Threat Research

Since at least 2020, we have observed a cluster of activity targeting high-value organizations across South, Southeast, and East Asia. The attacks focus on critical sectors including aviation, energy, government, law enforcement, pharmaceutical, technology, and telecommunications. This ongoing and previously undocumented activity is being tracked as CL-UNK-1068....

New Dohdoor Malware Campaign Targets Education and Health Care outlines a phishing-driven, multi-stage attack primarily impacting U.S. education and healthcare organizations....

Two critical zero-day vulnerabilities, CVE-2026-1281 and CVE-2026-1340, are impacting Ivanti Endpoint Manager Mobile (EPMM). They are actively exploited in the wild, targeting enterprise mobile fleets and corporate networks. The flaws allow unauthenticated remote code execution on affected servers....

PHALT#BLYX is a multi-stage malware campaign targeting the hospitality sector that relies on click-fix social engineering, fake CAPTCHAs, and fake BSOD pages delivered via Booking.com–themed phishing lures....

During October and November 2025, a series of campaigns targeting the energy, defense, pharmaceutical, and cybersecurity sectors displayed traits consistent with earlier operations linked to Void Rabisu (also known as ROMCOM, Tropical Scorpius, or Storm-0978)....

The Agenda ransomware group (Qilin) has been observed deploying Linux-based binaries on Windows hosts using legitimate remote management and file transfer tools. This cross-platform technique evades traditional Windows-focused detections, including many EDR solutions....

A global phishing campaign is targeting the hospitality industry, exploiting compromised Booking.com accounts and WhatsApp messages to defraud hotel customers. The attackers gained access to hotel systems through infostealer malware, stealing credentials for booking platforms like Booking.com and Expedia....

Between June and August 2025, we observed a newly identified threat actor, designated UNK_SmudgedSerpent, conducting targeted operations against academics and foreign policy experts....

PhantomVAI Loader is a stealthy, multi-stage loader propagated via phishing that uses obfuscated scripts and steganography to hide payloads. Originally called Katz Stealer Loader for delivering Katz Stealer, it has evolved to deliver multiple infostealers (including Katz, AsyncRAT, XWorm, FormBook and DCRat) and is offered as malware-as-a-service....

EvilAI disguises itself as legitimate productivity or AI tools, using professional interfaces and valid digital signatures to avoid detection. It has spread globally, with the greatest impact seen in Europe, the Americas, and the AMEA region. Targeted sectors include manufacturing, government/public services, and healthcare....