ALL POSTS

Key Findings The Notepad++ hosting infrastructure was compromised, allowing threat actors to hijack update traffic and deliver a previously undocumented backdoor codenamed Chrysalis The attack has been attributed with medium confidence to the China-linked advanced persistent threat (APT) group known as Lotus Blossom (aka Billbug, Bronze Elgin, Lotus Panda, Raspberry Typhoon, Spring Dragon, and Thrip) The compromise occurred at the hosting provider level, not due to vulnerabil

Key Findings China-based espionage group Lotus Blossom compromised the internal systems of Notepad++, a popular open-source code editor, for nearly six months starting in June 2025. The group deployed various payloads, including a custom backdoor, to selectively spy on a limited set of Notepad++ users' activities. The campaign showcased resilience and stealth tradecraft, but did not result in a mass compromise of all Notepad++ users. The attackers exploited "insufficient upda

Key Findings North Korean threat actors associated with the "Contagious Interview" campaign have been observed using malicious Microsoft Visual Studio Code (VS Code) projects as lures to deliver a backdoor on compromised endpoints. The attack involves instructing targets to clone a repository on GitHub, GitLab, or Bitbucket, and launch the project in VS Code as part of a supposed job assessment. The malicious VS Code task configuration files are used to execute payloads, incl

Key Findings China-linked advanced persistent threat (APT) group Evasive Panda (also known as Bronze Highland, Daggerfly, and StormBamboo) conducted a cyber espionage campaign targeting victims in Türkiye, China, and India. The group used adversary-in-the-middle (AitM) attacks and DNS poisoning techniques to deliver its signature MgBot backdoor. The attackers leveraged lures that masqueraded as updates for third-party software, such as SohuVA, Baidu's iQIYI Video, IObit Smart

Key Findings Elastic Security Labs has uncovered a sophisticated new Windows backdoor called NANOREMOTE that leverages the Google Drive API for covert command-and-control (C2) and data exfiltration operations. NANOREMOTE employs legitimate cloud services to blend its malicious traffic with normal network activity, making it extremely difficult for traditional security tools to detect. The malware uses OAuth 2.0 tokens to authenticate with Google's servers and create a covert

Key Findings Trend Micro's AI-driven threat hunting pipeline discovered a previously unknown and undetectable Linux backdoor called "GhostPenguin" GhostPenguin had zero detections on VirusTotal for over four months before being identified The sophisticated, multi-threaded backdoor is written in C++ and uses RC5-encrypted UDP for covert Command and Control (C2) communications Background GhostPenguin was first submitted to VirusTotal on July 7, 2025, but remained completely inv

Key Findings The Iranian hacking group known as MuddyWater has been observed deploying a new backdoor called UDPGangster that uses the User Datagram Protocol (UDP) for command-and-control (C2) communication. The cyber espionage activity targeted users in Turkey, Israel, and Azerbaijan. The attack chain involves using spear-phishing tactics to distribute booby-trapped Microsoft Word documents that trigger the execution of a malicious payload once macros are enabled. UDPGangste

Key Findings: Cybersecurity agencies in the US and Canada have issued an alert about a new malware called BRICKSTORM, believed to be used by state-sponsored hackers from China. BRICKSTORM is a backdoor that gives attackers stealthy access and control over targeted systems, primarily focusing on VMware vSphere platforms. The hackers have been observed targeting organizations in the Government Services, Facilities, and Information Technology sectors. The malware uses advanced t