Threat Research

The Notepad++ supply chain attack exploited a compromised update infrastructure to deliver malicious updates through multiple, constantly rotating execution chains, C2 servers, and payloads....

UAT-8099 is an active threat actor targeting vulnerable Internet Information Services (IIS) servers across Asia, with a strong focus on Thailand and Vietnam from late 2025 to early 2026. The campaign shows significant overlap with the WEBJACK operation, sharing malware hashes, C2 infrastructure, and victimology....

A Vietnam-based threat cluster, tracked as UNC6229, is conducting fake job posting campaigns targeting digital marketing and advertising professionals. The group uses social engineering through legitimate employment platforms and fraudulent recruitment sites to deliver malware or steal credentials....

UAT-8099 is a Chinese-speaking cybercrime group targeting high-value IIS servers in countries such as India, Thailand, Vietnam, Canada, and Brazil to conduct SEO fraud and steal credentials, config files, and certificates. They use web shells, Cobalt Strike, and BadIIS malware to manipulate search rankings and maintain persistence....

We identified an email campaign promoting fake luxury shopping sites via enticing subject lines and links. The sites mimic legitimate stores, redirect to PayPal for payment, and show deep discounts on luxury items. Domains are tied to malicious IPs, mostly in Vietnam (AS 149137, AS 149123, AS 149125), and hosted via US-based cloud providers....

RedHook is a sophisticated Android banking trojan targeting Vietnamese users via fake government and financial websites. It uses WebSocket to connect to its command server and supports over 30 remote commands for full device control. Likely developed by a Chinese-speaking group, it remains stealthy with low antivirus detection....

Since mid-2024, the cyber threat group UNC6032 has exploited public interest in AI tools by creating fake websites that mimic popular AI video generators such as Luma AI and Canva Dream Lab. These fraudulent sites are promoted through deceptive ads on platforms such as Facebook and LinkedIn, distributing malware including Python-based infostealers and backdoors....

The Earth Kurma APT campaign targets government and telecommunications sectors in Southeast Asia, particularly in the Philippines, Vietnam, Thailand, and Malaysia. This sophisticated attack uses advanced malware, including custom rootkits, and cloud storage for data exfiltration....

A newly identified botnet called RustoBot is spreading through TOTOLINK routers. It is written in Rust, a programming language known for its speed and memory safety. RustoBot exploits command injection vulnerabilities in the cstecgi.cgi script, including CVE-2022-26210 and CVE-2022-26187, to achieve remote code execution....

Lotus Blossom (aka Spring Dragon, Billbug, Thrip) is an espionage group active since 2012. Our assessment links the group's campaigns through shared TTPs, backdoors, and victim profiles. Since at least 2016, Lotus Blossom has used the Sagerunex backdoor, increasingly leveraging persistent command shells and evolving new Sagerunex variants....