Kaspersky
-
DAEMON Tools installers trojanized in supply chain attack, Kaspersky says
DAEMON Tools installers were trojanized in a supply chain attack that affected versions released since April 8, 2026, Kaspersky said. The compromise reached users in more than 100 countries and delivered targeted malware to a small set of hosts.
-
JanelaRAT malware targets banks in Brazil and Mexico, Kaspersky says
JanelaRAT malware has targeted banks and financial institutions in Brazil and Mexico, with Kaspersky recording more than 26,000 attacks there in 2025. The trojan can steal credentials, track activity and use browser extensions for fraud.
-
Kaspersky links Coruna iOS exploit framework to Operation Triangulation, finds expanded targets
Kaspersky researchers say the Coruna exploit framework is an updated successor to the Operation Triangulation toolkit, adding support for A17 and M3 chips and iOS up to 17.2, and that its components include multiple exploit chains used in both espionage and financially motivated attacks.
-
Mustang Panda deploys updated COOLCLIENT backdoor to steal endpoint data
An updated COOLCLIENT backdoor linked to Mustang Panda was used in 2025 to steal keystrokes, browser credentials and files from government endpoints across Myanmar, Mongolia, Malaysia and Russia, according to a technical analysis by Kaspersky.
-
China-linked APT used DNS poisoning to deliver MgBot backdoor, Kaspersky says
Kaspersky linked a China-aligned APT known as Evasive Panda to a campaign from November 2022 to November 2024 that used DNS poisoning to deliver an MgBot backdoor to targets in Türkiye, China and India, employing staged loaders, custom encryption and host-specific payloads.
-
Kaspersky links new Operation ForumTroll phishing wave to targeted attacks on Russian academics
Kaspersky detected a targeted October 2025 phishing campaign tied to Operation ForumTroll that used eLibrary impersonation and personalized one-time links to deliver a PowerShell chain and the Tuoni remote access framework to academics in Russia; the group's origins remain unknown.
-
Kaspersky: Tomiris APT increasingly uses Telegram and Discord as command-and-control channels
Kaspersky researchers reported that the Tomiris threat actor has targeted diplomatic and government entities, increasingly using public services like Telegram and Discord as command-and-control channels and deploying multi-language implants and open-source C2 frameworks.
-
Kaspersky flags expanding ‘Tsundere’ botnet that uses Ethereum to host C2 details
Kaspersky researchers have identified an expanding Windows-targeting botnet called Tsundere that deploys a Node.js-based payload via MSI or PowerShell, retrieves C2 details from the Ethereum blockchain and offers a control panel and marketplace for operators; attribution remains unclear.
-
Kaspersky links Chrome zero-day campaign to Italian spyware firm Memento Labs
Kaspersky detailed Operation ForumTroll, a campaign that used a Chrome sandbox escape (CVE-2025-2783) to deliver modular spyware LeetAgent and a second implant called Dante, which researchers attribute with high confidence to Memento Labs, a firm formed from assets of the former Hacking Team.