Threat Research

A stealthy malware campaign is abusing digitally signed remote monitoring and management (RMM) tools to gain persistent access and evade detection. The attack leverages legitimate file-hosting updater mechanisms to execute cloud-syncing processes, enabling disguised traffic and potential data exfiltration....

A targeted campaign is using phishing emails with fake resume (CV) attachments to infect French-speaking corporate environments with heavily obfuscated VBScript malware....

Threat actors are exploiting multiple FortiGate vulnerabilities including CVE-2025-59718, CVE-2025-59719, and the recently patched CVE-2026-24858. to bypass authentication and gain administrative access to firewall devices. After access, they download configuration files containing sensitive data, including service account credentials that can be easily decrypted....

Since late December 2025, the team has handled multiple incidents involving voice-based phishing (vishing) leading to data theft and extortion. These attacks have targeted organizations across Financial Services, Manufacturing, Professional & Legal Services, and Wholesale & Retail sectors....

Pakistan-linked threat actor APT36 (Transparent Tribe) has shifted to an AI-assisted malware development model known as “vibeware,” generating large volumes of disposable implants using niche programming languages such as Nim, Zig, and Crystal to evade traditional detection....

Seedworm (also known as MuddyWater) has been observed conducting cyber espionage activities against multiple organizations in the United States and Canada since early 2026. Targeted entities include a U.S. bank, airport, defense-related software company, and non-profit organizations....

On Feb. 28, 2026, joint US–Israel strikes reduced Iran’s internet connectivity to 1–4%, disrupting leadership communications and degrading command-and-control across state networks. Security teams identified an SMS/phishing campaign distributing a trojanized Israeli Home Front Command RedAlert APK for surveillance and data exfiltration....

CRESCENTHARVEST is a targeted cyberespionage campaign using protest-themed lures to infect Farsi-speaking individuals with malicious .LNK files disguised as media content. The malware, deployed via DLL sideloading with a signed Google executable, acts as a remote access trojan and information stealer capable of keylogging, command execution, and data exfiltration....

Malicious OpenClaw Skills Used to Distribute Atomic macOS Stealer describes a campaign in which threat actors shifted Atomic (AMOS) Stealer from cracked software distribution to a supply chain-style attack targeting AI agentic workflows on platforms like OpenClaw....

VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731) details active exploitation of a pre-authentication RCE flaw in BeyondTrust Remote Support software that enables attackers to execute OS-level commands and fully compromise affected systems....