ALL POSTS
Gootloader Malware Employs Massive Concatenated ZIP Archives for Evasion
Key Findings: GootLoader malware is using a malformed ZIP archive with 500-1,000 concatenated ZIP files to evade detection. The malicious ZIP file is designed to trigger parsing errors in many unarchiving tools, but can still be extracted by the default Windows unarchiver. GootLoader employs "hashbusting" techniques by randomizing values in non-critical ZIP file fields to generate unique payloads for each victim. The attack involves delivering the malicious ZIP as an XOR-encoded
Jan 16 · 2 min read
Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts
Key Findings: Cybersecurity researchers have discovered five new malicious Google Chrome web browser extensions that impersonate HR and ERP platforms like Workday, NetSuite, and SuccessFactors. The extensions work together to steal authentication tokens, block incident response capabilities, and enable complete account takeover through session hijacking. All five extensions have been removed from the Chrome Web Store, but are still available on third-party software download si
Jan 16 · 2 min read
North Korea-Linked APT Exploits Sitecore Zero-Day in Attacks on Asian Critical Infrastructure
Key Findings: A China-linked APT group, tracked as UAT-8837, has been targeting critical infrastructure sectors in North America since at least 2025. The threat actor has recently exploited a critical zero-day vulnerability in Sitecore (CVE-2025-53690, CVSS 9.0) to gain initial access to target networks. After obtaining a foothold, UAT-8837 deploys a range of open-source tools to harvest sensitive information, including credentials, security configurations, and Active Director
Jan 16 · 2 min read
North Korea-Linked Kimsuky APT Group Responsible for Phishing Attacks, FBI Warns
Key Findings: The FBI warns that the North Korea-linked advanced persistent threat (APT) group Kimsuky is targeting governments, think tanks, and academic institutions with "quishing" attacks. Quishing is a social engineering attack that uses malicious QR codes to trick victims into visiting fake websites or downloading malware. Kimsuky has conducted spear-phishing campaigns using QR codes that impersonate trusted figures like foreign advisors, embassy staff, and think tank em
Jan 11 · 2 min read
Hackers with China Ties Exploit VMware ESXi Zero-Days to Break Out of Virtual Machines
Key Findings: Chinese-speaking threat actors leveraged a compromised SonicWall VPN appliance as an initial access vector to deploy a VMware ESXi exploit toolkit. The toolkit targeted up to 155 ESXi builds and enabled virtual machine (VM) escape via disabled VMCI drivers and unsigned kernel drivers, potentially paving the way for a ransomware attack. The exploit chain included a sophisticated VM escape and appears to have been developed more than a year before the related VMwa
Jan 9 · 2 min read
China-Linked UAT-7290 Targets Telecom Networks Across Asia and Europe
Key Findings: China-linked threat actor UAT-7290 has conducted espionage attacks since at least 2022, targeting South Asia and Southeastern Europe. UAT-7290 primarily targets telecom providers, conducting espionage by deeply embedding in victim networks and operating Operational Relay Box (ORB) infrastructure. The threat actor uses a broad toolset, including open-source tools, custom malware, and one-day exploits against edge networking devices. Attacks are preceded by extensive
Jan 9 · 2 min read
NodeCordRAT: The Malicious NPM Packages Stealing Crypto via Discord
Key Findings: Researchers from Zscaler ThreatLabz discovered three malicious npm packages that deliver a new Remote Access Trojan (RAT) called NodeCordRAT. The packages - bitcoin-main-lib, bitcoin-lib-js, and bip40 - were designed to mimic legitimate tools from the bitcoinjs project, tricking developers into installing them. NodeCordRAT uses Discord as a command-and-control (C2) channel, blending its malicious traffic with legitimate user activity to evade detection. The malwa
Jan 9 · 3 min read
Astaroth Banking Trojan Spreads Via WhatsApp Worm in Brazil
Key Findings: The Astaroth banking Trojan is spreading in Brazil through a WhatsApp worm that automatically sends malicious messages to victims' contacts. The malware uses a Python-based propagation module to harvest the victim's WhatsApp contacts and automatically forward infected ZIP files, enabling self-spreading capabilities. A separate banking module operates silently in the background, monitoring the victim's browsing activity and stealing credentials when banking-relate
Jan 8 · 2 min read
Russia-Aligned Hackers Exploit Viber to Compromise Ukrainian Military and Government
Key Findings: The Russia-aligned threat actor known as UAC-0184 (also tracked as Hive0156) has been targeting Ukrainian military and government entities by leveraging the Viber messaging platform to deliver malicious ZIP archives. The attack campaign involves using Viber to distribute malicious ZIP files disguised as official Ukrainian parliamentary documents and military casualty data. The ZIP archives contain Windows shortcut (LNK) files posing as Microsoft Word and Excel do
Jan 5 · 2 min read
Kimwolf Android Botnet Infects Over 2 Million Devices
Key Findings: The Kimwolf Android botnet has infected over 2 million devices, primarily through the exploitation of residential proxy networks. The botnet primarily targets low-cost, unofficial Android TV boxes that are left insecure or intentionally configured as proxy nodes. Kimwolf is believed to be an Android variant of the AISURU botnet, with connections to a series of record-setting DDoS attacks. The botnet uses a scanning infrastructure that leverages residential proxie
Jan 5 · 2 min read
