ALL POSTS
Red Menshen APT Deploys Stealthy BPFDoor Implants Across Telecom Networks for Surveillance Operations
Key Findings
* China-linked threat actor Red Menshen has maintained a long-term espionage campaign targeting telecom networks in the Middle East and Asia since at least 2021
* The group deploys BPFDoor, a kernel-level Linux backdoor that operates as a "digital sleeper cell" with no visible listening ports or command-and-control beaconing
* BPFDoor inspects network traffic inside the kernel using Berkeley Packet Filter functionality, activating only when receiving a specially crafte
Mar 27 · 4 min read
Triangulation Operation: the framework known as Coruna
Key Findings
* Coruna iOS exploit kit uses an updated version of the kernel exploit from Operation Triangulation, a sophisticated 2023 iOS APT campaign
* The exploit kit includes five full exploit chains and 23 total exploits, targeting iOS 13.0 through 17.2.1
* Coruna contains four additional kernel exploits not seen in Triangulation, two developed after the original campaign's discovery
* Code analysis reveals Coruna was designed with unified architecture rather than patchworked co
Mar 26 · 4 min read
Beers with Talos: 2025 Year in Review - Speed, Scale, and Staying Power
Key Findings
* Exploitation velocity doubled in 2025, with new vulnerabilities weaponized within days while decade-old CVEs remain reliably exploited
* Identity systems became the primary attack surface, with compromised credentials enabling stealthy lateral movement and environment-wide control
* Approximately 25% of top exploited vulnerabilities targeted shared frameworks and libraries, amplifying blast radius across industries
* APT investigations and ransomware operations increas
Mar 23 · 2 min read
APT Linked to Russia Uses DRILLAPP Backdoor to Spy on Ukrainian Targets
Key Findings
* Russia-linked APT group targets Ukrainian organizations using DRILLAPP backdoor
* Utilizes Microsoft Edge debugging to evade detection
* Two campaign variants observed in February 2026
* Capability to access file systems, microphone, camera, and screen recordings
* Linked to Laundry Bear (UAC-0190/Void Blizzard) APT group
Background
The DRILLAPP backdoor campaign represents a sophisticated cyber espionage effort targeting Ukrainian entities. Attributed to a Rus
Mar 16 · 2 min read
Dindoor Malware Targets U.S. Networks in New MuddyWater Campaign
Key Findings
* Iran-linked MuddyWater (aka SeedWorm) APT group targeted U.S. organizations, including banks, airports, nonprofits, and a software supplier to the defense and aerospace sectors
* The group deployed a previously unknown backdoor called Dindoor, which leverages the Deno JavaScript runtime for execution
* An attempt was made to exfiltrate data from the targeted software company using the Rclone utility to a Wasabi cloud storage bucket
* A separate Python backdoor called F
Mar 6 · 2 min read
Dust Specter APT Targets Iraqi Government Officials with New AI-Assisted Malware
Key Findings
Suspected Iran-nexus threat actor, tracked as "Dust Specter", targeted Iraqi government officials in a campaign observed in January 2026. The threat actor used phishing emails impersonating Iraq's Ministry of Foreign Affairs to deliver previously undocumented malware families, including SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. The attacks involved two different infection chains, one using a password-protected RAR archive and another consolidating the same fu
Mar 6 · 2 min read
Malware Attacks: Russian APT Targets Ukraine with BadPaw and MeowMeow
Key Findings
Researchers uncovered a Russian campaign targeting Ukrainian entities with new malware families BadPaw and MeowMeow delivered through phishing emails. The attack chain begins with a phishing email carrying a link to a ZIP archive. When opened, an HTA file displays a Ukrainian-language lure about border crossing appeals while secretly launching the infection chain. The malware uses the .NET Reactor packer to make analysis and reverse engineering harder, showing th
Mar 5 · 2 min read
Google GTIG Disrupts China-Linked APT UNC2814, Halting Attacks on 53 Orgs in 42 Countries
Key Findings
* Google Threat Intelligence Group (GTIG), Mandiant, and partners disrupted a global espionage campaign by UNC2814, a suspected China-linked cyber espionage group
* UNC2814 had breached at least 53 organizations across 42 countries, primarily targeting telecommunications and government sectors
* The group used a novel backdoor called GRIDTIDE that leveraged legitimate Google Sheets API functions for command-and-control
* GTIG took coordinated action to disrupt UNC2814's
