PowMix Botnet Targets Czech Workforce with Randomized Command-and-Control Traffic
Key Findings
* PowMix botnet has been actively targeting Czech workforce since at least December 2025 with previously undocumented malware
* Campaign uses randomized C2 beaconing intervals and encrypted heartbeat data embedded in REST API-mimicking URLs to evade detection
* Multi-stage attack chain initiated via phishing emails containing malicious ZIP files with Windows Shortcut (LNK) files
* PowerShell loader employs AMSI bypass techniques to execute botnet payload directly in memo
5 hours ago · 4 min read
n8n Webhooks Exploited Since October 2025 in Malware Distribution Campaign
Key Findings
* Threat actors have weaponized n8n webhooks since October 2025 to deliver malware and fingerprint devices through phishing campaigns
* Malicious emails containing n8n webhook URLs appear legitimate because they originate from trusted n8n domains
* Email volume containing these URLs increased 686% from January 2025 to March 2026
* Two primary attack methods observed: malware delivery via fake document links and device fingerprinting using invisible tracking pixels
* Attack
1 day ago · 2 min read
Mirax Malware Campaign Compromises 220,000 Accounts With Complete Remote Access Capabilities
Key Findings
* Mirax, a new Android RAT, infected over 220,000 users primarily in Spanish-speaking regions through Meta platform advertisements
* The malware grants attackers full remote control of devices and converts them into SOCKS5 residential proxies for routing malicious traffic
* Distribution uses a multi-stage attack combining phishing sites, fake streaming apps, and GitHub-hosted droppers with strong obfuscation
* Mirax operates as an exclusive malware-as-a-service limited t
1 day ago · 3 min read
JanelaRAT: Financial Malware Targeting Latin American Banks with Thousands of Attacks in 2025
Key Findings
* JanelaRAT is a modified BX RAT variant targeting financial institutions across Latin America, with 14,739 recorded attacks in Brazil and 11,695 in Mexico during 2025
* The malware uses a custom title bar detection mechanism to identify banking websites and execute fraudulent actions in real-time
* Initial infection relies on phishing emails mimicking invoice notifications, leading to multi-stage infection chains using MSI installers and DLL side-loading
* Recent campai
3 days ago · 3 min read
AITM Phishing Campaign Targets TikTok Business Accounts with Cloudflare Evasion Tactics
Key Findings
* Push Security identified a new AITM phishing campaign targeting TikTok for Business accounts to hijack them for malvertising and fraud
* Attackers use fake TikTok and Google-themed pages with Cloudflare Turnstile bot protection to bypass security scanners
* Newly registered domains are created rapidly and hosted behind Cloudflare, making them difficult to track
* Compromised accounts are used for malvertising, credential theft, malware distribution, and ad fraud
* Many u
Mar 27 · 2 min read
Ghost Campaign: Malicious npm Packages Target Crypto Wallets and Credentials Through Deceptive Installation Methods
Key Findings
* Seven malicious npm packages tracked as "Ghost campaign" designed to steal cryptocurrency wallets and credentials
* Packages use sophisticated social engineering tactics including fake installation logs and sudo password phishing
* Attack chain culminates in remote access trojan capable of harvesting sensitive data and awaiting attacker commands
* Activity shares overlap with GhostClaw campaign, suggesting possible connection between threat actors
* Packages published un
Mar 25 · 3 min read
Fake Resumes and Malicious npm Packages: New Attack Vector Targeting Enterprise Credentials and Crypto Assets
Key Findings
* Campaign named FAUX#ELEVATE targets French-speaking corporate environments using fake resume documents delivered via phishing emails
* Heavily obfuscated VBScript files contain only 266 lines of executable code out of 224,471 total lines, with the rest being junk comments to evade detection
* Attack completes full infection chain in approximately 25 seconds, from initial execution through credential exfiltration
* Malware exclusively targets domain-joined enterprise ma
Mar 24 · 3 min read
Russian Intelligence Suspected in WhatsApp and Signal Phishing Campaign Targeting Mass Users
Key Findings
* Russian Intelligence Services-linked actors are conducting phishing campaigns targeting Signal and WhatsApp accounts of high-value targets including U.S. government officials, military personnel, politicians, and journalists
* Thousands of accounts have already been compromised worldwide through these operations
* Attackers bypass encryption by hijacking accounts rather than breaking encryption itself, using phishing to trick users into sharing verification codes or
Mar 22 · 3 min read
FBI Warns: Russian Hackers Targeting Secure Messaging Apps
Key Findings
* Russian-aligned hackers targeting commercial messaging apps
* Phishing campaigns compromising thousands of high-value accounts
* Attacks do not break encryption, but exploit social engineering
* Targets include government officials, military personnel, journalists
* Methods involve tricking users into sharing verification codes or clicking malicious links
Background
Russian state-affiliated threat actors are conducting sophisticated phishing campaigns against p
Mar 22 · 1 min read
New .NET AOT Malware Conceals Code in Stealthy Black Box Architecture
Key Findings
* New .NET AOT malware campaign discovered by Howler Cell researchers
* Uses Ahead-of-Time (AOT) compilation to evade standard security detection
* Multi-stage attack with sophisticated evasion techniques
* Targets individual systems through phishing emails
* Employs complex scoring system to determine victim validity
Background
