Threat Research

In today’s evolving cybercrime landscape, attackers seek the “perfect” malware—lightweight, modular, and highly stealthy. Underground markets quickly adopt tools that offer strong capabilities while maintaining low detection rates. XWorm has become a leading example of this trend....

Researchers identified a new malware-as-a-service (MaaS) posing as a legitimate remote monitoring and management (RMM) tool called TrustConnect. Its so-called business website—likely auto-generated—actually serves as the login portal for the malware platform....

XWorm v7 RAT is a modular, malware-as-a-service Remote Access Trojan active since 2022, widely adopted by cybercriminals for its ease of deployment and extensive post-compromise capabilities....

Matanbuchus is a C++-based malicious downloader offered as Malware-as-a-Service since 2020. It has evolved through multiple development stages, with version 3.0 observed in the wild in July 2025. The malware allows attackers to deploy additional payloads and execute hands-on-keyboard activity via shell commands....

SantaStealer is a newly emerging malware-as-a-service infostealer promoted on Telegram and underground forums, with a planned release before the end of 2025. Recently rebranded from BluelineStealer, it is designed to steal credentials, documents, wallets, and application data while operating entirely in memory to evade detection....

PhantomVAI Loader is a stealthy, multi-stage loader propagated via phishing that uses obfuscated scripts and steganography to hide payloads. Originally called Katz Stealer Loader for delivering Katz Stealer, it has evolved to deliver multiple infostealers (including Katz, AsyncRAT, XWorm, FormBook and DCRat) and is offered as malware-as-a-service....

After being taken down in May, Lumma Stealer quickly resurfaced. Between June and July, attacks surged again, now using stealthier delivery channels and evasion techniques. This malware can extract sensitive data such as credentials and private files, and its availability as malware-as-a-service (MaaS) makes it accessible even to low-skilled attackers....

Our team has identified a newly rebranded information stealer named Amatera Stealer, derived from ACR Stealer and delivered through complex web inject-based attack chains. Much of its code overlaps with known ACR Stealer samples; it is currently offered as a malware-as-a-service (MaaS) and remains under active development....

DanaBot is a Malware-as-a-Service (MaaS) platform active since 2018, operating through an affiliate model where the developer provides the malware, C2 infrastructure, and support. Affiliates use DanaBot for credential theft, banking fraud, and other malicious activities....

On May 22, 2025, our team revealed further actions tied to Operation Endgame, aimed at disrupting cybercriminal groups like those behind DanaBot. This follows the original 2024 effort that targeted malware such as SmokeLoader, IcedID, and Pikabot....