Threat Research

Researchers are tracking ongoing Contagious Interview campaign activity by NICKEL ALLEY, a North Korea–linked threat group. The group targets tech professionals using fake job postings and deceptive interview processes. Victims are tricked into downloading malware during these staged recruitment steps....

Since at least 2020, we have observed a cluster of activity targeting high-value organizations across South, Southeast, and East Asia. The attacks focus on critical sectors including aviation, energy, government, law enforcement, pharmaceutical, technology, and telecommunications. This ongoing and previously undocumented activity is being tracked as CL-UNK-1068....

Seedworm (also known as MuddyWater) has been observed conducting cyber espionage activities against multiple organizations in the United States and Canada since early 2026. Targeted entities include a U.S. bank, airport, defense-related software company, and non-profit organizations....

Two critical zero-day vulnerabilities, CVE-2026-1281 and CVE-2026-1340, are impacting Ivanti Endpoint Manager Mobile (EPMM). They are actively exploited in the wild, targeting enterprise mobile fleets and corporate networks. The flaws allow unauthenticated remote code execution on affected servers....

Stan Ghouls (also known as Bloody Wolf) is a cybercriminal group active since at least 2023, conducting highly targeted campaigns primarily against manufacturing, finance, and IT organizations across Russia and Central Asia....

The Notepad++ supply chain attack exploited a compromised update infrastructure to deliver malicious updates through multiple, constantly rotating execution chains, C2 servers, and payloads....

Evelyn Stealer is a multistage information-stealing campaign that abuses the Visual Studio Code extension ecosystem to compromise software developers....

UNG0801 is a persistent threat cluster originating from Western Asia that targets enterprise organizations in Israel using Hebrew-language phishing lures disguised as routine internal communications. The campaigns heavily rely on antivirus icon spoofing, abusing trusted brands such as SentinelOne and Check Point to gain user trust....

In August 2025, an intrusion targeting an Asian subsidiary of a major European manufacturer was investigated and assessed as likely carried out by the North Korea–linked group UNC2970, aligning with Operation DreamJob. The attack began with a targeted WhatsApp message to a project engineer and used variants of the BURNBOOK loader and MISTPEN backdoor....

A highly automated, multi-stage phishing kit has been uncovered impersonating the major Italian IT provider Aruba S.p.A., a company central to Italy’s digital infrastructure. The kit uses CAPTCHA filtering, data pre-filling, and Telegram-based exfiltration to steal credentials and payment information efficiently and stealthily....