The Device Code Phishing Tsunami: What We’re Seeing in the Wild
June 09, 2026 | John Kevin Adriano
macOS ClickFix Social Engineering Campaigns
June 04, 2026 | Maor Gabay
Overview: The "ClickFix" threat landscape has undergone a significant ...
The Demon Arrives Later: A Havoc Stager Hides Behind Microsoft Defender DLP
June 03, 2026 | Jose Martin
In Brazil, Nota Fiscal eletrônica (NF-e) is the everyday name for an official ...
Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign
May 28, 2026 | Maor Gabay
We recently observed a multi-stage macOS intrusion campaign conducted by the ...
From WinRE to SYSTEM: Hunting CVE-2026-45585 Exploitation and the MiniPlasma Attack Chain
May 22, 2026 | Serhii Melnyk
Since April 2026, LevelBlue SpiderLabs’ Cyber Threat Intelligence team has ...
YellowKey and GreenPlasma: Two New Windows Zero-Days Unveiled
May 19, 2026 | James Ballantyne
Two novel Windows zero-day vulnerabilities dubbed YellowKey, which bypasses ...
Inside Vect Ransomware-as-a-Service
April 30, 2026 | SpiderLabs Researcher
Vect ransomware, a new group that emerged in January 2026, has recently begun ...
Hacking Hotels via Smart Stationary Bikes: How Unsecured Gym Equipment Can Lead to RCE
April 29, 2026 | John Lopez
Internet of Things (IoT) systems in hospitality environments are often ...
Go With the Flow: Abusing OAuth Device Code Flow
April 20, 2026 | Jakub Wiewiorski
In early 2026, phishing attacks are still among the top contributors to the ...
RedSun and the Expanding Risk Window: Why Microsoft Defender Patching Can’t Wait
April 17, 2026
A newly disclosed zero-day vulnerability, dubbed RedSun, is raising fresh ...
Why Attackers Are Bypassing Phishing Emails and Targeting Identity Instead
April 13, 2026 | Jamie Mamroe
One of the fastest growing initial access techniques we are seeing right now is ...
Err-Hiding and Seek: How ErrTraffic v3 Leverages EtherHiding in ClickFix Campaign
April 09, 2026 | King Orande and Cris Tomboc
The LevelBlue SpiderLabs team examined the latest version of ErrTraffic, which ...
Major Supply Chain Compromise in the Popular axios npm Package
April 03, 2026 | Karl Sigler
On March 30, 2026, two malicious versions of the widely used axios HTTP client ...
Using RF Power Levels to Defeat MAC Address Randomization Enabling Passive Device Tracking
March 31, 2026 | