Unit 42 (@unit42_intel)'s Twitter Profile
Unit 42

@unit42_intel

The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.

ID: 4487645412

Website: https://unit42.paloaltonetworks.com/ | Date: 07-12-2015 16:30:42

2.2K Tweets

59.59K Followers

83 Following

Crimeware #Lampion makes analysis challenging by using nonconsecutive execution stages. Active since 2019, this malware targets Portuguese-based organizations. Now, the addition of the increasingly prevalent ClickFix method adds an additional element. bit.ly/44l9jT7

New #ClickFix activity: User is asked to run a PowerShell script that retrieves and runs an MSI file in memory. This infection chain performs #DLLSideLoading using legitimate "NVIDIA Notification.exe" to load a malicious DLL named libcef.dll. More info at bit.ly/4krPhLd

A #CypherIT crypter is being used in #LummaStealer infections. This campaign is spread via various sources. The binaries use NSIS installers and AutoIt scripts. From an infection, we also saw a clipper payload targeting cryptocurrency wallets. Details at bit.ly/3Fibxse

Criminals are using Teams and impersonating help desk personnel to deliver an #AdaptixC2 beacon. Attackers utilized #QuickAssist to run an update.ps1 file that downloads and runs an AdaptixC2 beacon using tech-system[.]online for its C2 server. Details at bit.ly/3SMlocQ

We uncovered a sophisticated TDS supporting UP-X, a Russian language online gambling platform. This dynamic redirection network of more than 1,000 short-lived DGA domains evades detection and resists takedowns. Details at bit.ly/43oXeu1

2025-05-22 (Thursday) After reports of the recent #LummaStealer disruption, a campaign we saw distributing Lumma Stealer earlier this week switched to pushing #StealC v2 today. Details at bit.ly/43bEC1M #StealCv2 #TimelyThreatIntel

We link specific malware samples to the exploitation of CVE-2025-31324 in SAP NetWeaver and also identify associated network infrastructure, including C2 servers. Read our findings: bit.ly/4kir3TX

A considerable update to our Threat Brief on CVE-2025-31324 includes new indicators that defenders can use for threat hunting. Take a look now: bit.ly/4kir3TX

Unit 42 has identified new samples of BTMOB RAT Android malware impersonating legitimate services, including Starlink, Google Chrome, Avast Antivirus, Roku, Amazon and several other apps targeting Latin American users. Details at bit.ly/4jhZyZw

Starting with DarkCloud Stealer’s history, this article covers analysis of new DarkCloud Stealer samples which use AutoIt-based obfuscation. We unpack the compiled scripts and identify the techniques used to hide malicious payloads and evade analysis: bit.ly/3GWoTuB

A new malware obfuscation technique uses steganography within bitmap resources embedded in .NET applications. Using samples from a recent #malspam campaign, we deconstruct how to recover the final payload. bit.ly/4d5IrbT

#Campaign Alert: A massive #malware distribution infrastructure is active, impersonating over 40 applications on Chinese-language pages. 91 domains hosted on the same IP address were involved in two waves of activity in May 2025. Details at bit.ly/4kHGHrR

LLM guardrails are like a safety net for GenAI, designed to prevent harmful or inappropriate content. But how effective are they? Our latest research evaluates the performance of content filtering mechanisms across three leading GenAI platforms. Read more: bit.ly/4kKdegW

The brand-new infostealer Gremlin publishes victim data and can be used to steal VPN, FTP, crypto wallet or credit card details and more. Advertised on Telegram since mid-March, we analyze its functions. bit.ly/3RHijKG

Iranian threat group #AgentSerpens (#CharmingKitten) was observed likely using generative AI in a malicious PDF masquerading as a document from U.S. non-profit research organization, RAND. The PDF is deployed alongside Agent Serpens’ “PowerLess” malware. bit.ly/4k0pKIN

Cybersecurity Alert: Registered on June 7th, wwdc25[.]com hosts a #scam site impersonating the official WWDC25 event. It promotes a fake #cryptocurrency giveaway to steal funds. Do not send any cryptocurrency to the wallet addresses listed! Details at bit.ly/4mN0RCK

From #NoodleRAT to #AcidPour, Linux malware authors are increasingly targeting cloud environments. Using five ELF-based malware families as examples, we show how ELF malware's evolution presents a significant attack surface through machine learning. bit.ly/4mTnAND

Our latest research delves into the security implications of default configurations in AWS IAM Roles Anywhere. We analyze potential attack vectors and provide actionable strategies to those seeking stronger cloud security posture. bit.ly/4mOdTQF

We investigated a malicious JavaScript (.js) file that led to version 5.3 of #NeptuneRAT. Configuration data reveals it is also called #MasonRAT. The infection generates a PowerShell script to bypass AMSI and Event Tracing for Windows (ETW). More info at bit.ly/3Hx8sp4

A large-scale campaign utilized obscure style JSF*ck to inject malicious JavaScript into legitimate websites. This technique hid malicious redirects, leading to malware and more. Read the full campaign details: bit.ly/4mZ2LjE
