Threat Research

EvilTokens is a newly identified phishing-as-a-service (PhaaS) kit that enables large-scale Microsoft device code phishing attacks, leveraging social engineering techniques and rapidly adopted by cybercriminals for Adversary-in-the-Middle (AitM) and Business Email Compromise (BEC) operations....

A cyberespionage campaign discovered in early 2026 involved three distinct threat clusters Paper Werewolf, Versatile Werewolf, and Eagle Werewolf targeting victims using malware disguised as Starlink registration services and drone training applications....

Boggy Serpens (also known as MuddyWater), an Iranian state-linked threat group associated with MOIS, continues to conduct cyberespionage campaigns targeting diplomatic entities and critical infrastructure sectors such as energy, maritime, and finance....

CRESCENTHARVEST is a targeted cyberespionage campaign using protest-themed lures to infect Farsi-speaking individuals with malicious .LNK files disguised as media content. The malware, deployed via DLL sideloading with a signed Google executable, acts as a remote access trojan and information stealer capable of keylogging, command execution, and data exfiltration....

XWorm is a multi-functional Remote Access Trojan (RAT) first identified in 2022 and still actively distributed, including via Telegram marketplaces. Once installed, it grants attackers full remote control over compromised Windows systems. This campaign uses phishing emails with social engineering tactics to trick recipients into opening a malicious attachment....

North Korean threat actors continue to refine their tactics to target cryptocurrency and DeFi organizations. A recent investigation examined an intrusion against a FinTech entity in this sector. The activity was attributed to UNC1069, a financially motivated threat actor active since at least 2018....

TA584 stands out in the cybercrime landscape, highlighting the limits of static detection against rapidly evolving threat actors. It operates as a major initial access broker, targeting organizations worldwide. In the second half of 2025, the group significantly modified its attack chains....

Labs have uncovered a multi-stage malware campaign mainly targeting users in Russia. The attack starts with social engineering via business-themed documents that appear routine and harmless. These files distract victims with fake tasks or status messages while malicious processes run in the background....

PHALT#BLYX is a multi-stage malware campaign targeting the hospitality sector that relies on click-fix social engineering, fake CAPTCHAs, and fake BSOD pages delivered via Booking.com–themed phishing lures....

We identified a new social-engineering tactic employed by the Belarusian threat actor White Lynx (also known as Ghostwriter, Storm-0257, UNC1151). The method relies on a malicious macro embedded in a Word document designed to evade detection and analysis. Once macros are enabled, the user is presented with a fake CAPTCHA window prompting them to validate a six-character string....