The Device Code Phishing Tsunami: What We’re Seeing in the Wild
June 09, 2026 | John Kevin Adriano
macOS ClickFix Social Engineering Campaigns
June 04, 2026 | Maor Gabay
Overview: The "ClickFix" threat landscape has undergone a significant ...
ClickFix Is Now Hiring: From Job Platform Impersonation to Python-Based RAT Delivery
June 04, 2026 | King Orande and Cris Tomboc
The LevelBlue OpsIntel CTI team examined the latest version of the ClickFix ...
The Demon Arrives Later: A Havoc Stager Hides Behind Microsoft Defender DLP
June 03, 2026 | Jose Martin
In Brazil, Nota Fiscal eletrônica (NF-e) is the everyday name for an official ...
Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign
May 28, 2026 | Maor Gabay
We recently observed a multi-stage macOS intrusion campaign conducted by the ...
From WinRE to SYSTEM: Hunting CVE-2026-45585 Exploitation and the MiniPlasma Attack Chain
May 22, 2026 | Serhii Melnyk
Since April 2026, LevelBlue SpiderLabs’ Cyber Threat Intelligence team has ...
YellowKey and GreenPlasma: Two New Windows Zero-Days Unveiled
May 19, 2026 | James Ballantyne
Two novel Windows zero-day vulnerabilities dubbed YellowKey, which bypasses ...
A Closer Look at The Gentlemen’s Alleged Leak
May 18, 2026 | Arthur Erzberger
Executive Summary: The Gentlemen is an active ransomware and extortion operation ...
Threat Analysis: Backdoored Electron Apps Evading Defenses
May 08, 2026 | Michael Morose
This Threat Analysis report is part of the “Purple Team Series” in which the ...
Unmasking a Multi-Stage Loader: AutoIt Abuse Leading to Vidar Stealer Command-and-Control Communication
May 07, 2026 | Mahadev Joshi
LevelBlue’s Security Services issues Threat Analysis reports to inform on ...
LevelBlue TTP Briefing Q1 2026: Trust Abuse Exposes Weaknesses
May 05, 2026
Explore the latest trends, techniques, and procedures (TTPs) our incident ...
Inside Vect Ransomware-as-a-Service
April 30, 2026 | SpiderLabs Researcher
Vect ransomware, a new group that emerged in January 2026, has recently begun ...
Crypto Drainers as a Converging Threat: Insights into Emerging Hybrid Attack Ecosystems
April 23, 2026 | Serhii Melnyk, King Orande, Cris Tomboc, Sean Shirley
LevelBlue SpiderLabs’ Cyber Threat Intelligence Team continues to observe a ...
A Closer Look at the Novel and Stealthy KarstoRAT Malware
April 21, 2026 | Chen Aviani
For almost three decades now, threat actors have used remote access trojans ...
Go With the Flow: Abusing OAuth Device Code Flow
April 20, 2026 | Jakub Wiewiorski
In early 2026, phishing attacks are still among the top contributors to the ...
RedSun and the Expanding Risk Window: Why Microsoft Defender Patching Can’t Wait
April 17, 2026
A newly disclosed zero-day vulnerability, dubbed RedSun, is raising fresh ...
Why Attackers Are Bypassing Phishing Emails and Targeting Identity Instead
April 13, 2026 | Jamie Mamroe
One of the fastest growing initial access techniques we are seeing right now is ...
Trojanized CPUID HWMonitor Installer Delivers Fileless .NET Payload via Obfuscated IPv6 Scriptlet
April 10, 2026 | Sean Shirley
Overview: Recent reporting has identified a trojanized version of the CPUID ...
Axios NPM Package Supply Chain Compromise Leads to RAT Deployment
April 09, 2026 | Mahadev Joshi and Sho Kishimoto
KEY OBSERVATIONS: Malicious Package Versions Identified: Malicious versions of ...
Err-Hiding and Seek: How ErrTraffic v3 Leverages EtherHiding in ClickFix Campaign
April 09, 2026 | King Orande and Cris Tomboc
The LevelBlue SpiderLabs team examined the latest version of ErrTraffic, which ...
Major Supply Chain Compromise in the Popular axios npm Package
April 03, 2026 | Karl Sigler
On March 30, 2026, two malicious versions of the widely used axios HTTP client ...
Using RF Power Levels to Defeat MAC Address Randomization Enabling Passive Device Tracking
March 31, 2026 | Tom Neaves
I came up with a theory (based on science) that it may be possible to passively ...
“Say My Name”: How MioLab is building MacOS Stealer Empire
March 20, 2026 | Mark Tsipershtein and Evgeny Ananin
As Apple computer’s market share continues to grow, threat actors are ...
Fake CAPTCHA Campaign: Inside a Multi-Stage Stealer Assault
March 19, 2026 | Shabtay Barel, Serhii Melnyk, Rodel Mendrez
This report expands LevelBlue’s ongoing investigation into a multi-stage ...
KongTuke: A King Among Threat Groups
March 18, 2026
This blog is the latest in a series that delves into the deep research ...
How LevelBlue OTX and Cybereason XDR Detected a North Korea-Linked Remote IT Worker
March 17, 2026 | Tue Luu
Talk about dodging the insider threat from hell. From August 15 to 25, 2025, ...
Epic Fury Update: Stryker Attack Highlights Handala's Shift from Espionage to Disruption
March 12, 2026 | Arthur Erzberger
On March 11, 2026, the medical technology vendor Stryker disclosed a global ...
Weaponizing Safe Links: Abuse of Multi-Layered URL Rewriting in Phishing Attacks
March 12, 2026 | John Kevin Adriano
In 2024, threat actors were already abusing URL rewriting mechanisms in ...