Threat Research

Boggy Serpens (also known as MuddyWater), an Iranian state-linked threat group associated with MOIS, continues to conduct cyberespionage campaigns targeting diplomatic entities and critical infrastructure sectors such as energy, maritime, and finance....

Since at least 2020, we have observed a cluster of activity targeting high-value organizations across South, Southeast, and East Asia. The attacks focus on critical sectors including aviation, energy, government, law enforcement, pharmaceutical, technology, and telecommunications. This ongoing and previously undocumented activity is being tracked as CL-UNK-1068....

Rising tensions between the United States, Israel, and Iran have increased the likelihood of cyber operations accompanying military activity. Iranian state-aligned threat actors have historically targeted sectors such as energy, financial services, government, and defense to weaken response capabilities before or during conflict....

Between February and September 2025, multiple credential-harvesting campaigns were attributed to BlueDelta, a Russian state-sponsored threat group linked to the GRU. These operations expand on BlueDelta’s ongoing credential-theft activity previously documented in Insikt Group’s December 2025 report. During 2025, BlueDelta targeted a limited but distinct set of victims....

During October and November 2025, a series of campaigns targeting the energy, defense, pharmaceutical, and cybersecurity sectors displayed traits consistent with earlier operations linked to Void Rabisu (also known as ROMCOM, Tropical Scorpius, or Storm-0978)....

As of mid-September 2025, GOLD SALEM has named 60 victims, placing it mid-tier among active ransomware groups. Its targets range from small entities to major multinational firms across North America, Europe, and South America. Consistent with typical ransomware behavior, the group has mostly avoided victims in China and Russia....

A new cyber-espionage campaign dubbed Operation BarrelFire has been uncovered, attributed to a newly tracked threat group named Noisy Bear. Active since April 2025, Noisy Bear has primarily targeted entities in Kazakhstan's Oil and Gas sector, including KazMunaiGas (KMG). The attack begins with a phishing email containing a ZIP file disguised as an internal KMG document....

A newly identified threat actor group, Curly COMrades, is targeting critical organizations in geopolitically sensitive regions, including government bodies in Georgia and an energy company in Moldova. Believed to support Russian interests, the group aims to maintain long-term access, steal credentials, and exfiltrate data....

A recent Android phishing campaign targeting Indian users disguises itself as a government electricity subsidy service. The attackers use social engineering tactics, including YouTube videos, fake government-like websites, and a GitHub-hosted malicious APK, to trick users into installing malware....

CVE-2025-53770 and CVE-2025-53771 impact on-premise Microsoft SharePoint Servers, enabling malicious file uploads and cryptographic key theft. These evolved from earlier flaws (CVE-2025-49704/49706), where incomplete patches left systems vulnerable to unauthenticated RCE via deserialization and ViewState abuse....