Threat Research

A targeted campaign is using phishing emails with fake resume (CV) attachments to infect French-speaking corporate environments with heavily obfuscated VBScript malware....

ShadowHS is a stealth-focused, fileless Linux intrusion framework derived from the original hackshell utility and designed for long-term, interactive operator control. It executes entirely in memory using a highly obfuscated loader, leaving no disk artifacts while prioritizing host fingerprinting, defensive evasion, and operator safety before enabling higher-risk actions....

Tangerine Turkey utilizes VBScript-based worms that propagate laterally through removable media such as USB drives. The group relies on living-off-the-land binaries (LOLBins), including wscript.exe and printui.exe, to execute payloads and maintain persistence. To evade detection, they alter registry settings and disguise malicious executables as legitimate system files....

Since December 2025, multiple incidents in Japan have been linked to the exploitation of React2Shell (CVE-2025-55182), a remote code execution flaw affecting React and Next.js applications. While most attacks deployed coin miners, investigators identified a previously undocumented malware named ZnDoor....

An active Linux-targeting campaign is deploying a Mirai-derived botnet called V3G4, now enhanced with a stealthy, fileless-configured XMRig Monero cryptominer....

SmokeLoader (also known as Smoke or Dofoil) is a long-standing modular malware loader active since 2011, primarily used to deliver second-stage payloads like trojans, ransomware, and info stealers. It features a plugin-based architecture enabling credential theft, browser hijacking, crypto mining, and DDoS attacks....

A sophisticated new infostealer and botnet called "Cyber Stealer" was discovered by the Threat Response Unit in May 2025. This multi-functional malware operates on a tiered subscription model with three packages—Regular, Premium, and VIP—offering escalating features from basic stealing to advanced capabilities like DDoS attacks, cryptocurrency mining, and DNS poisoning....

We recently investigated a cluster of VPSs used for Monero mining, linked to updated samples from past H2miner campaigns. H2miner, active since late 2019, is a crypto-mining botnet, while Lcryx (aka Lcrypt0rx) is a VBScript-based ransomware first seen in November 2024....

Cybercriminals have crafted a new attack method that leverages misconfigured Docker remote APIs and the Tor network to conduct covert cryptocurrency mining. Once inside containerized environments, attackers use Tor to conceal their operations while deploying crypto miners....

Outlaw, also known as "Dota," is a Perl-based crypto-mining botnet targeting Linux systems by exploiting weak or default SSH credentials. While previously observed in honeypots, a recent real-world incident in Brazil highlights its continued effectiveness....