brettsg (@pushecx)'s Twitter Profile

brettsg
@pushecx

ID: 2324073474

Joined: 02-02-2014 17:18:48

155 Tweets

415 Followers

84 Following

Zscaler ThreatLabz (@threatlabz):

🔒 We have added another ransomware note to our repository for a new group calling themselves AiLock: github.com/ThreatLabz/ran…

Zscaler ThreatLabz (@threatlabz):

☕ ThreatLabz has discovered a new sophisticated malware threat that we have named CoffeeLoader. The malware is a loader that implements numerous stealthy techniques to evade antivirus and EDRs via call stack spoofing, sleep obfuscation, and Windows fibers. The malware is also

Zscaler ThreatLabz (@threatlabz):

ThreatLabz has uncovered a new malware loader that we have named TransferLoader. Active since Feb 2025, TransferLoader uses advanced evasion techniques and control flow obfuscation along with a backdoor component that utilizes the InterPlanetary File System peer-to-peer platform

Zscaler ThreatLabz (@threatlabz):

āš”ļø Zscaler ThreatLabz has identified a new Rhadamanthys version that is being distributed through CoffeeLoader with a new configuration structure. The changes include the addition of FastLZ compression for C2 URLs and a new Base64 custom character set. Sample hash:

Zscaler ThreatLabz (@threatlabz):

👮🛑 Operation Endgame has once again simultaneously targeted multiple malware threat groups. One of the targets of the operation was DanaBot, which ThreatLabz has been tracking over the past 7 years. The group’s activity has included both criminal, and perhaps most interestingly,

Zscaler ThreatLabz (@threatlabz):

A programming flaw in DanaBot's C2 server code introduced "DanaBleed", a memory leak exposing sensitive internal data between 2022 and 2025. Zscaler ThreatLabz has published a technical analysis that explores how the leak occurred, its impact, and the insights it revealed into

Zscaler ThreatLabz (@threatlabz):

āš”ļø Zscaler ThreatLabz has identified a new Rhadamanthys variant that has changed the magic bytes for the configuration structure from RHA! to BEEF. Sample hash: eb5558d414c6f96efeb30db704734c463eb08758a3feacf452d743ba5f8fe662 Sample C2:

Zscaler ThreatLabz (@threatlabz):

Zscaler ThreatLabz revisits Raspberry Robin in our latest analysis. Recent updates include enhanced obfuscation, a shift to ChaCha-20 encryption, a randomized RC4 key seed per campaign, and a new privilege escalation exploit (CVE-2024-38196). Check out our analysis:

Zscaler ThreatLabz (@threatlabz):

ThreatLabz has identified two new SmokeLoader versions that are being used by multiple threat groups. These versions, which we refer to as version 2025 alpha and version 2025, fix significant bugs that previously caused significant performance degradation on an infected system.

Zscaler ThreatLabz (@threatlabz):

Zscaler ThreatLabz has published a technical analysis of Zloader’s latest updates. The new Zloader versions (2.11.6.0 & 2.13.7.0) include a DNS-based C2 network protocol that is encrypted with a custom algorithm, additional code obfuscation, improved malware sandbox evasion, and

Zscaler ThreatLabz (@threatlabz):

Zscaler ThreatLabz has discovered a new malware family that we named YiBackdoor which shares significant code overlaps with IcedID and Latrodectus. YiBackdoor enables threat actors to collect system information, take screenshots, execute arbitrary commands, and deploy plugins on

Zscaler ThreatLabz (@threatlabz):

Danabot has resurfaced with version 669 after nearly a 6 month hiatus following the Operation Endgame law enforcement actions in May.

The current C2s are the following:
62.60.226[.]146:443
62.60.226[.]154:443
80.64.19[.]39:443

Zscaler ThreatLabz (@threatlabz):

🔃 TransferLoader has recently re-emerged with new samples.

Example SHA256: e83ca6892e549b6d1e02e5eb20e7c5e5e5eec70efc40e7d616af7ee4c4b0db04
C2: https://restmonitoring[.]com/getfile
HTTP headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
EU-Header: JDE03ML==

Zscaler ThreatLabz (@threatlabz):

Zscaler ThreatLabz has discovered CVE-2025-50165 in the Microsoft Windows Graphics Component. With a CVSS score of 9.8, this vulnerability enables attackers to execute arbitrary code using a specially crafted JPEG image that can be triggered by any application that leverages the

Zscaler ThreatLabz (@threatlabz):

Zscaler ThreatLabz has published a technical analysis of Matanbuchus version 3.0 and has observed recent deployments consistent with hands-on-keyboard ransomware operations. This new version of Matanbuchus implements a number of obfuscation techniques to evade detection such as

Zscaler ThreatLabz (@threatlabz):

āš ļøMatanbuchus has been continuously making changes to various components to evade AV/ML detection. The group is currently leveraging Microsoft Installer (MSI) files to drop the downloader module with some samples having zero detections: virustotal.com/gui/file/6a139… The C2 for this

Zscaler ThreatLabz (@threatlabz):

Zscaler ThreatLabz has published a technical analysis of GuLoader's anti-analysis techniques that include complex exception-based control flow obfuscation. GuLoader purposefully triggers exceptions to redirect the malware's execution, and employs polymorphic code to dynamically

Zscaler ThreatLabz (@threatlabz):

Zscaler ThreatLabz has published a technical analysis of Xloader versions 8.1 to 8.7 that covers new code obfuscation techniques that further complicate reverse engineering efforts. In addition, the blog provides an in-depth examination of Xloader’s convoluted network protocol

Zscaler ThreatLabz (@threatlabz):

Zscaler ThreatLabz has observed a wave of ransomware attacks that share similar TTPs with prior BlackBasta initial access brokers. These attacks start with spam bombing followed by vishing via Microsoft Teams and Quick Assist to deploy malware. ThreatLabz has linked these attacks
