Emergence Date Timeline Activity assessed as early as 2004–2007, with continuous development observed across multiple operational phases. 2004-2007 Origins Continuous Development Multiple Operational Phases Long-Running Campaign Attribution Assessment Strongly assessed as Iran-aligned, based on targeting patterns, infrastructure, language artifacts, and long-term strategic alignment. Iran-Aligned Targeting Patterns Infrastructure Analysis Language
DocuSign
TRENDING TOPICS JAN 07, 2026 DocuSign Impersonation Wave Leveraging Real-Time LogoKit Customization Group-IB has identified a sustained wave of DocuSign impersonation campaigns that leverage real-time page customization to deliver highly convincing credential-harvesting attacks. These campaigns abuse the trust users place in widely adopted business platforms by closely mimicking legitimate DocuSign
Zestix
TRENDING TOPICS JAN 06, 2026 Zestix Targets Credential-Driven Access to Corporate File-Sharing Data Hudson Rock reports that a threat actor known as Zestix has been advertising stolen corporate data tied to dozens of organizations, with activity pointing to compromised ShareFile, Nextcloud, and ownCloud environments. The likely entry point was employee
MONTHLY WRAP MONTHLY WRAP Overview December 2025 demonstrated a clear pivot toward trust-plane exploitation, with both criminal and state-aligned actors favoring legitimate platforms, built-in tooling, and familiar workflows over novel exploits. Campaigns increasingly abuse AI platforms, developer tools, cloud services
Kimwolf Botnet
TRENDING TOPICS JAN 05, 2026 Kimwolf Botnet Breaches Home Networks via Proxy Abuse, Infecting Over 2 Million Devices Security researchers are warning about the rapid expansion of the Kimwolf botnet, which has compromised more than two million devices worldwide by exploiting weaknesses in residential proxy services. Unlike traditional botnets that
RondoDoX
CVE-2025-54322 Critical Xspeeder SXZOS ≤2025-12-26 REMOTE CODE EXECUTION ROOT ACCESS Xspeeder SXZOS through 2025-12-26 allows root remote code execution via base64-encoded Python code in the chkid parameter to vLogin.py. The title and oIP parameters are also exploited, enabling complete system compromise with root-level privileges. Mitigation: Immediately update Xspeeder SXZOS
Infrastructure Pre-Positioning Volt Typhoon Primary Objective Pre-position access for potential disruption during conflict. Core Characteristics Credential abuse, edge device exploitation, LOTL techniques, OT-adjacent access, long-term persistence. Key Targets Energy, water, telecom, transportation. Volt Typhoon Pre-Positioning Disruption Capability Credential Abuse Edge Device Exploitation LOTL OT-Adjacent Access Energy Water Telecom Transportation Telecom
ErrTraffic
TRENDING TOPICS DEC 31, 2025 Update: The Industrialization of ClickFix Social Engineering Through ErrTraffic Researchers at HudsonRock have discovered ErrTraffic, a new ClickFix service that is currently being marketed for approximately $800 on Russian-language cybercrime forums. ErrTraffic lowers the barrier to entry for threat actors by providing a polished, SaaS-like
HoneyMyte APT
TRENDING TOPICS DEC 30, 2025 HoneyMyte APT Adopts Kernel-Mode Rootkit to Stealthily Deploy ToneShell Backdoor Kaspersky has identified a new HoneyMyte APT campaign that marks a significant escalation in technical sophistication, centered on the use of a kernel-mode mini-filter driver to deploy and protect malware. The malicious driver, signed with
Mycelial Mage
TRENDING TOPICS DEC 29, 2025 Tracing the Mycelial Mage Credential Theft Operation and Its Evolving Exfiltration Infrastructure Researchers found a credential theft operation, tracked here as Mycelial Mage, through sustained observation of phishing kit deployments beginning in early 2025. The activity centers on phishing pages designed to impersonate Microsoft Outlook
Cloudflare
TRENDING TOPICS DEC 24, 2025 Phishers Exploit Cloudflare Pages and Telegram to Scale Credential Theft Threat actors are increasingly abusing free developer hosting platforms, most notably Cloudflare Pages, to host highly convincing phishing portals that impersonate banking, insurance, and healthcare providers. These campaigns frequently leverage compromised legitimate websites as redirectors,
MacSync
TRENDING TOPICS DEC 23, 2025 MacSync Stealer Escalates macOS Risk Through Trusted App Abuse Jamf Threat Labs has identified a significant evolution in the MacSync Stealer malware that materially increases risk for macOS users by abusing Apple’s built-in trust mechanisms. In this campaign, the malware is delivered as a