Threat Research

    Pawn Storm, a Russia-aligned APT group, is targeting Ukraine’s defense supply chain and allied nations. It deploys PRISMEX, a modular malware suite using steganography, COM hijacking, and cloud-based C2. The group exploited multiple flaws, including a Windows zero-day (CVE-2026-21513). Malicious .lnk files via CVE-2026-21509 may chain with CVE-2026-21513, per Akamai findings....
    The report highlights a rise in model extraction (“distillation”) attacks aimed at stealing proprietary AI logic, alongside the growing integration of generative AI into real-world threat operations....
    Stan Ghouls (also known as Bloody Wolf) is a cybercriminal group active since at least 2023, conducting highly targeted campaigns primarily against manufacturing, finance, and IT organizations across Russia and Central Asia....
    APT28, a Russian state-sponsored threat group also known as Fancy Bear or UAC-0001, is conducting a sophisticated espionage campaign against European military and government entities. The operation primarily targets maritime and transportation organizations in Poland, Slovenia, Turkey, Greece, the UAE, and Ukraine....
    Rublevka Team is a large-scale, affiliate-driven crypto-theft operation active since 2023 that has generated over $10 million by luring victims with fake promotions or airdrops and tricking them into signing wallet-draining transactions....
    In January 2026, an in-the-wild campaign dubbed Operation Neusploit targeting Central and Eastern Europe was uncovered. The attackers used malicious Microsoft RTF files to exploit CVE-2026-21509 and deploy backdoors via a multi-stage infection chain....
    Multiple threat actors, including Russia- and China-linked state-sponsored groups as well as financially motivated attackers, are actively exploiting the critical CVE-2025-8088 flaw in WinRAR. The vulnerability, patched in July 2025, allows path traversal to drop malicious files into the Windows Startup folder, enabling persistence and payload delivery....
    Labs have uncovered a multi-stage malware campaign mainly targeting users in Russia. The attack starts with social engineering via business-themed documents that appear routine and harmless. These files distract victims with fake tasks or status messages while malicious processes run in the background....
    PHALT#BLYX is a multi-stage malware campaign targeting the hospitality sector that relies on click-fix social engineering, fake CAPTCHAs, and fake BSOD pages delivered via Booking.com–themed phishing lures....
    UAC-0184, also known as Hive0156, is a Russia-aligned threat actor that conducts cyber operations against Ukraine using commercially available malware and lure documents. The group primarily targets Ukrainian military personnel by distributing weaponized LNK files or PowerShell scripts that result in Remcos malware infections....