Threat Research

In Q1 2026, an Iran-linked espionage campaign targeted at least nine organizations across four continents, affecting sectors such as manufacturing, education, finance, government, and professional services....
This campaign involves a trojanized version of the legitimate HWMonitor application used to deliver the STX RAT malware. The attackers leveraged DLL sideloading to execute malicious payloads through trusted binaries, helping evade detection....
This campaign demonstrates how ClickFix-style social engineering continues to evolve into an effective initial access technique for delivering sophisticated malware frameworks....
A newly identified set of China-aligned campaigns is targeting government entities and critical infrastructure across South, East, and Southeast Asia, plus one NATO member state. This activity is being tracked as SHADOW-EARTH-053....
A new variant of the LOTUSLITE backdoor, attributed with moderate confidence to Mustang Panda, is targeting India’s banking sector using DLL sideloading with legitimate Microsoft-signed executables. The malware communicates with a dynamic DNS-based C2 over HTTPS and enables remote shell access, file operations, and session control, indicating espionage-driven objectives....
The attack starts with SEO poisoning, luring users searching for YubiKey Manager into downloading a malicious ISO file. It then executes a complex chain using DLL sideloading and PowerShell to evade defenses by adding Windows Defender exclusions. An obfuscated AutoIt script disguised as Health.exe decrypts and decompresses the Lumma Stealer payload....
A watering hole attack compromised the official CPUID website, replacing legitimate download links for popular tools like CPU-Z and HWMonitor with malicious versions....
A threat cluster tracked as UAT-10362 APT is conducting spear-phishing campaigns targeting Taiwanese NGOs and academic institutions, delivering a newly identified malware family called LucidRook. The malware uses a DLL-based stager embedding Lua and Rust components to execute staged payloads, with region-specific checks to target Traditional Chinese environments....
CRESCENTHARVEST is a targeted cyberespionage campaign using protest-themed lures to infect Farsi-speaking individuals with malicious .LNK files disguised as media content. The malware, deployed via DLL sideloading with a signed Google executable, acts as a remote access trojan and information stealer capable of keylogging, command execution, and data exfiltration....
New Dohdoor Malware Campaign Targets Education and Health Care outlines a phishing-driven, multi-stage attack primarily impacting U.S. education and healthcare organizations....