Threat Research

Pawn Storm, a Russia-aligned APT group, is targeting Ukraine’s defense supply chain and allied nations. It deploys PRISMEX, a modular malware suite using steganography, COM hijacking, and cloud-based C2. The group exploited multiple flaws, including a Windows zero-day (CVE-2026-21513). Malicious .lnk files via CVE-2026-21509 may chain with CVE-2026-21513, per Akamai findings....

DarkSword is a sophisticated iOS full-chain exploit leveraging multiple zero-day vulnerabilities to fully compromise devices running iOS 18.4 to 18.7. Since late 2025, it has been used by commercial surveillance vendors and state-sponsored actors across campaigns targeting regions including Saudi Arabia, Turkey, Malaysia, and Ukraine....

Threat actors are exploiting multiple FortiGate vulnerabilities including CVE-2025-59718, CVE-2025-59719, and the recently patched CVE-2026-24858. to bypass authentication and gain administrative access to firewall devices. After access, they download configuration files containing sensitive data, including service account credentials that can be easily decrypted....

The Coruna exploit kit is a sophisticated toolkit targeting Apple iPhones running iOS 13.0 through 17.2.1, containing five full exploit chains and 23 exploits, including zero-day exploits, that leverage advanced, non-public techniques to bypass iOS security protections....

Reynolds ransomware leverages a Bring Your Own Vulnerable Driver (BYOVD) technique to neutralize endpoint security controls prior to file encryption. It drops a legitimately signed but vulnerable kernel driver, NSecKrnl.sys, and exploits CVE-2025-68947 to gain kernel-level privileges....

The intrusion started in mid-February 2024 when a threat actor exploited CVE-2023-46604 on an exposed Apache ActiveMQ server. By leveraging a Java Spring class and a custom Spring bean XML configuration, the attacker achieved remote code execution. The malicious XML executed a command that used Windows CertUtil to download a payload from a remote server....

VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731) details active exploitation of a pre-authentication RCE flaw in BeyondTrust Remote Support software that enables attackers to execute OS-level commands and fully compromise affected systems....

Two critical zero-day vulnerabilities, CVE-2026-1281 and CVE-2026-1340, are impacting Ivanti Endpoint Manager Mobile (EPMM). They are actively exploited in the wild, targeting enterprise mobile fleets and corporate networks. The flaws allow unauthenticated remote code execution on affected servers....

XWorm is a multi-functional Remote Access Trojan (RAT) first identified in 2022 and still actively distributed, including via Telegram marketplaces. Once installed, it grants attackers full remote control over compromised Windows systems. This campaign uses phishing emails with social engineering tactics to trick recipients into opening a malicious attachment....

APT28, a Russian state-sponsored threat group also known as Fancy Bear or UAC-0001, is conducting a sophisticated espionage campaign against European military and government entities. The operation primarily targets maritime and transportation organizations in Poland, Slovenia, Turkey, Greece, the UAE, and Ukraine....