Threat Research

    Pawn Storm, a Russia-aligned APT group, is targeting Ukraine’s defense supply chain and allied nations. It deploys PRISMEX, a modular malware suite using steganography, COM hijacking, and cloud-based C2. The group exploited multiple flaws, including a Windows zero-day (CVE-2026-21513). Per Akamai findings, malicious .lnk files exploiting CVE-2026-21509 may be chained with CVE-2026-21513....
    DarkSword is a sophisticated iOS full-chain exploit leveraging multiple zero-day vulnerabilities to fully compromise devices running iOS 18.4 to 18.7. Since late 2025, it has been used by commercial surveillance vendors and state-sponsored actors across campaigns targeting regions including Saudi Arabia, Turkey, Malaysia, and Ukraine....
    The Coruna exploit kit is a sophisticated toolkit targeting Apple iPhones running iOS 13.0 through 17.2.1, containing five full exploit chains and 23 exploits, including zero-day exploits, that leverage advanced, non-public techniques to bypass iOS security protections....
    APT28, a Russian state-sponsored threat group also known as Fancy Bear or UAC-0001, is conducting a sophisticated espionage campaign against European military and government entities. The operation primarily targets maritime and transportation organizations in Poland, Slovenia, Turkey, Greece, the UAE, and Ukraine....
    UAC-0184, also known as Hive0156, is a Russia-aligned threat actor that conducts cyber operations against Ukraine using commercially available malware and lure documents. The group primarily targets Ukrainian military personnel by distributing weaponized LNK files or PowerShell scripts that result in Remcos malware infections....
    ScoringMathTea is a newly uncovered C++ Remote Access Trojan used by North Korea’s Lazarus Group in a fresh phase of Operation DreamJob, targeting defense contractors supporting Ukraine to steal sensitive UAV technology....
    A recent phishing campaign targeting Ukraine uses malicious SVG files disguised as official government communication. When opened, the SVG file downloads a password-protected archive containing a CHM file, which triggers a chain of malware execution via HTA CountLoader....
    A Russian state-sponsored cyber campaign has been targeting Western logistics and technology companies, particularly those supporting the coordination, transportation, and delivery of foreign aid to Ukraine....
    In early February 2025, a phishing campaign targeting Ukrainian entities used invoice and billing-themed emails containing compressed archives with obfuscated JavaScript files. These files deployed PowerShell downloaders to install SmokeLoader, leveraging the Emmenthal loader....
    DanaBot is a Malware-as-a-Service (MaaS) platform active since 2018, operating through an affiliate model where the developer provides the malware, C2 infrastructure, and support. Affiliates use DanaBot for credential theft, banking fraud, and other malicious activities....