Feb 27 · 2 min read
APT Exploits Dell RecoverPoint Zero-Day Since 2024
Key Findings
A suspected China-linked APT group, UNC6201, has been exploiting a critical zero-day vulnerability in Dell RecoverPoint for Virtual Machines since mid-2024. The vulnerability, tracked as CVE-2026-22769, has a CVSS score of 10.0 and involves hardcoded credentials that can be abused to gain unauthorized access and root-level persistence. The group has used the flaw to move laterally, maintain persistence, and deploy malware including SLAYSTYLE, BRICKSTORM, and a no
Feb 18 · 2 min read
Fancy Bear Returns: APT28 Exploits Office Flaw in "Operation Neusploit"
Key Findings
The notorious Russia-linked threat group APT28 (also known as Fancy Bear) has launched a new campaign dubbed "Operation Neusploit" targeting Central and Eastern Europe. The campaign leverages a recently patched Microsoft Office vulnerability, CVE-2026-21509, to deliver custom backdoors against strategic targets in Ukraine, Slovakia, and Romania. The attack uses specially crafted RTF documents as the initial vector, exploiting the vulnerability to initiate a multi
Feb 3 · 3 min read
Notepad++ Hosting Breach Tied to China's Lotus Blossom Hackers
Key Findings
* The Notepad++ hosting infrastructure was compromised, allowing threat actors to hijack update traffic and deliver a previously undocumented backdoor codenamed Chrysalis
* The attack has been attributed with medium confidence to the China-linked advanced persistent threat (APT) group known as Lotus Blossom (aka Billbug, Bronze Elgin, Lotus Panda, Raspberry Typhoon, Spring Dragon, and Thrip)
* The compromise occurred at the hosting provider level, not due to vulnerabil
Feb 3 · 3 min read
North Korea-Linked APT Exploits Sitecore Zero-Day in Attacks on Asian Critical Infrastructure
Key Findings
A China-linked APT group, tracked as UAT-8837, has been targeting critical infrastructure sectors in North America since at least 2025. The threat actor has recently exploited a critical zero-day vulnerability in Sitecore (CVE-2025-53690, CVSS 9.0) to gain initial access to target networks. After obtaining a foothold, UAT-8837 deploys a range of open-source tools to harvest sensitive information, including credentials, security configurations, and Active Director
Jan 16 · 2 min read
North Korea-Linked Kimsuky APT Group Responsible for Phishing Attacks, FBI Warns
Key Findings
The FBI warns that the North Korea-linked advanced persistent threat (APT) group Kimsuky is targeting governments, think tanks, and academic institutions with "quishing" attacks. Quishing is a social engineering attack that uses malicious QR codes to trick victims into visiting fake websites or downloading malware. Kimsuky has conducted spear-phishing campaigns using QR codes that impersonate trusted figures like foreign advisors, embassy staff, and think tank em
Jan 11 · 2 min read
Iranian Infy APT Resurfaces with New Malware Activity Targeting Various Sectors
Key Findings
* Iranian APT group Infy (aka Prince of Persia) has resurfaced with new malware campaigns after nearly 5 years of dormancy
* The scale of Infy's current activity is significantly larger than previously assessed
* The group has targeted victims across Iran, Iraq, Turkey, India, Canada, and parts of Europe
* Infy's malware arsenal includes updated versions of the Foudre downloader and Tonnerre implant
* Attack chains have evolved from macro-laced documents to embedded execut
Dec 21, 2025 · 2 min read
Amazon Ties Cisco, Citrix Zero-Day Exploits to APT Group
Key Findings
Amazon's threat intelligence team observed an advanced persistent threat group exploiting zero-day vulnerabilities in Cisco Identity Service Engine (ISE) and Citrix NetScaler ADC products before the vendors disclosed and patched the issues. The attacks leveraged the following vulnerabilities:
* CVE-2025-5777 (CVSS score: 9.3) - An insufficient input validation vulnerability in Citrix NetScaler ADC and Gateway that could be exploited to bypass authentication. (Fixed
Nov 12, 2025 · 2 min read
North Korea's KONNI APT Abuses Google Find Hub to Spy and Erase Data
Key Findings
* North Korea-linked Konni APT group posed as psychological counselors and North Korean human rights activists to distribute malware disguised as stress-relief programs via KakaoTalk messenger
* Attackers compromised victims' Google accounts and abused Google's "Find Hub" service to remotely reset Android devices in South Korea, erasing users' personal data
* This is the first known case of a state-sponsored APT group exploiting Find Hub to perform destructive remote w
Nov 12, 2025 · 2 min read