Total Collection: 7537 Threat Research (auto update every day)
Last Threat Research
-
Technical Analysis of MLTBackdoor

Zscaler ThreatLabz identified MLTBackdoor in May 2026 as a new malware family likely used by a ransomware-related threat actor, delivered through a multi-stage ClickFix chain and designed for post-exploitation with expandable BOF support. It uses heavy MBA and CFF obfuscation, indirect system calls, DGA-backed C2 such as hrs2y15sungu[.]com and cwrtwright[.]com, and encrypted TLS communications to evade analysis and maintain access. #MLTBackdoor #ClickFix #BeaconObjectFiles #hrs2y15sungu[.]com #cwrtwright[.]com
-
Phishing Attacks Leverage TikTok, Instagram Reels

ReversingLabs documented two short-form video phishing campaigns on TikTok and Instagram Reels that lure users with promises of free premium software and then redirect them to attacker-controlled sites. One campaign delivers Vidarstealer through a fake Spotify Premium tutorial, while the other uses engagement bait and comment replies to push victims toward dubious download pages. #Vidarstealer #TikTok #InstagramReels #SpotifyPremium
-
Phishing for Lobsters: How We Tricked OpenClaw into Spilling Secrets

Varonis Threat Labs showed that an OpenClaw AI agent named Pinchy could be tricked by believable phishing emails into forwarding AWS IAM keys, database passwords, SSH credentials, and a customer export, while also demonstrating mixed defenses against phishing links and OAuth abuse. The research found that social-engineering attacks against AI agents…
-
Legacy Meets Modern: Breaking AD Through NIS & MFA Infrastructure

The Duo Auth Proxy was shown to be forwarding live Active Directory authentication requests, and packet capture plus a recovered RADIUS shared secret allowed the authentication exchanges to be decrypted. This exposed cleartext credentials and revealed that MFA through the Duo Auth Proxy could be abused as a mechanism for password theft rather than a defense, while user group analysis highlighted a developer account with broad development-related AD memberships. #DuoAuthProxy #RADIUS #ActiveDirectory #MFA
-
Mini Shai-Hulud, Miasma, and Hades Worms Target Bioinformatics and MCP Developers via Malicious PyPI Wheels

Socket Threat Research identified 23 new PyPI artifacts tied to the broader Mini Shai-Hulud, Miasma, and Hades supply chain attacks, bringing the tracker to 471 affected artifacts across npm and PyPI. The new wave changes delivery methods with malicious .pth hooks, trojanized .abi3.so extensions, and a langchain-core-mcp loader that searches sys.path for _index.js while the payload steals developer and CI/CD secrets after running through Bun. #MiniShaiHulud #Miasma #Hades #langchaincoremcp #embiggen #ensmallen #gpsea #pyphetools
-
Old WinRAR Flaw Fuels Attacks on Ukraine: How Unmanaged Software Keeps the Door Open

Two Russia-aligned campaigns are still exploiting CVE-2025-8088 in WinRAR against Ukrainian organizations long after the patch, using decoy archives to silently drop payloads and steal data. SHADOW-EARTH-066 delivers the evolved GIFTEDCROOK stealer while Earth Dahu uses an HTA-based espionage chain, underscoring how unmanaged software keeps the same entry point open. #CVE-2025-8088…
-
Don’t Fear the Repo: UNK_DeadDrop Phishing Campaign Targets Developers to Steal Cryptocurrency

Proofpoint tracked UNK_DeadDrop, a likely North Korea-aligned phishing cluster that used recruiter and code-review lures to target developers across nearly 100 organizations and delivered malicious GitHub/GitLab repositories with cross-platform payloads. The campaigns abused VS Code and Cursor task automation plus malicious VSIX extensions to steal cryptocurrency wallets and credentials on macOS,…
-
PulseRAT – Google Sheets-based RAT Using UAE-India Partnership Lure

An ISO titled UAE-India_Strategic_Partnership_Week.iso was uploaded from the UAE and delivers a new .NET RAT that the author temporarily calls PulseRAT through a dropper and LNK-based execution chain. The malware persists as WindowsVaultSyncService, disguises itself as Windows system software, and uses a Google Sheets spreadsheet for command-and-control while also sharing artifacts that may link to a host named desktop-526nitv. #PulseRAT #WindowsVaultSyncService #desktop-526nitv #UAE-India_Strategic_Partnership_Week.iso
-
Shai-Hulud Descends to Hades: Miasma Worm Campaign Spreads with New PyPI Wave

