Threat Research

    Pawn Storm, a Russia-aligned APT group, is targeting Ukraine’s defense supply chain and allied nations. It deploys PRISMEX, a modular malware suite using steganography, COM hijacking, and cloud-based C2. The group exploited multiple flaws, including a Windows zero-day (CVE-2026-21513). Malicious .lnk files via CVE-2026-21509 may chain with CVE-2026-21513, per Akamai findings....
    Boggy Serpens (also known as MuddyWater), an Iranian state-linked threat group associated with MOIS, continues to conduct cyberespionage campaigns targeting diplomatic entities and critical infrastructure sectors such as energy, maritime, and finance....
    Since at least 2020, we have observed a cluster of activity targeting high-value organizations across South, Southeast, and East Asia. The attacks focus on critical sectors including aviation, energy, government, law enforcement, pharmaceutical, technology, and telecommunications. This ongoing and previously undocumented activity is being tracked as CL-UNK-1068....
    A dramatic and dangerous phase in Middle Eastern geopolitics has begun with open conflict between Iran, Israel, and the United States. Last week, U.S. and Israeli forces launched Operation Lion’s Roar, targeting Iranian military and nuclear facilities. Iran retaliated, escalating the conflict across the region....
    On 28 February 2026, U.S. and Israeli forces launched combined air and cyber attacks that disrupted Iranian communications networks and critical systems....
    The Shadow Campaigns reveal a highly sophisticated, state-aligned cyberespionage group tracked as TGR-STA-1030, assessed to operate out of Asia and responsible for extensive compromises of government and critical infrastructure organizations worldwide....
    UAT-8837 is a China-nexus threat actor assessed with medium confidence to specialize in gaining initial access to high-value organizations, with a clear focus on critical infrastructure targets in North America since at least 2025....
    UAT-7290 is a sophisticated threat actor active since at least 2022, focused on gaining initial access and conducting espionage against high-value telecommunications and critical infrastructure targets in South Asia....
    RansomHouse is a ransomware-as-a-service operation run by the group known as Jolly Scorpius. Recent malware samples show a major upgrade in the group’s encryption capabilities. This analysis examines the encryption changes and their implications for defenders. Jolly Scorpius employs a double extortion model, combining data theft with file encryption....
    Silent Lynx is an espionage-driven APT group known for spear-phishing campaigns impersonating government officials to target Central Asian, Russian, and Southeast Asian entities. Recent analysis shows the group’s slow tactical evolution, using fake RAR archives and malicious .NET implants, while making operational errors that exposed new infrastructure....