Threat Research

Security researchers have discovered OverlayPhantom, a new Android banking trojan spreading through malicious URLs. The malware utilizes a two-stage infection process, relying on dropper apps that impersonate trusted platforms like TikTok and the Austrian government’s "ID Austria" app to trick users....

The Xinference PyPI supply chain attack involved malicious package versions (2.6.0–2.6.2) that executed hidden, obfuscated code when imported. The payload used techniques like base64 encoding to evade detection and silently run in the background....

CrySome RAT represents a modular, userland-focused post-exploitation framework emphasizing persistence, evasion, and operator control(Keylogger, Credential harvesting, RDP, HVNC). While it does not exhibit kernel-level sophistication, its combination of defense evasion techniques and surveillance capabilities makes it effective against poorly monitored environments....

Researchers uncovered and analyzed the full source code of an AI-driven AiTM phishing platform called “UPMI ULTIMATE,” linked to a group named “Team Unlimited.” The code was retrieved from an exposed central server that manages licensing, intelligence sharing, and remote control for all client instances....

A supply chain attack compromised the LiteLLM AI proxy package on PyPI, with malicious versions delivering a multi-stage payload that harvested credentials, enabled Kubernetes lateral movement, and established persistent backdoor access for remote code execution....

A state-sponsored threat cluster tracked as CL-STA-1087, suspected to be linked to China, has conducted a long-term cyber espionage campaign targeting military organizations in Southeast Asia since at least 2020. The attackers focused on collecting sensitive intelligence related to military capabilities, organizational structures, and cooperation with Western armed forces....

Osiris ransomware is a modern, enterprise-focused threat that conducts targeted intrusions involving deep network compromise, data exfiltration, and double-extortion tactics before encrypting victim systems....

The team observed increased threat activity matching tactics linked to previous ShinyHunters extortion campaigns. These operations rely heavily on advanced voice phishing (vishing) techniques. Attackers use victim-branded credential harvesting sites to capture SSO credentials and MFA codes. With initial access gained, they pivot into corporate cloud environments....

Between February and September 2025, multiple credential-harvesting campaigns were attributed to BlueDelta, a Russian state-sponsored threat group linked to the GRU. These operations expand on BlueDelta’s ongoing credential-theft activity previously documented in Insikt Group’s December 2025 report. During 2025, BlueDelta targeted a limited but distinct set of victims....

UAT-8837 is a China-nexus threat actor assessed with medium confidence to specialize in gaining initial access to high-value organizations, with a clear focus on critical infrastructure targets in North America since at least 2025....