Zscaler

December 23, 2025

Zscaler Threat Hunting Catches Evasive SideWinder APT Campaign

A sophisticated espionage campaign by the SideWinder APT group targets Indian entities by impersonating the Income Tax Department of India. The campaign uses advanced techniques such as DLL side-loading with legitimate Microsoft Defender binaries.

BlindEagle Deploys Caminho and DCRAT

BlindEagle, a threat actor operating in South America, has launched a sophisticated spear phishing campaign targeting a Colombian government agency under the Ministry of Commerce, Industry and Tourism (MCIT).

SEO Poisoning Targets Ivanti VPN: Credential Theft Alert

A new SEO poisoning campaign is targeting users searching for Ivanti Pulse Secure VPN software, redirecting them to attacker-controlled sites hosting a trojanized installer. The malware steals VPN credentials and exfiltrates them to a C2 server.

YiBackdoor: Linked to IcedID and Latrodectus

A new malware family named YiBackdoor has been identified, exhibiting strong code overlaps with IcedID and Latrodectus. YiBackdoor can execute arbitrary commands, collect system information, capture screenshots, and deploy encrypted plugins.

Black Hat SEO Poisoning Search Engine Results For AI

Threat actors are exploiting the popularity of AI tools by using Black Hat SEO to poison search engine results and deliver Vidar Stealer, Lumma Stealer, and Legion Loader through complex redirection chains and obfuscated JavaScript.

TransferLoader Malware Loader Deploys Morpheus Ransomware Using Obfuscated Backdoor and IPFS-Based C2

TransferLoader is a newly identified malware loader active since at least February 2025. It comprises three main components—a downloader, a backdoor loader, and a backdoor—each employing advanced anti-analysis and obfuscation techniques.

April 16, 2025

Mustang Panda: PAKLOG, CorKLOG, and SplatCloak

Mustang Panda, a China-linked APT group, has expanded its malware arsenal with PAKLOG and CorKLOG and an EDR evasion driver named SplatCloak. The malware is delivered via RAR archives containing legitimate signed binaries and malicious DLLs.

Technical Analysis of Xloader Versions 6 and 7

Xloader is known for its ability to steal sensitive information from web browsers, email clients, and FTP applications, as well as deploy second-stage payloads on infected systems.

Technical Analysis of RiseLoader Reveals Similarities with RisePro’s Communication Protocol

RiseLoader is a new malware loader family that was first observed in October 2024. The malware implements a custom TCP-based binary network protocol that is similar to RisePro.

NodeLoader Malware Found Evading Detection on Windows Systems

NodeLoader uses a module called sudo-prompt, a publicly available tool on GitHub and NPM, for privilege escalation. The malware delivered by NodeLoader includes cryptocurrency miners and information stealers.