The emergence of this malware represents a sophisticated evolution in cyberthreat techniques. Traditional malware detection relies on an
Mar 19 · 1 min read
Cloudflare Human Check Exploited by Hackers to Conceal Microsoft 365 Phishing Sites
Key Findings
* Attackers are exploiting Cloudflare's human verification system to hide phishing pages
* Custom virtual machine function used to obfuscate malicious code
* Targets Microsoft 365 login credentials
* Employs sophisticated evasion techniques against security scanners
* Uses location-based filtering to block security researchers
Background
Cybercriminals have developed an innovative method of hiding phishing websites by leveraging Cloudflare's Turnstile verificatio
Mar 13 · 2 min read
Microsoft Warns of ClickFix Using Windows Terminal to Distribute Lumma Stealer
Key Findings: Microsoft Defender experts uncovered a widespread ClickFix campaign exploiting Windows Terminal to deliver Lumma Stealer malware. The campaign instructs targets to use the Windows + X → I shortcut to launch Windows Terminal (wt.exe) directly, bypassing Run-dialog detections. Attackers guide users to paste malicious PowerShell commands from fake CAPTCHAs, troubleshooting prompts, or verification-style lures. The malicious payload downloads and executes a multi-st
Mar 6 · 2 min read
Dust Specter APT Targets Iraqi Government Officials with New AI-Assisted Malware
Key Findings Suspected Iran-nexus threat actor, tracked as "Dust Specter", targeted Iraqi government officials in a campaign observed in January 2026. The threat actor used phishing emails impersonating Iraq's Ministry of Foreign Affairs to deliver previously undocumented malware families, including SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. The attacks involved two different infection chains, one using a password-protected RAR archive and another consolidating the same fu
Mar 6 · 2 min read
Europol-Led Operation Disrupts Tycoon 2FA Phishing Scheme Linked to Thousands of Attacks
Key Findings Tycoon 2FA, a prominent Phishing-as-a-Service (PhaaS) platform, was dismantled by a coalition of law enforcement agencies and security companies led by Europol. The subscription-based phishing kit, which emerged in August 2023, was described as one of the largest phishing operations worldwide. Tycoon 2FA's primary developer is alleged to be Saad Fridi, who is said to be based in Pakistan. The platform enabled thousands of cybercriminals to covertly access email a
Mar 6 · 2 min read
APT28-Linked Campaign Targets Ukraine with Malware Threats
Key Findings: A new Russian cyber campaign has targeted Ukrainian entities with two previously undocumented malware families named BadPaw and MeowMeow. The campaign has been attributed with moderate confidence to the Russian state-sponsored threat actor known as APT28. The attack chain initiates with a phishing email containing a link to a ZIP archive, which leads to the deployment of a .NET-based loader called BadPaw and a sophisticated backdoor called MeowMeow. Background T
Mar 5 · 2 min read
Malware Attacks: Russian APT Targets Ukraine with BadPaw and MeowMeow
Key Findings Researchers uncovered a Russian campaign targeting Ukrainian entities with new malware families BadPaw and MeowMeow delivered through phishing emails. The attack chain begins with a phishing email carrying a link to a ZIP archive. When opened, an HTA file displays a Ukrainian-language lure about border crossing appeals while secretly launching the infection chain. The malware uses the .NET Reactor packer to make analysis and reverse engineering harder, showing th
Mar 5 · 2 min read
Silver Dragon: APT41-Linked Threat Targeting Governments with Cobalt Strike and Google Drive C2
Key Findings Silver Dragon, an APT group linked to APT41, has been targeting government entities in Europe and Southeast Asia since mid-2024. The group gains initial access by exploiting public-facing internet servers and delivering phishing emails with malicious attachments. Silver Dragon uses techniques like Cobalt Strike beacons and DNS tunneling for persistence and command-and-control (C2) communication. The group employs multiple infection chains, including AppDomain hij
Mar 4 · 2 min read
Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication
Key Findings: Cybersecurity researchers have disclosed details of a new phishing suite called Starkiller that proxies legitimate login pages to bypass multi-factor authentication (MFA) protections. Starkiller is advertised as a cybercrime platform by a threat group calling itself Jinkusu, granting customers access to a dashboard to impersonate brands or enter a brand's real URL. The platform lets users choose custom keywords and integrates URL shorteners to obscure the destin
Mar 3 · 3 min read
Germany Warns of Signal Phishing Attacks Targeting Politicians, Military, Journalists
Key Findings: German security agencies BfV and BSI have issued a joint advisory warning of a malicious cyber campaign targeting high-ranking individuals in politics, military, diplomacy, and investigative journalism in Germany and Europe. The campaign involves phishing attacks over the Signal messaging app, aiming to gain unauthorized access to victims' accounts and compromise their confidential communications. The attacks do not involve malware or technical vulnerabilities,
Feb 7 · 2 min read
I'm Locked In: A Tale of Unexpected Confinement
Key Findings Exploitation of public-facing applications remained the top method of initial access, though it declined from 62% to about 40% of engagements. Phishing was the second-most common tactic, notably targeting Native American tribal organizations, and credential harvesting often led to further internal attacks. Ransomware incidents continued to fall, making up only 13% of cases, with Qilin ransomware still dominant. Background Cisco Talos Incident Response's report fo
Jan 29 · 2 min read
