Intelligence Feed
Kimsuky targets organizations with PebbleDash-based tools
Securelist
14 May 2026
SEV 5/10
Disclosing new PebbleDash-based tools by Kimsuky | Securelist
Contents: Executive summary; Background; Initial access; Deployed malware; HelloDoor: first Rust-based PebbleDash variant; httpMalice: latest backdoor variant of PebbleDash; MemLoad downloads httpTroy; AppleSeed; HappyDoor; Post-exploitation; VSCode (launched by the JSE dropper); VSCode (launched by VSCode installer); DWAgent; Infrastructure; Victims; Attribution; Conclusion; Indicators of compromise; File hashes; Domains and IPs
Authors: Sojun Ryu
Over the past few months, we have conducted an in-depth analysis of specific activity clusters of Kimsuky (aka APT43, Ruby Sleet, Black Banshee, Sparkling Pisces, Velvet Chollima, and Springtail), a prolific Korean-speaking threat actor. Our research revealed notable tactical shifts throughout multiple phases of the group’s latest campaigns. Kimsuky has continuously introduced new malware variants based on the PebbleDash platform, a tool historically leveraged by the Lazarus Group but appropriated by Kimsuky since at least 2021.
State of ransomware in 2026
Securelist
12 May 2026
SEV 4/10
Reviewing the trends in ransomware attacks in 2026 | Securelist
Contents: Ransomware attacks decline but remain a major threat; The continued rise of EDR killers and defense evasion tooling; The appearance of new families adopting post-quantum cryptography; The shift to encryptionless extortion; Industrialization of initial access (Access-as-a-Service); Ransomware developments on the dark web; Law enforcement actions; Top ransomware groups in 2025; New actors in 2026; Conclusion and protection recommendations
Authors: Fabio Assolini, Marc Rivero, Maher Yamout, Darya Gorodilova
With International Anti-Ransomware Day taking place on May 12, Kaspersky presents its annual report on the evolving global and regional ransomware cyberthreat landscape. Ransomware remains one of the most persistent and adaptive cyberthreats. In 2026: New families continue to emerge, adopting post-quantum cryptography ciphers.
CVE-2025-68670: discovering an RCE vulnerability in xrdp
Securelist
08 May 2026
SEV 7/10
CVE-2025-68670: an RCE vulnerability in the xrdp server | Securelist
Contents: Client data transmission via RDP; CVE-2025-68670: an RCE vulnerability in xrdp; PoC; Protection against vulnerability exploitation; Vulnerability remediation timeline; Conclusion
Authors: Denis Skvortsov, Dmitry Shmoylov
In addition to KasperskyOS-powered solutions, Kaspersky offers various utility software to streamline business operations. For instance, users of Kaspersky Thin Client, an operating system for thin clients, can also purchase Kaspersky USB Redirector, a module that expands the capabilities of the xrdp remote desktop server for Linux. This module enables access to local USB devices, such as flash drives, tokens, smart cards, and printers, within a remote desktop session – all while maintaining connection security.
Exploits and vulnerabilities in Q1 2026
Securelist
07 May 2026
SEV 8/10
The vulnerability landscape in Q1 2026 | Securelist
Contents: Statistics on registered vulnerabilities; Exploitation statistics; Windows and Linux vulnerability exploitation; Most common published exploits; Vulnerability exploitation in APT attacks; C2 frameworks; Notable vulnerabilities; CVE-2026-21519: Desktop Window Manager vulnerability; RegPwn (CVE-2026-21533): a system settings access control vulnerability; CVE-2026-21514: a Microsoft Office vulnerability; Clawdbot (CVE-2026-25253): an OpenClaw vulnerability; CVE-2026-34070: LangChain framework vulnerability; CVE-2026-22812: an OpenCode vulnerability; Conclusion and advice
Authors: Alexander Kolesnikov
During Q1 2026, the exploit kits leveraged by threat actors to target user systems expanded once again, incorporating new exploits for the Microsoft Office platform, as well as Windows and Linux operating systems. In this report, we dive into the statistics on published vulnerabilities and exploits, as well as the known vulnerabilities leveraged by popular C2 frameworks throughout Q1 2026.
Statistics on registered vulnerabilities
This section provides statistical data on registered vulnerabilities.
OceanLotus suspected of using PyPI to deliver ZiChatBot malware
Securelist
06 May 2026
SEV 5/10
OceanLotus suspected of distributing ZiChatBot malware via wheel packages in PyPI | Securelist
Contents: Introduction; Technical details; Spreading; Malicious wheel packages; Initial infection; Windows version; Dropper for ZiChatBot; Linux version; ZiChatBot; Infrastructure; Victims; Attribution; Conclusions; Indicators of compromise
Authors: GReAT
Introduction
Through our daily threat hunting, we noticed that, beginning in July 2025, a series of malicious wheel packages were uploaded to PyPI (the Python Package Index). We shared this information with the public security community, and the malware was removed from the repository. We submitted the samples to Kaspersky Threat Attribution Engine (KTAE) for analysis.
