Threat Research

    VoidLink is a sophisticated malware framework composed of custom loaders, implants, rootkits, and modular plugins that enable persistent access to Linux systems. It is built to function reliably in cloud and containerized environments, with a strong focus on long-term operations....
    UAT-8099 is a Chinese-speaking cybercrime group targeting high-value IIS servers in countries like India, Thailand, Vietnam, Canada, and Brazil to conduct SEO fraud and steal credentials, config files, and certificates. They use web shells, Cobalt Strike, and BadIIS malware to manipulate search rankings and maintain persistence....
    The intrusion started with a JavaScript file linked to the Lunar Spider group, disguised as a tax form, which downloaded and executed Brute Ratel via an MSI installer. Throughout the attack, various malware strains were deployed, including Latrodectus, Brute Ratel C4, Cobalt Strike, BackConnect, and a custom .NET backdoor....
    UAT-7237 is a Chinese-speaking APT group active since at least 2022, with strong links to UAT-5918. It recently targeted web infrastructure entities in Taiwan, using heavily customized open-source tools to evade detection and maintain long-term persistence in high-value environments....
    Between March and June 2025, multiple China-aligned threat actors intensified cyber espionage efforts against Taiwan’s semiconductor industry. Groups such as UNK_FistBump, UNK_DropPitch, and UNK_SparkyCarp launched phishing campaigns delivering tools like Cobalt Strike, the Voldemort backdoor, and AiTM phishing kits....
    A new wave of SquidLoader malware is actively targeting financial institutions in Hong Kong. This advanced malware demonstrates strong evasion techniques, showing near-zero detection on VirusTotal during analysis. SquidLoader’s attack chain leads to the deployment of a Cobalt Strike Beacon, enabling remote access and control....
    This report examines a recent ransomware attack by the BlackSuit group, a successor to the Royal ransomware family. Known for its hybrid tactics, BlackSuit combines data exfiltration with encryption, using advanced tools like PsExec, Cobalt Strike, RDP, and rclone to execute commands, move laterally, and extract data....
    A Chinese-speaking threat group, tracked as UAT-6382, is exploiting a zero-day vulnerability (CVE-2025-0994) in Cityworks, a popular asset management system, to gain remote code execution. The attackers deploy web shells such as AntSword and Chopper on IIS servers....
    "Operator Bloopers: Cobalt Strike Commands" refers to the accidental use of Cobalt Strike commands in the CMD shell, which can potentially expose the attacker's activities. These mistakes may lead to detection by security systems and compromise the stealth of the operation....
    This intrusion began in late January 2024 when a user downloaded and executed a file named setup_wm.exe, which mimicked the legitimate Microsoft Windows Media Configuration Utility. The file was actually a Cobalt Strike beacon, establishing an outbound connection upon execution....