Threat Research

    The threat actor gains initial access through vishing attacks, impersonating internal IT staff to trick victims into entering their credentials and MFA codes on phishing pages. Once access is obtained, the actor quickly identifies and exfiltrates sensitive data from cloud services such as SharePoint and OneDrive, a tactic commonly observed among Com-affiliated groups....
    TUXBOT v3 Evolution, also known as Akiru, is a previously undocumented modular IoT botnet framework designed for large-scale device compromise and DDoS-for-hire operations. The framework targets multiple IoT device families through vulnerability exploitation and extensive Telnet brute-forcing, supporting numerous hardware architectures and encrypted C2 communications....
    First VPN Service was a criminally oriented VPN infrastructure that operated for over a decade and was widely used by ransomware groups and other cybercriminals to conduct network reconnaissance, intrusions, scanning, botnet activity, denial-of-service attacks, and scams....
    IoT devices are increasingly targeted for large-scale attacks due to widespread use, poor patching, and weak security. Threat actors exploit known vulnerabilities to gain access and deploy persistent malware. These infections can spread across devices and enable DDoS attacks. A recent campaign abused CVE-2024-3721 in TBK DVR devices to deliver the Nexcorium Mirai variant....
    Masjesu is a commercially operated IoT botnet active since 2023, offering DDoS-for-hire services through Telegram. It targets a wide range of routers and embedded devices across multiple architectures, using vulnerability exploitation and scanning for propagation....
    Recent escalations between Iran, the U.S., and Israel have coincided with increased cyber threat activity across the Middle East. Destructive incidents, including kinetic attacks affecting AWS data centers in the UAE and Bahrain, have disrupted regional cloud services....
    XWorm v7 RAT is a modular, malware-as-a-service Remote Access Trojan active since 2022, widely adopted by cybercriminals for its ease of deployment and extensive post-compromise capabilities....
    An active Linux-targeting campaign is deploying a Mirai-derived botnet called V3G4, now enhanced with a stealthy XMRig Monero cryptominer that uses a fileless configuration....
    SmokeLoader (also known as Smoke or Dofoil) is a long-standing modular malware loader active since 2011, primarily used to deliver second-stage payloads like trojans, ransomware, and info stealers. It features a plugin-based architecture enabling credential theft, browser hijacking, crypto mining, and DDoS attacks....
    A sophisticated new infostealer and botnet called "Cyber Stealer" was discovered by the Threat Response Unit in May 2025. This multi-functional malware operates on a tiered subscription model with three packages—Regular, Premium, and VIP—offering escalating features from basic stealing to advanced capabilities like DDoS attacks, cryptocurrency mining, and DNS poisoning....