ALL POSTS
Chinese hackers exploited a Dell zero-day for 18 months before Dell patched it
Key Findings: Chinese state-sponsored hackers, suspected to be part of the UNC6201 group, have been exploiting a zero-day vulnerability in Dell RecoverPoint for Virtual Machines since mid-2024. The vulnerability, CVE-2026-22769, has a CVSS score of 10/10 and allows unauthenticated remote attackers to gain full system access with root-level persistence. The hackers have been using a hardcoded administrator password, pulled from Apache Tomcat, to trigger the vulnerability for at
2 days ago · 2 min read
North Korean Hackers Release Updated OtterCookie Malware via Malicious npm Packages
Key Findings: North Korean threat actors behind the Contagious Interview campaign have flooded the npm registry with 197 more malicious packages since last month. These packages have been downloaded over 31,000 times and are designed to deliver a variant of OtterCookie malware. The malware attempts to evade sandboxes and virtual machines, profiles the machine, and establishes a command-and-control (C2) channel to provide the attackers with remote shell access and capabilities to
Nov 29, 2025 · 2 min read
North Korean Hackers Weaponize JSON Services for Malware Distribution
Key Findings: North Korean threat actors behind the Contagious Interview campaign have adopted a new tactic of using JSON storage services to host and deliver malware. The campaign involves approaching targets on professional networking sites under the pretext of a job assessment or project collaboration, instructing them to download a demo project hosted on platforms like GitHub, GitLab, or Bitbucket. In one such project, a file named "server/config/.config.env" contains a Ba
Nov 15, 2025 · 2 min read
China-Linked Hackers Target U.S. Entities in Long-Term Espionage Campaigns
Key Findings: China-linked hackers targeted a U.S. non-profit organization in a long-term espionage campaign. The group gained access to the network for several weeks in April 2025 and used various techniques to establish persistence and maintain long-term access. The attackers leveraged DLL sideloading via the vetysafe.exe application, a tactic commonly associated with China-linked APT groups such as Space Pirates, Kelp, and Earth Longzhi (a subgroup of APT41). The group also
Nov 8, 2025 · 2 min read
Zoom Accuses State-Sponsored Hackers of Recent Cybersecurity Incident
Background: In September 2025, SonicWall, a cybersecurity firm, disclosed a security breach that exposed firewall configuration files tied to MySonicWall accounts. The company initially claimed that less than 5% of customers were impacted, and no files were leaked. However, in October, SonicWall confirmed that threat actors had accessed the preference files of all firewalls using its MySonicWall cloud backup service. Key Findings: The stolen files contained encrypted credential
Nov 6, 2025 · 2 min read
U.S. Imposes Sanctions on North Korean Entities for Cryptocurrency Laundering and IT Fraud
Background: The U.S. Treasury Department on Tuesday imposed sanctions against eight individuals and two entities within North Korea's global financial network. The sanctions are for laundering money for various illicit schemes, including cybercrime and information technology (IT) worker fraud. The Treasury stated that "North Korean state-sponsored hackers steal and launder money to fund the regime's nuclear weapons program." Sanctioned Individuals and Entities: Jang Kuk Chol (J
Nov 5, 2025 · 2 min read