A new malware campaign involving the Efimer Trojan has been observed targeting cryptocurrency users and WordPress site administrators. Efimer is a ClipBanker-type Trojan that steals and replaces cryptocurrency wallet addresses.

A sophisticated cyberattack campaign active from late 2024 to April 2025 targeted Russian IT firms and international entities using Cobalt Strike Beacon. The attackers employed spear phishing, DLL hijacking, and social media-based payload delivery.

A newly discovered backdoor malware dubbed GhostContainer is targeting Microsoft Exchange servers in high-value organizations across Asia. The malware is a .NET-based PE32 executable that leverages open-source tools and exploits CVE-2020-0688.

Zanubis is a sophisticated Android banking Trojan active since 2022, targeting Peruvian financial institutions. It masquerades as legitimate apps to trick users into granting accessibility permissions, enabling full device control.

Outlaw (also known as “Dota”) is a Perl-based crypto mining botnet that typically takes advantage of weak or default SSH credentials for its operations. Telemetry data showed victims across the US, Germany, Italy, Thailand, and more.

GOFFEE continued to launch targeted attacks against organizations in Russia, utilizing PowerTaskel, a non-public Mythic agent written in PowerShell, and introducing a new implant that researchers dubbed “PowerModul”.

In June 2022, Kaspersky researchers found a suspicious shellcode running in the memory of a system process. Based on their reconstruction of the infection chain, they determined that it originated from running an encoded PowerShell script as a task.

A newly discovered campaign related to the Bad Magic APT involved use of a modular framework dubbed CloudWizard. Its features include taking screenshots, microphone recording, keylogging, and more.

The threat actor targets government and diplomatic entities in the CIS. The few victims discovered in other regions (Middle East or Southeast Asia) turn out to be foreign representations of CIS countries, illustrating Tomiris’s narrow focus.

This threat cluster linked to the North Korean threat actor Lazarus is also known as Operation DreamJob or NukeSped. It's dubbed DeathNote after its malware payloads named Dn.dll or Dn64.dll.