Threat Research

Cybercriminals are exploiting the heightened political tensions in the Middle East to launch opportunistic cyber campaigns using conflict-themed lures. Thousands of newly registered domains related to the conflict have been identified, many of which may be used for future malicious activity such as phishing, scams, and malware distribution....

Amadey is a malware loader active since 2018, commonly used to deploy second-stage payloads and infostealers. Historically, it has distributed payloads via GitHub repositories. Recent activity reveals a new campaign abusing a compromised, self-hosted GitLab instance to deliver the StealC infostealer....

On October 6, 2025, the developer “Loadbaks” released Vidar Stealer v2.0 on underground forums. The malware was rewritten entirely in C, improving speed and efficiency through a multithreaded architecture. Its launch coincided with a decline in Lumma Stealer activity, driving threat actors toward Vidar and StealC....

Cybercriminals are leveraging social media platforms to distribute malware by disguising it as cracked versions of popular software. Victims are lured to download ZIP files containing password-protected 7-Zip archives, with the passwords often displayed in the file names or download pages. These campaigns frequently use non-ASCII characters in file names to evade detection....

A new social engineering campaign leverages TikTok to spread Vidar and StealC stealers via videos instructing users to run disguised PowerShell commands. Some clips, possibly AI-generated, have reached over 500,000 views, increasing the threat’s exposure. This can lead to credential theft and system compromise for businesses....

A new loader has been identified leveraging the Pascal scripting engine in Inno Setup. It is used to distribute infostealers such as LummaC2, DeerStealer, Rhadamanthys, and StealC. Typically spread via fake application websites, the loader features anti-VM capabilities, XOR-based string encryption, and retrieves payloads from TinyURL using an authentication token....

The report examines the rapid evolution of the StealC malware, with a focus on version 2 (released in March 2025). Notable upgrades include a streamlined C2 protocol, RC4 encryption, and new payload delivery options such as MSI packages and PowerShell scripts. A revamped control panel enables tailored payload deployment based on geolocation, HWID, and installed software....

SmartApeSG is also referred to as ZPHP or HANEYMANEY....