VVS Stealer: The Evolving Threat to Discord Credentials
Key Findings: VVS Stealer is a Python-based malware that steals Discord credentials and tokens. It has been sold on Telegram since at least April 2025. The malware uses the source code obfuscator Pyarmor to heavily obfuscate its Python code, hindering analysis and detection. Background: VVS Stealer is marketed on Telegram as the "ultimate stealer" and is sold via subscriptions or licenses, starting at €10 per week up to €199 for lifetime access. The malware can steal Discord data,
Jan 5 · 1 min read
React2Shell Vulnerability Exploited by RondoDox Botnet for Malware and Cryptojacking Attacks
Key Findings: The RondoDox botnet is exploiting the critical React2Shell vulnerability (CVE-2025-55182) to infect vulnerable Next.js servers with malware and cryptominers. The RondoDox botnet has been active since 2024 and has evolved through three phases: reconnaissance and vulnerability testing, automated web application exploitation, and large-scale IoT botnet deployment. The botnet now runs hourly IoT exploitation waves targeting routers from vendors like Linksys and Wavli
Jan 1 · 2 min read
NPM package with 56,000 downloads compromises WhatsApp accounts
Key Findings: An NPM package named 'Lotusbail' with over 56,000 downloads has been stealing WhatsApp credentials and data. The package is a fork of the legitimate 'Baileys' WhatsApp Web API library, making it hard to detect. It intercepts and exfiltrates user credentials, messages, contacts, and media, encrypting the data with custom RSA before sending it to the attacker. The malware also hijacks the WhatsApp device pairing process, secretly linking the attacker's device to the v
Dec 27, 2025 · 2 min read
New MacSync Stealer Targets Mac Devices with Gatekeeper Bypass
Key Findings: A new variant of the MacSync Stealer malware has been discovered, which uses a digitally signed and notarized Swift application to bypass macOS Gatekeeper security checks. The malicious application is distributed via a disk image (DMG) named "zk-call-messenger-installer-3.9.2-lts.dmg" hosted on the "zkcall[.]net/download" website. The application is code-signed and successfully notarized by Apple, giving it a veneer of legitimacy and allowing it to run on macOS w
Dec 24, 2025 · 2 min read
The Hacker - 🛑 Two Chrome extensions were caught intercepting user data from over 170 sites
Key Findings: Two malicious Google Chrome extensions named "Phantom Shuttle" have been discovered secretly stealing user credentials from over 170 websites. The extensions are advertised as a "multi-location network speed test plug-in" for developers and foreign trade personnel. The extensions execute complete traffic interception, operate as man-in-the-middle proxies, and continuously exfiltrate user data to a command-and-control server. Once users make a subscription paymen
Dec 24, 2025 · 2 min read
Fake WhatsApp API Package on npm Steals User Data
Key Findings: A malicious npm package named "lotusbail" has been discovered that poses as a functional WhatsApp API, but actually steals users' messages, contacts, and login tokens. The package has been downloaded over 56,000 times since it was first uploaded in May 2025. The package is designed to capture authentication tokens, session keys, message history, contact lists, media files, and documents, and transmit the stolen data to an attacker-controlled server. The package
Dec 23, 2025 · 2 min read
Kimwolf Android Botnet Infects Millions, Launches DDoS Attacks
Key Findings: The Kimwolf Android botnet has infected over 1.8 million devices globally, primarily targeting TV boxes. It uses advanced techniques like DNS over TLS, elliptic curve digital signatures, and blockchain domains to evade detection. The botnet is capable of massive DDoS attacks, issuing over 1.7 billion commands in a three-day period. Kimwolf shares code with the Aisuru botnet family but has been heavily redesigned to avoid detection. Background: The Kimwolf botnet was f
Dec 21, 2025 · 2 min read
Iranian Infy APT Resurfaces with New Malware Activity Targeting Various Sectors
Key Findings: Iranian APT group Infy (aka Prince of Persia) has resurfaced with new malware campaigns after nearly 5 years of dormancy. The scale of Infy's current activity is significantly larger than previously assessed. The group has targeted victims across Iran, Iraq, Turkey, India, Canada, and parts of Europe. Infy's malware arsenal includes updated versions of the Foudre downloader and Tonnerre implant. Attack chains have evolved from macro-laced documents to embedded execut
Dec 21, 2025 · 2 min read
YouTube Ghost Network: Unraveling the GachiLoader Malware Hiding in Video Links
Key Findings: A massive network of compromised YouTube accounts is being weaponized to spread a sophisticated new threat, turning the popular video platform into a launchpad for data theft. The campaign, dubbed the "YouTube Ghost Network," leverages malicious videos promoting "cracked" software, trainers, or cheats to lure users into downloading a new, heavily obfuscated JavaScript malware loader called GachiLoader. GachiLoader is written in Node.js and deploys a second-stage
Dec 19, 2025 · 2 min read
Frogblight banking Trojan targets Android users in Turkey
Key Findings: In August 2025, Kaspersky researchers discovered a new Android banking Trojan dubbed "Frogblight" targeting individuals in Turkey. The malware initially disguised itself as an app for accessing court case files via an official government webpage, but later adopted more universal disguises like the Chrome browser. Frogblight can use official government websites as an intermediary step to steal banking credentials and has spyware capabilities to collect SMS message
Dec 16, 2025 · 2 min read