Crypto Drainers as a Converging Threat: Insights into Emerging Hybrid Attack Ecosystems
April 23, 2026 | Serhii Melnyk, King Orande, Cris Tomboc, Sean Shirley
A Closer Look at the Novel and Stealthy KarstoRAT Malware
April 21, 2026 | Chen Aviani
For almost three decades now, threat actors have used remote access trojans ...
Go With the Flow: Abusing OAuth Device Code Flow
April 20, 2026 | Jakub Wiewiorski
In early 2026, phishing attacks are still among the top contributors to the ...
RedSun and the Expanding Risk Window: Why Microsoft Defender Patching Can’t Wait
April 17, 2026
A newly disclosed zero-day vulnerability, dubbed RedSun, is raising fresh ...
Why Attackers Are Bypassing Phishing Emails and Targeting Identity Instead
April 13, 2026 | Jamie Mamroe
One of the fastest growing initial access techniques we are seeing right now is ...
Trojanized CPUID HWMonitor Installer Delivers Fileless .NET Payload via Obfuscated IPv6 Scriptlet
April 10, 2026 | Sean Shirley
Overview Recent reporting has identified a trojanized version of the CPUID ...
Axios NPM Package Supply Chain Compromise Leads to RAT Deployment
April 09, 2026 | Mahadev Joshi and Sho Kishimoto
KEY OBSERVATIONS Malicious Package Versions Identified: Malicious versions of ...
Err-Hiding and Seek: How ErrTraffic v3 Leverages EtherHiding in ClickFix Campaign
April 09, 2026 | King Orande and Cris Tomboc
The LevelBlue SpiderLabs team examined the latest version of ErrTraffic, which ...
Major Supply Chain Compromise in the Popular axios npm Package
April 03, 2026 | Karl Sigler
On March 30, 2026, two malicious versions of the widely used axios HTTP client ...
Using RF Power Levels to Defeat MAC Address Randomization Enabling Passive Device Tracking
March 31, 2026 | Tom Neaves
I came up with a theory (based on science) that it may be possible to passively ...
“Say My Name”: How MioLab is building MacOS Stealer Empire
March 20, 2026 | Mark Tsipershtein and Evgeny Ananin
As Apple computers’ market share continues to grow, threat actors are ...
Fake CAPTCHA Campaign: Inside a Multi-Stage Stealer Assault
March 19, 2026 | Shabtay Barel, Serhii Melnyk, Rodel Mendrez
This report expands LevelBlue’s ongoing investigation into a multi-stage ...
KongTuke: A King Among Threat Groups
March 18, 2026
This blog is the latest in a series that delves into the deep research ...
How LevelBlue OTX and Cybereason XDR Detected a North Korea-Linked Remote IT Worker
March 17, 2026 | Tue Luu
Talk about dodging the insider threat from hell. From August 15 to 25, 2025, ...
Epic Fury Update: Stryker Attack Highlights Handala's Shift from Espionage to Disruption
March 12, 2026 | Arthur Erzberger
On March 11, 2026, the medical technology vendor Stryker disclosed a global ...
Weaponizing Safe Links: Abuse of Multi-Layered URL Rewriting in Phishing Attacks
March 12, 2026 | John Kevin Adriano
In 2024, threat actors were already abusing URL rewriting mechanisms in ...
Beware the ClickFix Trap: REMCOS RAT Hiding in “Helpful” PUAs
March 09, 2026 | Hema Loganathan
Cybereason GSOC has observed a notable increase in infections involving REMCOS ...
LevelBlue SpiderLabs Breaks Down the Role of Cyber Operations Taken in the Iran Crisis
March 04, 2026 | Gal Romano
As combat operations that began on February 28 with joint US-Israeli strikes on ...
Operation Epic Fury: From Regional Escalation to Global Cyber Risk
March 03, 2026 | LevelBlue SpiderLabs
In light of escalating geopolitical tensions involving the United States, ...
From Shadow IT to GhostOps: The Rise of Unauthorized AI Agents in the Enterprise
February 24, 2026 | Grant Hutchons
If you have worked in enterprise IT for long enough, you have lived through the ...
How ClickFix Opens the Door to Stealthy StealC Information Stealer
February 12, 2026 | Rodel Mendrez
This analysis examines a complete attack chain targeting Windows systems ...
Stealerium Unmasked: Inside a Multi-Lure, Multi-Stage Stealer Campaign
February 11, 2026 | Bernard Bautista
In this investigation, we tracked a malware spam campaign that ultimately ...
Notepad-Plus Fuss: Notepad++ Supply Chain Attack Analysis
February 10, 2026 | King Orande
LevelBlue SpiderLabs’ Cyber Threat Intelligence Team investigated the ongoing ...
LockBit 5.0 Introduces New Features: ChaCha20 Encryption, Stealthy Installation, and Anti-Analysis to Target Windows, Linux, and ESXi Environments
January 30, 2026 | SpiderLabs Researcher
The prolific LockBit ransomware-as-a-service (RaaS) group shows its dedication ...
19 Shades of LockBit 5.0, Inside the Latest Cross-Platform Ransomware’s Newest Leaked Samples: Part 1
January 30, 2026 | Mark Tsipershtein, Evgeny Ananin, Nikita Kazymirskyi
This three-part blog series presents an analysis of 19 samples of a ...
Scenario 3: SOC/SIEM Takes in and Summarizes Windows Events (Log Files)
January 29, 2026 | Tom Neaves
In September last year I penned this blog Rogue AI Agents In Your SOCs and ...
CVE-2009-0556: The 2009 PowerPoint Bug that Refuses to Die
January 23, 2026 | Messiah Dela Cruz
In 2009, LevelBlue Vice President of Security Research Ziv Mador and Cristian ...
BEC Email Trends: Attacks up 15% in 2025
January 13, 2026 | Katrina Udquin
Business Email Compromise (BEC) is a sophisticated form of phishing attack in ...