Socket identified a coordinated PyPI supply-chain compromise with 37 malicious wheel artifacts across 19 packages, using a *-setup.pth startup hook to launch a Bun-based JavaScript stealer named _index.js. The campaign is a PyPI branch of the Shai-Hulud/Miasma lineage that steals developer and CI/CD secrets, exfiltrates to GitHub, and uses markers such as Hades – The End for the Damned. #PyPI #ShaiHulud #Miasma #Bun #Hades
-
Backup operations at scale: Turning “green” indicators into recovery readiness

Acronis Cyber Protect H2 2025 telemetry shows that backup jobs can succeed while still finishing too late, with tail latency and queued runtimes eroding real recovery readiness. Deep MSP tenant nesting also drives a sharp rise in failures, making governance, restore testing, and success-in-window measurement critical for resilience. #AcronisCyberProtect #CISA #Microsoft #AzureArchitectureCenter #AWS
-
Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257

Palo Alto Networks Unit 42 reported active exploitation of CVE-2026-0257 against PAN-OS GlobalProtect portal and gateway components by an unidentified threat actor attempting to establish VPN connections. The advisory urges defenders to hunt for listed IP addresses, suspicious host identifiers, and PoC-related client values, while applying mitigations or upgrading to a…
-
Seeking Counsel: Ongoing Targeted Campaign Against US Law Firms

Mandiant reported that UNC3753, also known as Luna Moth, Chatty Spider, and Silent Ransom Group, ran a fast-moving data theft extortion campaign against U.S. professional, legal, and financial services organizations by using vishing, screen-sharing, RMM tools, and sometimes physical office access. The group stole sensitive data such as legal agreements, PII, and financial records, then used extortion emails and the LEAKEDDATA site to pressure victims into paying. #UNC3753 #LunaMoth #ChattySpider #SilentRansomGroup #LEAKEDDATA
-
VerdantBamboo: Just Another BRICKSTORM in the Firewall

Volexity investigated a long-running compromise of an Egnyte Storage Sync appliance and the victim’s MSP, attributing the activity to VerdantBamboo (WARP PANDA, UNC5221) and the BRICKSTORM backdoor. The campaign also involved two previously undocumented malware families, AGENTPSD and PLENET, used to maintain access, pivot into Microsoft 365, and persist on Linux and BSD appliances. #VerdantBamboo #WARP_PANDA #UNC5221 #BRICKSTORM #AGENTPSD #PLENET #Egnyte #pfSense #Synology #Microsoft365
-
Dark Web Profile: Vect Ransomware

Vect emerged rapidly after its December 31, 2025 debut, publishing 25 victims, recruiting affiliates through BreachForums, and linking its operations to TeamPCP supply chain compromises and the Devman ecosystem. Its broken ChaCha20-based locker, aggressive defense evasion, and broad propagation across Windows, Linux, and VMware ESXi make it functionally similar to a wiper in many cases. #Vect #BreachForums #TeamPCP #Devman #Trivy #CheckmarxKICS #LiteLLM #Telnyx
-
Agentic threat actor hits the orchestration plane: AI agent-driven container escape

Sysdig TRT observed an agentic threat actor exploiting CVE-2026-39987 in a marimo notebook to automate container escape, host breakout, and Kubernetes secret theft without human interaction. The operation used a mounted Docker socket, nsenter, and Kubernetes service-account replay to dump host credentials and the cluster Secret store. #CVE-2026-39987 #marimo #SysdigTRT #nsenter #DockerSocket #Kubernetes
-
ClickFix Is Now Hiring: From Job Platform Impersonation to Python-Based RAT Delivery

LevelBlue’s CTI team analyzed a new ClickFix campaign that uses typosquatted LinkedIn and Indeed pages, the Finger protocol, and legitimate Windows utilities to deliver CastleLoader and a Python-based RAT. The operation relies on fileless execution, encrypted C2 traffic, and WebSocket-based control to stage payloads, evade defenses, and maintain persistence. #ClickFix #LinkedIn #Indeed #Finger #CastleLoader #kevinnotanother.com
-
Phishing Campaign Deploys JavaScript-Driven PureLogs Variant to Steal Sensitive Data

FortiGuard Labs identified a phishing campaign that delivers a PureLogs variant through a fake purchase-order email carrying a malicious RAR archive and JavaScript file. The attack chain uses PowerShell, process hollowing, and a downloader to load an in-memory plugin that steals browser, Discord, crypto wallet, and application data from Windows systems. #PureLogs #FortiGuardLabs #MsBuild.exe #Discord #MicrosoftEdge #FileZilla
-
Inside the Cross-Platform Propagation of a New Gafgyt Variant C0XMO

