Threat Research

North Korean threat actors continue to refine their tactics to target cryptocurrency and DeFi organizations. A recent investigation examined an intrusion against a FinTech entity in this sector. The activity was attributed to UNC1069, a financially motivated threat actor active since at least 2018....

Rublevka Team is a large-scale, affiliate-driven crypto-theft operation active since 2023 that has generated over $10 million by luring victims with fake promotions or airdrops and tricking them into signing wallet-draining transactions....

Evelyn Stealer is a multistage information-stealing campaign that abuses the Visual Studio Code extension ecosystem to compromise software developers....

Tangerine Turkey utilizes VBScript-based worms that propagate laterally through removable media such as USB drives. The group relies on living-off-the-land binaries (LOLBins), including wscript.exe and printui.exe, to execute payloads and maintain persistence. To evade detection, they alter registry settings and disguise malicious executables as legitimate system files....

Researchers identified multiple attack campaigns abusing a GeoServer remote code execution flaw (CVE-2024-36401). The attackers indiscriminately scan the internet for exposed and vulnerable GeoServer instances. After gaining access, they install XMRig-based cryptocurrency miners on compromised servers....

On September 8, 2025, a threat actor hijacked the NPM account of developer “qix” (Josh Junon) through a phishing email impersonating NPM Support. After stealing credentials via a fake NPM login page, the attacker injected a JavaScript clipper into 20 popular NPM packages, redirecting cryptocurrency transactions to attacker-controlled wallets....

BlueNoroff (also known as APT38, Sapphire Sleet, and TA444) — a financially motivated North Korean threat group — continues its SnatchCrypto operation, targeting blockchain developers and Web3 executives. The group has evolved its tactics with new infiltration methods and malware families....

Astaroth is a stealthy banking trojan that has evolved to become more resilient by abusing GitHub. Instead of relying solely on traditional command-and-control (C2) servers, it uses GitHub repositories to host malware configurations, allowing it to stay active even when C2 infrastructure is taken down....

SORVEPOTEL has been found spreading across Windows systems, accompanied by a message prompting users to open it on a desktop—indicating that the attackers are likely targeting enterprise environments....

On September 15, attackers launched a targeted phishing campaign to compromise NPM maintainer accounts and inject malicious code into popular JavaScript packages. The attack enabled supply chain compromise, affecting key packages used in application development and cryptography....