Threat Research

    FIN7 has been active since at least 2013, previously targeting sectors such as retail, hospitality, and financial services. Over time the group shifted its monetization strategy from POS malware to big-game-hunting ransomware. Although widely analyzed, the group's malware code has changed very little since its early versions....
    The report explores the growing collaboration between China-aligned APT groups, particularly Earth Estries and Earth Naga, in a trend dubbed “Premier Pass-as-a-Service.” This model involves one group, like Earth Estries, acting as an access broker for another, such as Earth Naga, to enable continued exploitation of targets....
    PhantomCard is an Android malware used in NFC relay attacks (ghost tapping) to steal payment card data and commit fraud at ATMs and POS terminals. It's spread via Telegram and possibly the Google Play Store, and is linked to Chinese-speaking cybercriminals targeting financial and retail sectors....
    Since early August 2025, a sophisticated malvertising campaign has been observed where attackers abuse GitHub’s repository forking system to deliver a fake GitHub Desktop client. The attackers create dangling commits by forking legitimate repositories, injecting malicious commits, and then deleting the fake user accounts....
    "Unmasking the new persistent attacks on Japan" reveals an ongoing cyber campaign targeting Japanese organizations across various business verticals, including technology, telecommunications, entertainment, education, and e-commerce, based on our analysis of command and control (C2) server artefacts....
    "DragonForce Ransomware Group is Targeting Saudi Arabia" highlights a recent ransomware attack by DragonForce, which targeted organizations in the Kingdom of Saudi Arabia (KSA). A major incident involved a data breach at a prominent Riyadh real estate and construction company....
    Zloader (also known as Terdot, DELoader, or Silent Night) is a modular Trojan derived from the leaked Zeus source code, first appearing in 2015....
    We have identified sophisticated phishing activities that create customized fake login pages using the victim's email address. This system generates deceptive login pages for various commercial, educational, government, and nonprofit organizations....
    In July 2024, Palo Alto Networks identified Lynx ransomware, a successor to the earlier INC ransomware. Active against sectors such as retail, real estate, and finance in the U.S. and UK, Lynx shares significant source code with INC, which first appeared in August 2023. Only Windows samples of Lynx are currently known; Linux variants have yet to be confirmed....