Websites with an undefined trust level: avoiding the trap
Securelist
06 May 2026
SEV 4/10
How to spot a suspicious website | Securelist
Contents: Executive summary; Introduction; The dangers of shady websites; Common types of suspicious sites; How to identify suspicious or fraudulent websites; Visual and manual clues; Technical indicators to check; How to protect yourself; Tools and databases for detecting suspicious websites; Preventive measures; An overview of detection statistics for sites with an undefined trust level; Most visited suspicious sites; Africa; MENA; Latin America; East Asia; South Asia; CIS; Europe; Canada; Oceania; Conclusion
Authors: Lama Saqqour, Anna Larkina
Executive summary
A suspicious website is a web resource that cannot be definitively classified as phishing, but whose activities are unsafe. Such sites manipulate users, tricking them into voluntarily transferring money for non-existent services, signing up for hidden subscriptions, or disclosing personal data through carefully crafted terms of service. These include fake online stores, dubious crypto exchanges, investment platforms, and services with paid subscriptions.
“Legitimate” phishing: how attackers weaponize Amazon SES to bypass email security
Securelist
04 May 2026
SEV 4/10
Phishing campaigns and BEC attacks through Amazon SES | Securelist
Contents: Introduction; The dangers of Amazon SES abuse; How compromise happens; Examples of phishing with Amazon SES; Amazon SES and BEC; Takeaways
Authors: Roman Dedenok
Introduction
The primary goal for attackers in a phishing campaign is to bypass email security and trick the potential victim into revealing their data. To achieve this, scammers employ a wide range of tactics, from redirect links to QR codes. Additionally, they heavily rely on legitimate sources for malicious email campaigns.
Silver Fox uses the new ABCDoor backdoor to target organizations in Russia and India
Securelist
30 Apr 2026
SEV 5/10
Analyzing the Silver Fox tax campaign and the new ABCDoor backdoor | Securelist
Contents: Email campaign; RustSL loader; Silver Fox RustSL; The steganography.rs module; Encrypted malicious payload format; The guard.rs module; Phantom Persistence; Attack chain and payloads; Custom ValleyRAT modules; ABCDoor Python backdoor; ABCDoor versions; Evolution of ABCDoor distribution methods; Victims; Conclusion; Detection by Kaspersky solutions; Indicators of compromise
Authors: Anton Kargin, Vladimir Gursky, Victoria Vlasova, Anna Lazaricheva
In December 2025, we detected a wave of malicious emails designed to look like official correspondence from the Indian tax service. A few weeks later, in January 2026, a similar campaign began targeting Russian organizations. We have attributed this activity to the Silver Fox threat group.
PhantomRPC: A new privilege escalation technique in Windows RPC
Securelist
24 Apr 2026
SEV 4/10
Disclosing PhantomRPC – a privilege escalation vulnerability in RPC | Securelist
Contents: Intro; MSRPC; Impersonation in Windows; Interaction between Group Policy service and TermService; Coercing the Group Policy service; RPC architecture flow; Identifying RPC calls to unavailable servers; Additional privilege escalation paths; User interaction: From Edge to RDP; Background services: From WDI to RDP; Abusing the Local Service account: From ipconfig to DHCP; Abusing Time; Vulnerability disclosure; Detection and defense; Conclusion
Authors: Haidar Kabibo
Intro
Windows Interprocess Communication (IPC) is one of the most complex technologies within the Windows operating system. At the core of this ecosystem is the Remote Procedure Call (RPC) mechanism, which can function as a standalone communication channel or as the underlying transport layer for more advanced interprocess communication technologies. Because of its complexity and widespread use, RPC has historically been a rich source of security issues.
FakeWallet crypto stealer spreading through iOS apps in the App Store
Securelist
20 Apr 2026
SEV 5/10
FakeWallet crypto stealer spreading in the App Store | Securelist
Contents: Technical details; Background; Malicious modules for hot wallets; The Ledger wallet malicious module; Other distribution channels, platforms, and the SparkKitty link; Victims; Attribution; Conclusion; Indicators of compromise
Authors: Sergey Puzan
In March 2026, we uncovered more than twenty phishing apps in the Apple App Store masquerading as popular crypto wallets. Once launched, these apps redirect users to browser pages designed to look similar to the App Store and that distribute trojanized versions of legitimate wallets. The infected apps are specifically engineered to hijack recovery phrases and private keys.