Threat Research

    New Dohdoor Malware Campaign Targets Education and Health Care outlines a phishing-driven, multi-stage attack primarily impacting U.S. education and healthcare organizations....
    Between June and August 2025, we observed a newly identified threat actor, designated UNK_SmudgedSerpent, conducting targeted operations against academics and foreign policy experts....
    Our Labs team uncovered a campaign targeting military personnel in Russia and Belarus, particularly the Russian Airborne Forces and Belarusian Special Forces. The infection chain exposes multiple local services via Tor using obfs4 bridges, enabling anonymous communication through onion addresses....
    PhantomVAI Loader is a stealthy, multi-stage loader propagated via phishing that uses obfuscated scripts and steganography to hide payloads. Originally called Katz Stealer Loader for delivering Katz Stealer, it has evolved to deliver multiple infostealers (including Katz, AsyncRAT, XWorm, FormBook and DCRat) and is offered as malware-as-a-service....
    Between July and August 2025, TA415 conducted spearphishing campaigns targeting U.S. government, think tanks, and academic institutions using U.S.-China economic-themed lures. The group impersonated prominent entities like the Select Committee on Strategic Competition and the US-China Business Council to target individuals focused on U.S.-China relations....
    A surge in active exploitation is targeting newly revealed vulnerabilities in Microsoft SharePoint Server (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771)....
    Our team discovered an Android malware, “SikkahBot,” active since July 2024, targeting students in Bangladesh. Disguised as apps from the Bangladesh Education Board, it lures users with fake scholarships to steal sensitive data....
    CVE-2025-53770 and CVE-2025-53771 impact on-premise Microsoft SharePoint Servers, enabling malicious file uploads and cryptographic key theft. These evolved from earlier flaws (CVE-2025-49704/49706), where incomplete patches left systems vulnerable to unauthenticated RCE via deserialization and ViewState abuse....
    In May 2025, a financial institution in Asia was targeted by Fog ransomware, marking a significant shift in attack tactics. Unusually, the attackers deployed legitimate employee monitoring software, Syteca (formerly Ekran), and several open-source pentesting tools, including GC2, Adaptix, and Stowaway—tools not typically associated with ransomware attacks....
    FOG ransomware is being spread by cybercriminals claiming ties to the Department of Government Efficiency (DOGE). Nine samples with the ".flocked" extension were found, dropping notes urging further spread and referencing DOGE and an FBI-related incident....