Threat Research

    A China-linked cyber-espionage campaign attributed to UNC5221 targeted U.S. law firms and technology organizations. The attackers exploited zero-day vulnerabilities, deployed the BRICKSTORM backdoor, and maintained access for over a year to steal sensitive legal, trade, and national security information....
    Operation Dragon Weave is a suspected China-linked cyberespionage campaign targeting government officials and citizens in the Czech Republic and Taiwan through spearphishing emails containing malicious ZIP attachments....
    A multi-step ClickFix attack was detected using brand squatting, clipboard decoys, and multi-stage payloads disguised as logs or images. The threat actor registered lirunex[.]tech, mimicking the legitimate payment platform lirnunex.com, and launched an evasive attack....
    In March and April 2026, threat actor TA4922 significantly increased its operational tempo. The team identified a series of campaigns demonstrating a major evolution in the actor's malware tooling. The attacker relied primarily on human resources and business-themed lures to target victims....
    The threat actor gains initial access through vishing attacks, impersonating internal IT staff to trick victims into entering their credentials and MFA codes on phishing pages. Once access is obtained, the actor quickly identifies and exfiltrates sensitive data from cloud services such as SharePoint and OneDrive, a tactic commonly observed among Com-affiliated groups....
    This research analyzes a ClickFix campaign leveraging the spoofed licensing-themed website canndelta.com to deliver the PureLogs stealer through malicious PowerShell commands. The attack uses Donut shellcode, fileless execution, RWX memory allocation, and in-memory .NET assembly loading to evade detection....
    Gamaredon, a Russian APT (Advanced Persistent Threat) group operated by the FSB, continues to conduct long-term cyberespionage campaigns targeting Ukrainian government, military, and critical infrastructure organizations....
    In late April 2026, we were retained for incident response after a client detected unauthorized cryptocurrency miners on user workstations. Our investigation revealed the malware was delivered through illicit movie and TV streaming platforms using a deceptive video player plugin update....
    Pervasive SSH tunnel activity from 2025 persisted into 2026, targeting Russian and Belarusian entities. The cyberespionage group Cloud Atlas, active since 2014, is behind some of these attacks. Recent investigations revealed new tools and indicators of compromise linked to the group. They have resumed using malicious shortcut archives to launch PowerShell scripts....
    An Iran-linked APT group known as Screening Serpens conducted targeted cyberespionage campaigns against organizations in the U.S., Israel, the UAE, and other Middle Eastern regions during early 2026....