Threat Research

    A targeted campaign is using phishing emails with fake resume (CV) attachments to infect French-speaking corporate environments with heavily obfuscated VBScript malware....
    Malicious OpenClaw Skills Used to Distribute Atomic macOS Stealer describes a campaign in which threat actors shifted Atomic (AMOS) Stealer from cracked software distribution to a supply chain-style attack targeting AI agentic workflows on platforms like OpenClaw....
    XWorm v7 RAT is a modular, malware-as-a-service Remote Access Trojan active since 2022, widely adopted by cybercriminals for its ease of deployment and extensive post-compromise capabilities....
    A software supply chain attack targeted users of EmEditor by distributing a compromised installer that delivered multistage information-stealing malware. The malicious installer enabled credential theft, data exfiltration, and lateral movement, while delaying execution of malicious behavior to evade early detection....
    Between February and September 2025, multiple credential-harvesting campaigns were attributed to BlueDelta, a Russian state-sponsored threat group linked to the GRU. These operations expand on BlueDelta’s ongoing credential-theft activity previously documented in Insikt Group’s December 2025 report. During 2025, BlueDelta targeted a limited but distinct set of victims....
    CastleLoader is a stealthy first-stage malware used in attacks against government organizations and various industries. It employs a multi-stage execution chain—Inno Setup, AutoIt, and process hollowing—to bypass security defenses. The final payload is deployed only in memory after process manipulation, evading traditional static detection....
    The StopRansomware: Akira Ransomware advisory warns of Akira’s expanding operations, including new activity as of Nov. 13, 2025, targeting Windows, Linux, and virtualization platforms....
    The Lynx ransomware intrusion began with an RDP login using stolen credentials, quickly followed by lateral movement to a domain controller using a compromised admin account. The attacker created multiple impersonation-style privileged accounts, mapped virtualization systems and file shares, and gathered sensitive data before exfiltrating it via temp.sh....
    A Vietnam-based threat cluster, tracked as UNC6229, is conducting fake job posting campaigns targeting digital marketing and advertising professionals. The group uses social engineering through legitimate employment platforms and fraudulent recruitment sites to deliver malware or steal credentials....
    SmokeLoader (also known as Smoke or Dofoil) is a long-standing modular malware loader active since 2011, primarily used to deliver second-stage payloads like trojans, ransomware, and info stealers. It features a plugin-based architecture enabling credential theft, browser hijacking, crypto mining, and DDoS attacks....