Threat Research

    Medusa has emerged as one of the most active ransomware-as-a-service groups, ranking among the top 10 threats in 2025 and impacting over 500 organizations by January 2026....
    Researchers identified multiple attack campaigns abusing a GeoServer remote code execution flaw (CVE-2024-36401). The attackers indiscriminately scan the internet for exposed and vulnerable GeoServer instances. After gaining access, they install XMRig-based cryptocurrency miners on compromised servers....
    A financially motivated threat actor deploying DeadLock ransomware has adopted new tactics, including a previously unknown BYOVD loader that exploits a Baidu Antivirus driver vulnerability (CVE-2024-51324) to disable EDR protections....
    Despite U.S. sanctions, Intellexa continues selling its Predator spyware and remains one of the most aggressive exploit operators, rapidly developing or acquiring mobile zero-days....
    A major botnet campaign, dubbed RondoDox, is actively exploiting over 50 known vulnerabilities in routers, DVRs, NVRs, CCTV systems, and web servers from more than 30 vendors. Organizations with internet-facing infrastructure face heightened risks of data theft, persistent access, and operational disruption....
    Raspberry Robin, or Roshtyak, is a malicious downloader active since 2021, primarily spreading via infected USB drives. It continues to evolve with enhanced evasion techniques and improved functionality despite limited public reporting. Our previous analysis covers its core behavior, while this blog highlights recent updates and capabilities....
    According to reliable third-party incident response data, threat actors exploited the listed vulnerabilities to achieve initial access, gain remote code execution (RCE), acquire credentials, and deploy webshells on victim networks....