-conscious users in the UAE by impersonating secure messaging apps like Signal and ToTok....

In January 2025, researchers uncovered a series of attacks delivering DarkCloud Stealer, a sophisticated malware that uses AutoIt scripting to evade detection. The attack chain involved hosting the malware on a file-sharing server and deploying multi-stage, obfuscated payloads, making it difficult for traditional security tools to detect....

Gremlin Stealer is a newly discovered information-stealing malware written in C# and actively promoted on a Telegram group since March 2025. Designed to target Windows systems, it exfiltrates sensitive data—including browser cookies, credit card information, clipboard contents, crypto wallets, FTP, and VPN credentials—and uploads it to a remote server....

AI-assisted fake GitHub repositories are being used to distribute SmartLoader, which delivers Lumma Stealer and other malware. These repositories disguise malicious software as gaming cheats and cracked tools, evading detection through AI-generated content....

"DragonForce Ransomware Group is Targeting Saudi Arabia" highlights a recent ransomware attack by DragonForce, which targeted organizations in the Kingdom of Saudi Arabia (KSA). A major incident involved a data breach at a prominent Riyadh real estate and construction company....

CL-STA-0048 is an espionage campaign targeting high-value organizations in South Asia, including a telecommunications company. The attackers, likely from China, use advanced techniques such as Hex Staging, DNS exfiltration, and SQLcmd for data theft. The campaign aims to steal personal and sensitive information, focusing on government employees....