Research
-
Arkanix Stealer MaaS advertised on forums targeted 22 browsers and crypto wallets
Kaspersky analysis found Arkanix Stealer being marketed in October 2025 as malware-as-a-service. The campaign used Python and native loaders to harvest data from 22 browsers, gaming clients and crypto wallets before the panel was taken down.
-
MuddyWater launches Operation Olalampo targeting MENA with new Rust backdoor and loaders
A technical analysis by Group-IB found that Iranian-linked MuddyWater launched Operation Olalampo on January 26, 2026, targeting MENA organisations. The campaign uses the downloaders GhostFetch and HTTP_VIP, the Rust backdoor CHAR, and GhostBackDoor.
-
Malicious NPM package hides Pulsar RAT inside PNG images using steganography and obfuscated dropper
The malicious NPM package 'buildrunner-dev' downloads an obfuscated batch loader and hides encrypted payloads inside PNG images. Extraction recovered a .NET loader and a Pulsar RAT embedded via steganography.
-
ClickFix campaign uses compromised sites to deliver new MIMICRAT remote access trojan
A ClickFix campaign abused compromised legitimate sites to install MIMICRAT, a previously undocumented C++ remote access trojan. The multi-stage PowerShell chain drops a Lua loader; the RAT itself supports 22 commands.
-
Massiv Android trojan hides in IPTV droppers to enable device takeover and banking fraud
Researchers published a technical analysis of Massiv, an Android trojan spread via IPTV droppers that enables remote device takeover, screen streaming and overlays to steal banking credentials. Initial campaigns targeted Portugal and Greece in early 2025.
-
CRESCENTHARVEST campaign uses deceptive .LNK files to deploy RAT against Iran protest supporters
CRESCENTHARVEST used RAR archives and deceptive .LNK files to deliver a remote access trojan and data stealer to Farsi-speaking supporters of the Iran protests. It is not known whether any infections succeeded.
-
Critical unauthenticated RCE in Grandstream GXP1600 VoIP phones tracked as CVE-2026-2329
CVE-2026-2329, a buffer overflow in Grandstream GXP1600 VoIP phones, scores 9.3 (critical) and allows unauthenticated remote code execution as root. A vendor firmware update addresses the flaw.
-
Critical flaws found in four Visual Studio Code extensions
Researchers disclosed multiple high-severity vulnerabilities in four popular Visual Studio Code extensions with more than 125 million combined installs. Several flaws remain unpatched; the flaw in one extension was silently fixed by Microsoft in version 0.4.16.
-
China-linked group exploited Dell RecoverPoint zero-day
Researchers found UNC6201 exploiting a hardcoded-password zero-day in Dell RecoverPoint for VMs since mid-2024, gaining root access on affected appliances. A vendor advisory and patch were issued. The campaign shifted from the Brickstorm backdoor to the stealthier Grimbolt backdoor.