Threat Research

    In late February 2026, analysts detected malicious activity on Android devices linked to the Keenadu backdoor. Keenadu is a firmware-level infection embedded in libandroid_runtime.so, injecting itself into the Zygote process. Since Zygote spawns all apps, this gives attackers near-total control over infected devices....
    Identity compromise remains a major threat to cloud infrastructure, allowing attackers with valid credentials to evade traditional security controls. In AWS, such compromises often involve abuse of the Simple Email Service (SES) for illicit email operations. Recent investigations revealed a campaign where stolen AWS credentials were used to exploit SES....
    Since April 2025, we've observed a surge in email phishing targeting Japanese speakers. These campaigns impersonate companies like Amazon, Apple, and Japan Airlines. Emails often appear as fake purchase notices or safety alerts with convincing phishing links. Early attacks included fake Amazon CAPTCHA pages to steal user credentials....
    Our team has observed a surge in large-scale phishing campaigns written in Japanese, primarily targeting organizations in Japan using a phishing kit known as CoGUI. These campaigns often impersonate well-known consumer and payment brands like Amazon, PayPay, and Rakuten. CoGUI is a stealthy phishing framework designed to evade detection, with Japan being its main focus....
    We recently analyzed 31 PDF files containing links to phishing sites impersonating Amazon. Notably, none of these PDFs had been submitted to VirusTotal at the time of discovery. The initial URLs in the PDFs redirect to subdomains of duckdns[.]org, which host the phishing websites....
    With smartphones playing a central role in daily life, malicious apps have become more deceptive and sophisticated. Recently, we identified a seemingly innocent app called “BMI CalculationVsn” on the Amazon Appstore, which secretly stole package names of installed apps and intercepted incoming SMS messages while posing as a health tool....