Threat Research

Between late February and March 2026, TeamPCP launched a calculated series of escalating supply chain attacks. They compromised trusted open-source security tools like Trivy, KICS, and the AI gateway LiteLLM. The campaign also targeted the official Python SDK of Telnyx. Malicious infostealer payloads were injected into GitHub Actions and PyPI registries....

A targeted campaign is using phishing emails with fake resume (CV) attachments to infect French-speaking corporate environments with heavily obfuscated VBScript malware....

Threat actors distributed fake OpenClaw installers through malicious GitHub repositories to infect users with information stealers and the GhostSocks proxy malware. The campaign used a custom Stealth Packer to evade detection and targeted users searching for OpenClaw installers on Windows and macOS....

CRESCENTHARVEST is a targeted cyberespionage campaign using protest-themed lures to infect Farsi-speaking individuals with malicious .LNK files disguised as media content. The malware, deployed via DLL sideloading with a signed Google executable, acts as a remote access trojan and information stealer capable of keylogging, command execution, and data exfiltration....

GuLoader (also known as CloudEye) is a highly obfuscated malware family first identified in December 2019. It primarily functions as a downloader for Remote Access Trojans (RATs) and information stealers. Threat actors often host its payloads on legitimate platforms like Google Drive and OneDrive to evade detection....

Labz identified Marco Stealer in June 2025 as an information stealer targeting browser data, crypto wallets, and sensitive local and cloud files. It profiles infected systems by collecting hardware IDs, OS versions, IP addresses, and geolocation details. The malware uses named pipes to coordinate communication between its internal components....

Rublevka Team is a large-scale, affiliate-driven crypto-theft operation active since 2023 that has generated over $10 million by luring victims with fake promotions or airdrops and tricking them into signing wallet-draining transactions....

A software supply chain attack targeted users of EmEditor by distributing a compromised installer that delivered multistage information-stealing malware. The malicious installer enabled credential theft, data exfiltration, and lateral movement, while delaying execution of malicious behavior to evade early detection....

A short-lived infostealer campaign active in mid-January 2026 targeted users through spoofed software installers packaged in consistently structured ZIP archives. The operation is identifiable by a unique behavioral hash and abuses a trusted executable to sideload a malicious payload, ultimately executing secondary-stage infostealers....

Evelyn Stealer is a multistage information-stealing campaign that abuses the Visual Studio Code extension ecosystem to compromise software developers....