George G. (@erowlik)'s Twitter Profile
George G.

@erowlik

ID: 1323814500693401602

04-11-2020 02:29:16

41 Tweets

12 Followers

165 Following

Spamhaus (@spamhaus)'s Twitter Profile Photo

Qakbot 🦆🤖 takedown!!! Qakbot has been disrupted and dismantled by the FBI following a multinational effort. We will be assisting with the remediation - more info to follow... #malware #takedown #qakbot fbi.gov/news/stories/f…

Sophos X-Ops (@sophosxops)'s Twitter Profile Photo

In mid-August, the Sophos X-Ops Incident Response team was brought in to address a cyber incident impacting a telecommunications company.

Kevin Naughton Jr. (@kevinnaughtonjr)'s Twitter Profile Photo

🚩 RED FLAGS IN SOFTWARE ENGINEERS 🚩 -uses macOS -uses ChatGPT -drinks pour over coffee -can't reverse a linked list -uses more than 1 monitor -tries new languages for "fun" -doesn't push to prod on friday (live a little?) -works on side projects outside of work -actually does

mpgn (@mpgn_x64)'s Twitter Profile Photo

The redteam when they do social engineering over the phone and the client downloads and executes the file "invoice.pdf.exe"

Zscaler ThreatLabz (@threatlabz)'s Twitter Profile Photo

Check out our technical analysis for the latest version of #Pikabot, which has restructured the internal configuration, simplified the string encryption, and updated the network protocol. Blog link: zscaler.com/blogs/security…

vx-underground (@vxunderground)'s Twitter Profile Photo

Logging into Xitter and seeing thousands upon thousands of people, who have never written a single line of code their entire life and can barely use a computer, giving their expert input into kernel-mode programming

Spamhaus (@spamhaus)'s Twitter Profile Photo

❗Spamhaus Malware researchers have observed a malspam distributor previously associated with Darkgate / SSLoad targeting the Ukraine audience. The malspam impersonates State Tax of Ukraine, informing potential victims of "Illegal Activities" on their properties. 🔽

Zscaler ThreatLabz (@threatlabz)'s Twitter Profile Photo

🚭 Introducing SmokeBuster, a general purpose tool for #SmokeLoader, which can detect and remediate infections for versions 2017 through 2022. During development, ThreatLabz also identified significant bugs in SmokeLoader that lead to degraded system performance. Read our full

Zscaler ThreatLabz (@threatlabz)'s Twitter Profile Photo

North Korean threat actors are using the #ContagiousInterview and #WageMole campaigns to secure remote jobs in the West, bypassing sanctions with stolen data. ThreatLabz researchers have identified obfuscation enhancements, new Windows & macOS package formats, and over 100

Zscaler ThreatLabz (@threatlabz)'s Twitter Profile Photo

Check out our technical analysis of #RaspberryRobin's multilayered approach to thwarting analysis and evading detection. Read the full technical analysis here: zscaler.com/blogs/security…

abuse.ch (@abuse_ch)'s Twitter Profile Photo

We've observed a #BumbleBee malspam campaign using Cisco AnyConnect as a lure 🪝👀 The malspam contains a PDF with a link to a fake AnyConnect installer. Once downloaded and executed, the payload will open Cisco AnyConnect on the Microsoft App Store to mask the BumbleBee

Zscaler ThreatLabz (@threatlabz)'s Twitter Profile Photo

ThreatLabz has discovered a new malware family named #NodeLoader that abuses the Node.js framework to deliver second-stage payloads including Lumma Stealer, Phemedrone Stealer, and XMRig. NodeLoader currently has nearly zero antivirus and EDR detections. Read our technical

Zscaler ThreatLabz (@threatlabz)'s Twitter Profile Photo

ThreatLabz has uncovered a new malware loader that we have named TransferLoader. Active since Feb 2025, TransferLoader uses advanced evasion techniques and control flow obfuscation along with a backdoor component that utilizes the InterPlanetary File System peer-to-peer platform

Zscaler ThreatLabz (@threatlabz)'s Twitter Profile Photo

👮🛑Operation Endgame has once again simultaneously targeted multiple malware threat groups. One of the targets of the operation was DanaBot, which ThreatLabz has been tracking over the past 7 years. The group’s activity has included both criminal, and perhaps most interestingly,

Zscaler ThreatLabz (@threatlabz)'s Twitter Profile Photo

A programming flaw in DanaBot's C2 server code introduced "DanaBleed", a memory leak exposing sensitive internal data between 2022 and 2025. Zscaler ThreatLabz has published a technical analysis that explores how the leak occurred, its impact, and the insights it revealed into

Zscaler ThreatLabz (@threatlabz)'s Twitter Profile Photo

Zscaler ThreatLabz has discovered a new malware family that we named YiBackdoor which shares significant code overlaps with IcedID and Latrodectus. YiBackdoor enables threat actors to collect system information, take screenshots, execute arbitrary commands, and deploy plugins on

NSA Cyber (@nsacyber)'s Twitter Profile Photo

We’ve joined CISA Cyber & Canadian Centre for Cyber Security to attribute the broad campaign using BRICKSTORM to China state-sponsored cyber actors. Review the report for guidance on how to detect BRICKSTORM backdoor activity and improve your cybersecurity posture against this targeting. 🔗
