Threat Research

    Researchers uncovered and analyzed the full source code of an AI-driven AiTM phishing platform called “UPMI ULTIMATE,” linked to a group named “Team Unlimited.” The code was retrieved from an exposed central server that manages licensing, intelligence sharing, and remote control for all client instances....
    A supply chain attack compromised the LiteLLM AI proxy package on PyPI, with malicious versions delivering a multi-stage payload that harvested credentials, enabled Kubernetes lateral movement, and established persistent backdoor access for remote code execution....
    A state-sponsored threat cluster tracked as CL-STA-1087, suspected to be linked to China, has conducted a long-term cyber espionage campaign targeting military organizations in Southeast Asia since at least 2020. The attackers focused on collecting sensitive intelligence related to military capabilities, organizational structures, and cooperation with Western armed forces....
    Osiris ransomware is a modern, enterprise-focused threat that conducts targeted intrusions involving deep network compromise, data exfiltration, and double-extortion tactics before encrypting victim systems....
    The team observed increased threat activity matching tactics linked to previous ShinyHunters extortion campaigns. These operations rely heavily on advanced voice phishing (vishing) techniques. Attackers use victim-branded credential harvesting sites to capture SSO credentials and MFA codes. With initial access gained, they pivot into corporate cloud environments....
    Between February and September 2025, multiple credential-harvesting campaigns were attributed to BlueDelta, a Russian state-sponsored threat group linked to the GRU. These operations expand on BlueDelta’s ongoing credential-theft activity previously documented in Insikt Group’s December 2025 report. During 2025, BlueDelta targeted a limited but distinct set of victims....
    UAT-8837 is a China-nexus threat actor assessed with medium confidence to specialize in gaining initial access to high-value organizations, with a clear focus on critical infrastructure targets in North America since at least 2025....
    GoBruteforcer is a Linux-based botnet that converts compromised servers into distributed scanners and password brute-force nodes targeting internet-exposed services such as phpMyAdmin, MySQL, PostgreSQL, and FTP....
    The intrusion started with a JavaScript file linked to the Lunar Spider group, disguised as a tax form, which downloaded and executed Brute Ratel via an MSI installer. Throughout the attack, various malware strains were deployed, including Latrodectus, Brute Ratel C4, Cobalt Strike, BackConnect, and a custom .NET backdoor....
    In February 2025, TA406 launched phishing campaigns against Ukrainian government entities, delivering both credential-harvesting tools and malware. The campaigns were likely aimed at gathering intelligence related to the ongoing Russian invasion. TA406 is a DPRK state-sponsored threat group, also known as Opal Sleet or Konni....