Threat Research

The Water Saci campaign in Brazil employs a heavily layered attack chain using multiple file formats—HTA, ZIP, and PDF—to evade simple detection and complicate analysis. Recently, attackers shifted from PowerShell to a Python-based propagation routine, enabling broader browser compatibility, improved error handling, and faster automated malware delivery through WhatsApp Web....

In August 2025, an intrusion targeting an Asian subsidiary of a major European manufacturer was investigated and assessed as likely carried out by the North Korea–linked group UNC2970, aligning with Operation DreamJob. The attack began with a targeted WhatsApp message to a project engineer and used variants of the BURNBOOK loader and MISTPEN backdoor....

Researchers are examining an ongoing, multi-stage malware campaign targeting WhatsApp users in Brazil. First detected on September 24, 2025, the operation—identified as STAC3150—uses archive attachments that contain a downloader script responsible for fetching several second-stage components....

Researchers have discovered a new Android spyware family called LANDFALL. Attackers delivered it through a zero-day flaw (CVE-2025-21042) in Samsung’s image processing library. This issue is part of a broader pattern seen across multiple mobile platforms. The vulnerability was exploited in the wild before Samsung patched it in April 2025....

A global phishing campaign is targeting the hospitality industry, exploiting compromised Booking.com accounts and WhatsApp messages to defraud hotel customers. The attackers gained access to hotel systems through infostealer malware, stealing credentials for booking platforms like Booking.com and Expedia....

The ongoing Water Saci campaign reveals a new attack chain leveraging an email-based C&C infrastructure with multi-vector persistence for enhanced resilience. It employs advanced evasion techniques to avoid analysis and limit activity to specific, intended targets....

The team has detected a surge in Android malware posing as Indian RTO apps, targeting Indian users to steal sensitive data. The malware spreads via WhatsApp and SMS with shortened links redirecting to malicious APKs hosted on GitHub or compromised sites. Once installed, it uses phishing pages to steal banking credentials, UPI PINs, and intercepts SMS with financial data....

SORVEPOTEL has been found spreading across Windows systems, accompanied by a message prompting users to open it on a desktop—indicating that the attackers are likely targeting enterprise environments....