FortiGuard Labs analyzed C0XMO, a modular Gafgyt botnet variant that exploits CVE-2021-27137 on vulnerable DD-WRT routers and uses a separate Python scanner to expand infections across Linux and IoT devices. The malware adds persistence, kills competing botnets, performs a custom C2 handshake, and supports many DDoS and exploitation capabilities targeting services such as Telnet, SSH, UPnP, ADB, and multiple HTTP vulnerabilities. #C0XMO #Gafgyt #CVE-2021-27137 #DDWRT
-
Inside the Latest Chaotic-Eclipse Releases: Mini-Plasma, GreenPlasma, and YellowKey

In May 2026, Chaotic Eclipse disclosed three Windows zero-days—YellowKey, GreenPlasma, and MiniPlasma—with PoCs published days after Microsoft’s Patch Tuesday to delay a fix window. YellowKey bypasses BitLocker through WinRE, while GreenPlasma and MiniPlasma achieve SYSTEM privileges by abusing Windows Cloud Files and related trust relationships. #YellowKey #GreenPlasma #MiniPlasma #ChaoticEclipse
-
FSB’s matryoshka #2/3 – Gamaredon’s gifts that keeps unpacking – GammaLoad

Sekoia.io’s investigation details how Gamaredon, an FSB-linked intrusion set targeting Ukraine, uses a multi-stage GammaLoad chain to maintain stealthy, persistent access through loaders, droppers, and registry-cached C2 configuration. The report shows the group abusing trusted services like Telegram, Telegraph, Cloudflare, and Check-Host to retrieve payloads and ultimately deliver GammaSteel. #Gamaredon #GammaLoad #GammaSteel #Sekoiaio #Telegram #Cloudflare #CheckHost
Reference for Threat Research
This Threat Research category section will FILTER and FETCH posts (analysis reports only) from the following sites:
- asec.ahnlab.com
- any.run/cybersecurity-blog/
- attackiq.com
- bitdefender.com/blog/labs/
- cadosecurity.com/blog/
- cisa.gov/news-events/cybersecurity-advisories/
- crowdstrike.com/blog/
- cybereason.com/blog/category/research/
- darktrace.com/blog/
- fortinet.com/blog/threat-research/
- harfanglab.io/en/insidethelab/
- malwarebytes.com/blog/threat-intelligence/
- mandiant.com/resources/blog/
- mcafee.com/blogs/other-blogs/mcafee-labs/
- proofpoint.com/us/blog
- securelist.com/tag/malware-descriptions/
- securityintelligence.com/category/x-force/threat-intelligence/
- blog.talosintelligence.com
- trendmicro.com/en_us/research/
- unit42.paloaltonetworks.com
- nextron-systems.com/blog/
- team-cymru.com/blog/categories/threat-research/
- zscaler.com/blogs/
- blog.sonicwall.com
- labs.k7computing.com/
- recordedfuture.com/blog
- blog.sekoia.io/category/research-threat-intelligence/
- embee-research.ghost.io
- netspi.com/blog/technical/
- huntress.com/blog
- over 100 other sources
For the sites below, automatic FETCH cannot be performed
(I need to monitor them manually; updates will be delayed 3-7 days)
Below are other references that, for some reason, I'm not fetching automatically
(I need to review the articles manually; updates will be delayed 3-5 days)
- cleafy.com/labs (update 1-2 months)
- guidepointsecurity.com/blog/ > category: threat advisory
- research.openanalysis.net
- blog.phylum.io/tag/research/
- shadowstackre.com/analysis/
- mssplab.github.io
- farghlymal.github.io
- asec.ahnlab.com/ko/
- blog.bushidotoken.net
- kroll.com/en/insights/publications/cyber
- sentinelone.com
- blog.lumen.com
Update
- December, 2024: securonixblog – Fixed (xpath error)
- December, 2024: huntress – Fixed (xpath error)
- December, 2024: nccgroup – Failed (Incapsula)
- December, 2024: Mandiant – Removed (now part of Google Cloud)
- December, 2024: antiy.cn – Failed (curl or xpath error)
- December, 2024: sonicwall.com – Failed (curl error)
- January, 2025: team-cymru.com (RSS Feed Removed)
Update January, 2025
“Due to copyright reasons, starting January 2025, this site will no longer display the full content of sourced articles. Only Summaries, Key Points, MITRE Tactics for Threat Research, and selected IoCs will be provided. To read the full article, please click on the ‘source’ link to view it on the original website.”