LATEST THREAT INTELLIGENCE
Restless Spirit: New Attacks on Russian Companies
Description: PhantomCore, a hacking group targeting Russian and Belarusian companies since 2022, launched a new wave of malicious email campaigns on January 19 and 21, 2026. The attacks targeted various sectors including utilities, finance, urban infrastructure, aerospace, consumer digital services, chemical industry, construction, consumer goods manufacturing, and e-commerce. The campaign used phishing emails with malicious attachments, leveraging compromised legitimate email addresses. The malware operates in multiple stages, including downloading decoy documents, executing PowerShell scripts, and establishing persistence through scheduled tasks. The second stage malware, similar to previously known PhantomCore.PollDL, communicates with command and control servers to receive and execute commands.
Created at: 2026-01-23T10:12:00.002000
Updated at: 2026-02-22T10:02:23.104000
ShadowRelay: New Modular Backdoor in the Public Sector
Description: A new modular backdoor called ShadowRelay was discovered on a compromised Exchange server in a government organization. The backdoor allows loading different plugins and demonstrates sophisticated design indicative of well-prepared attackers. It uses packet injection to hide network activity and can spy covertly in protected network segments by communicating through infected machines. The backdoor can inject itself into other processes and uses plugins to load additional functionality, allowing it to evade detection. These capabilities suggest the attackers aim for long-term covert presence and espionage, typical of state-sponsored APT groups. The backdoor was found alongside tools from other known threat actors, complicating attribution.
Created at: 2026-01-23T10:10:12.656000
Updated at: 2026-02-22T10:02:23.104000
KONNI Adopts AI to Generate PowerShell Backdoors
Description: A North Korea-linked threat actor known as KONNI has been observed conducting a phishing campaign targeting software developers and engineering teams, particularly those with blockchain expertise. The campaign uses AI-generated PowerShell backdoors and targets a broader range of countries in the APAC region. The infection chain begins with a Discord-hosted link downloading a ZIP archive containing a PDF lure and a malicious LNK file. The LNK file deploys additional components, including the AI-generated PowerShell backdoor. The backdoor employs various anti-analysis techniques and establishes persistence through scheduled tasks. This campaign demonstrates KONNI's evolution in tactics and tooling, including the adoption of AI-assisted malware development.
Created at: 2026-01-22T18:22:30.740000
Updated at: 2026-02-21T18:01:16.981000
Malicious Configuration Changes Observed On Fortinet FortiGate Devices via SSO Accounts
Description: A new cluster of automated malicious activity involving unauthorized firewall configuration changes on FortiGate devices has been observed. The activity includes creation of generic accounts for persistence, configuration changes granting VPN access, and exfiltration of firewall configurations. The campaign bears similarities to a previous one described in December 2025, involving SSO login activity for administrator accounts. While the initial access details are not fully confirmed, it may be related to previously disclosed SSO vulnerabilities (CVE-2025-59718 and CVE-2025-59719). The malicious activity involves SSO logins from specific hosting providers, followed by configuration exports and creation of secondary accounts for persistence. The events occur within seconds, suggesting automated activity.
Created at: 2026-01-22T00:39:37.387000
Updated at: 2026-02-21T11:00:35.105000
PurpleBravo’s Targeting of the IT Software Supply Chain
Description: PurpleBravo, a North Korean state-sponsored threat group, targets software developers through fake recruitment efforts, particularly in cryptocurrency and software development sectors. Their toolkit includes BeaverTail, PyLangGhost, and GolangGhost, designed for stealing browser credentials and cryptocurrency information. The group has affected 3,136 IP addresses, mainly in South Asia and North America, compromising 20 organizations across various industries. PurpleBravo's tactics include using fictitious personas, malicious GitHub repositories, and sophisticated malware to infiltrate IT services companies, posing a significant supply-chain risk. The group shows overlap with PurpleDelta, another North Korean threat actor, sharing infrastructure and operational patterns. PurpleBravo's focus on the IT sector in South Asia presents an overlooked threat to organizations outsourcing IT services.
