Malware
BlackCat (ALPHV) — Ransomware’s Fall and the Clones That Followed
BlackCat (ALPHV) pushed ransomware evolution: polished extortion flows, strong encryption, and a mature affiliate model. This post dissects its internals, TTPs, detection artefacts, and the wave of copycats that follo...
From JSON Keeper to TsunamiKit — Inside the BeaverTail & InvisibleFerret Attack Chain
North Korean threat actors are now abusing fake API keys, JSON Keeper blobs, and GitHub-hosted Node.js projects to deliver a JavaScript loader known as BeaverTail, which drops a Python backdoor (InvisibleFerret) and a...
Rhadamanthys — Modular Malware Done Right (For the Wrong Reasons)
A deep dive into Rhadamanthys, the stealer-loader hybrid redefining modular malware design. We explore its internal architecture, infection vectors, and what defenders can learn from its engineering.
AI-Powered Malware: Dynamic Code Generation and the Rise of Adaptive Threats
A new class of malware is emerging — one that uses AI models to generate, modify, and obfuscate code on demand. This post explores how attackers are weaponizing language models, what this means for detection, and how ...
Lumma Stealer — The Credential Bandit That Won’t Die
Once a low-tier stealer, Lumma evolved into one of 2025’s most persistent credential-harvesting threats. We dissect its infection flow, internal structure, and defense strategies from both blue-team and forensic persp...
ClickFix Malware Campaign — How Fake Verifications Lead to Real Compromise
A new wave of attacks uses fake 'I'm not a robot' pages and clipboard tricks to make users infect themselves. Here's how it works, what it looks like, and how both users and security teams can respond.
When `npm install` Gets You Hacked: The Chollima‑Style Job Scam and How Developers Can Defend Themselves
A deep dive into how attackers weaponize faux 'job challenge' repos and poisoned npm workflows, why developers fall for them, and practical, non‑destructive defenses.
Malvertising – When Ads Deliver Malware
Malvertising has evolved into one of the most dangerous attack vectors of 2025. This guide traces its origins, explains how poisoned ads work, dissects real campaigns, and provides detailed defense strategies for both...
RaccoonO365: Inside the Global Phishing-as-a-Service Takedown
Microsoft and Cloudflare dismantled RaccoonO365, a $355/month phishing-as-a-service empire that stole 5,000+ Microsoft 365 credentials across 94 countries. This deep dive explains how the service operated, the scale o...
When the Foundation Cracks: Inside the 2025 NPM Supply Chain Attack
A phishing lure, a stolen maintainer account, and 18 poisoned NPM packages: the September 2025 supply chain attack is the most widespread compromise in NPM history. This deep dive explains what NPM is, how dependency ...
Shortcut to Infection: XenoRAT via Malicious .lnk → WSF → Python
A fake invoice lure leads to a shortcut (.lnk) that fetches a WSF, stages dual ZIP archives (me.zip, deb.zip), and launches pythonw.exe from the user’s Contacts directory. Explorer.exe then takes over network comms, c...
Masquerading with “ん”: A clever Unicode trick in Booking.com phishing campaigns
Hiragana 'ん' used in URL paths to evade filters and trick users — plus FakeCaptcha and HijackLoader payloads. In the wild we see FakeCaptcha gates leading to HijackLoader payloads, stitched into refund-lure phishing t...