Threat Research

    These scam messages falsely claim a charge for a product or subscription. They include a support number for recipients to call about the charge. Scammers wait for victims to call and attempt to cancel the fake billing. The operators then request credit card or other sensitive information. Recently, these scams have increasingly used calendar invites....
    A Vietnam-based threat cluster, tracked as UNC6229, is conducting fake job posting campaigns targeting digital marketing and advertising professionals. The group uses social engineering through legitimate employment platforms and fraudulent recruitment sites to deliver malware or steal credentials....
    In August 2025, Labs uncovered an SEO poisoning campaign targeting Chinese-speaking users. The attackers boosted the search rankings of malicious sites using SEO plugins and registered deceptive domains that closely resembled legitimate software websites....
    EvilAI disguises itself as legitimate productivity or AI tools, using professional interfaces and valid digital signatures to avoid detection. It has spread globally, with the greatest impact seen in Europe, the Americas, and the AMEA region. Targeted sectors include manufacturing, government/public services, and healthcare....
    Threat actors are registering domains resembling the 2026 FIFA World Cup to host suspicious or malicious content. With ticket access rolling out in phases over a year in advance, attackers are ramping up early via fraudulent sites. A spike in FIFA-related domain registrations was observed in June 2025, a year ahead of the event....
    We’ve identified an SMS phishing (smishing) campaign posing as the California Franchise Tax Board. The fraudulent websites use domain names that combine terms like “FTB,” “CA,” and “gov” to deceive users. These sites falsely promise tax refunds, but their true purpose is to harvest sensitive personal information, including Social Security numbers, addresses, and payment details...
    Our team discovered an Android malware, “SikkahBot,” active since July 2024, targeting students in Bangladesh. Disguised as apps from the Bangladesh Education Board, it lures users with fake scholarships to steal sensitive data....
    We identified an email campaign promoting fake luxury shopping sites via enticing subject lines and links. The sites mimic legitimate stores, redirect to PayPal for payment, and show deep discounts on luxury items. Domains are tied to malicious IPs, mostly in Vietnam (AS 149137, AS 149123, AS 149125), and hosted via US-based cloud providers....
    RedHook is a sophisticated Android banking trojan targeting Vietnamese users via fake government and financial websites. It uses WebSocket to connect to its command server and supports over 30 remote commands for full device control. Likely developed by a Chinese-speaking group, it remains stealthy with low antivirus detection....
    A variant of the Android-based Remote Access Trojan (RAT) known as SpyMax is currently being distributed through social engineering campaigns. Cybercriminals are targeting mobile users by spreading fake apps—such as counterfeit versions of Telegram or wedding invitation apps—via messaging platforms like WhatsApp....