Created at: 2026-01-21T22:26:37.394000
Updated at: 2026-02-20T22:00:28.736000
MIMICRAT: ClickFix Campaign Delivers Custom RAT via Compromised Legitimate Websites
Description: A sophisticated ClickFix campaign has been uncovered, compromising legitimate websites to deliver a multi-stage malware chain. The attack culminates in MIMICRAT, a custom remote access trojan with advanced capabilities. The campaign uses compromised sites across industries and geographies for delivery, employing a five-stage PowerShell chain that bypasses security measures before deploying a Lua-scripted shellcode loader. MIMICRAT, the final payload, is a native C++ RAT featuring malleable C2 profiles, Windows token theft, and SOCKS5 proxy functionality. The attack chain involves multiple compromised websites, obfuscated scripts, and sophisticated evasion techniques, demonstrating a high level of operational sophistication.
Created at: 2026-02-20T14:51:41.673000
Updated at: 2026-02-20T21:41:12.687000
ClickFix in action: how fake captcha can encrypt an entire company
Description: The report details a malware attack on a large Polish organization involving fake CAPTCHA techniques. It describes the initial infection vector, where users were tricked into running malicious code through a Windows+R shortcut. The analysis covers two main malware families: Latrodectus (version 2.3) and Supper. The report provides technical details on the malware's functionality, communication protocols, and persistence mechanisms. It also includes indicators of compromise, such as C2 server IP addresses and file hashes. The authors emphasize the importance of employee education and monitoring for unusual events to mitigate such threats.
Created at: 2026-02-19T15:26:28.037000
Updated at: 2026-02-20T14:52:01.160000
VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731)
Description: A critical remote code execution vulnerability (CVE-2026-1731) in BeyondTrust remote support software is being actively exploited. The flaw allows unauthenticated attackers to execute arbitrary OS commands with high privileges. Observed attacker activities include network reconnaissance, account creation, webshell deployment, C2 traffic, backdoor installation, lateral movement, and data theft. Affected sectors include finance, legal, technology, education, retail, and healthcare across multiple countries. Attackers are using tools like SparkRAT, VShell, and custom scripts for exploitation. The vulnerability is related to a similar one from 2024, highlighting the need for improved input validation and defense-in-depth strategies for remote access platforms.
Created at: 2026-02-20T00:28:19.348000
Updated at: 2026-02-20T13:13:53.979000
Zero-day in Dell RecoverPoint for Virtual Machines (CVE-2026-22769)
Description: A critical zero-day vulnerability in Dell RecoverPoint for Virtual Machines has been discovered and actively exploited. The flaw, identified as CVE-2026-22769, allows attackers to gain root-level access on affected systems. China-linked threat actor UNC6201 has been leveraging this vulnerability in targeted intrusions since mid-2024, deploying custom backdoors like GRIMBOLT and BRICKSTORM for persistence and further compromise. The vulnerability affects versions prior to 6.0.3.1 HF1. Organizations are urged to apply the security patch immediately or use the provided remediation script if patching is not possible. Detection indicators for the malware and network traffic have been provided to help identify potential compromises.
Created at: 2026-02-19T20:16:49.235000
Updated at: 2026-02-20T13:10:49.272000
Android threats using GenAI usher in a new era
Description: ESET researchers have discovered PromptSpy, the first known Android malware to abuse generative AI in its execution flow. This malware uses Google's Gemini AI to analyze screen content and provide instructions for UI manipulation, allowing it to adapt to various devices and layouts. PromptSpy's main purpose is to deploy a VNC module for remote access to the victim's device. It also abuses the Accessibility Service to block uninstallation, captures lock screen data, and records video. The campaign appears to target users in Argentina and was likely developed in a Chinese-speaking environment. PromptSpy demonstrates how incorporating AI tools can make malware more dynamic and capable of real-time decision-making, which may widen the pool of potential victims.
Created at: 2026-02-19T20:16:49.814000
Updated at: 2026-02-20T13:09:45.403000
