PowMix Botnet Targets Czech Workforce with Randomized Command-and-Control Traffic
Key Findings: PowMix botnet has been actively targeting Czech workforce since at least December 2025 with previously undocumented malware. Campaign uses randomized C2 beaconing intervals and encrypted heartbeat data embedded in REST API-mimicking URLs to evade detection. Multi-stage attack chain initiated via phishing emails containing malicious ZIP files with Windows Shortcut (LNK) files. PowerShell loader employs AMSI bypass techniques to execute botnet payload directly in memo
5 hours ago, 4 min read
North Korean Cyber Espionage Campaign Exploits GitHub to Target South Korean Enterprises
Key Findings: North Korean state-sponsored hackers are running a sophisticated spying campaign against South Korean companies dating back to 2024. Attackers use seemingly harmless LNK shortcut files that trigger hidden PowerShell scripts to steal system data from Windows machines. GitHub repositories are being abused as command and control infrastructure to exfiltrate stolen information while bypassing corporate security systems. The malware evades detection by checking for secur
Apr 4, 3 min read
AI-Powered Slopoly Malware Enables Hive0163's Advanced Ransomware Strategy
Key Findings: Hive0163 uses AI-assisted Slopoly malware for persistent access in ransomware attacks. PowerShell backdoor likely generated using a large language model (LLM). Malware maintains C2 access, collects system data, and executes remote commands. Part of a broader attack framework involving NodeSnake and Interlock RAT. Initial access achieved through social engineering and malvertising. Background: Hive0163 is a financially motivated threat actor specializing in post-comprom
Mar 13, 2 min read
Microsoft Warns of ClickFix Using Windows Terminal to Distribute Lumma Stealer
Key Findings: Microsoft Defender experts uncovered a widespread ClickFix campaign exploiting Windows Terminal to deliver Lumma Stealer malware. The campaign instructs targets to use the Windows + X → I shortcut to launch Windows Terminal (wt.exe) directly, bypassing Run-dialog detections. Attackers guide users to paste malicious PowerShell commands from fake CAPTCHAs, troubleshooting prompts, or verification-style lures. The malicious payload downloads and executes a multi-st
Mar 6, 2 min read
Konni Hackers Target Blockchain Developers with AI-Generated PowerShell Backdoor
Key Findings: The North Korean threat actor Konni has been observed using PowerShell malware generated using artificial intelligence (AI) tools to target developers and engineering teams in the blockchain sector. The phishing campaign has targeted Japan, Australia, and India, highlighting the adversary's expansion of the targeting scope beyond South Korea, Russia, Ukraine, and European nations. Konni, also tracked as Earth Imp, Opal Sleet, Osmium, TA406, and Vedalia, has been
Jan 26, 3 min read
JS#SMUGGLER Campaign Exploits Compromised Websites to Distribute NetSupport RAT
Key Findings: Securonix researchers discovered a new malware campaign dubbed JS#SMUGGLER that delivers the powerful NetSupport RAT through compromised websites. The attack is designed in three stages to evade detection, starting with an obfuscated JavaScript loader, followed by a hidden HTML Application (HTA) and a final PowerShell payload that downloads and executes the NetSupport RAT. The multi-layered tactics, including encryption, compression, and in-memory execution, indi
Dec 8, 2025, 2 min read