Threat Research

    Threat actors are exploiting multiple FortiGate vulnerabilities, including CVE-2025-59718, CVE-2025-59719, and the recently patched CVE-2026-24858, to bypass authentication and gain administrative access to firewall devices. After access, they download configuration files containing sensitive data, including service account credentials that can be easily decrypted....
    Reynolds ransomware leverages a Bring Your Own Vulnerable Driver (BYOVD) technique to neutralize endpoint security controls prior to file encryption. It drops a legitimately signed but vulnerable kernel driver, NSecKrnl.sys, and exploits CVE-2025-68947 to gain kernel-level privileges....
    Labs identified a web shell dubbed “EncystPHP” with advanced capabilities such as remote command execution, persistence, and web shell deployment. The attacks began in early December last year and spread through exploitation of the FreePBX vulnerability CVE-2025-64328. The activity is linked to the hacker group INJ3CTOR3, first observed in 2020 targeting CVE-2019-19006....
    Multiple threat actors, including Russia- and China-linked state-sponsored groups as well as financially motivated attackers, are actively exploiting the critical CVE-2025-8088 flaw in WinRAR. The vulnerability, patched in July 2025, allows path traversal to drop malicious files into the Windows Startup folder, enabling persistence and payload delivery....
    UAT-8837 is a China-nexus threat actor assessed with medium confidence to specialize in gaining initial access to high-value organizations, with a clear focus on critical infrastructure targets in North America since at least 2025....
    Medusa has emerged as one of the most active ransomware-as-a-service groups, ranking among the top 10 threats in 2025 and impacting over 500 organizations by January 2026....
    Since December 2025, multiple incidents in Japan have been linked to the exploitation of React2Shell (CVE-2025-55182), a remote code execution flaw affecting React and Next.js applications. While most attacks deployed coin miners, investigators identified a previously undocumented malware named ZnDoor....
    Identifies suspicious child processes launched by Node.js server processes on Windows, which may signal exploitation of vulnerabilities such as CVE-2025-55182 (React2Shell)....
    On December 3, 2025, a critical unauthenticated RCE vulnerability in React Server Components, tracked as CVE-2025-55182 (“React2Shell”), was publicly disclosed. Shortly thereafter, the team observed widespread exploitation by diverse threat actors, from cybercriminals to suspected espionage groups....
    A critical React Server Components vulnerability, CVE-2025-55182, allows unauthenticated remote code execution and has already been exploited in the wild. Attackers have conducted automated scanning, reconnaissance, credential theft, and deployed malicious scripts, droppers, and reverse shells, including activity linked to a PRC-associated access broker....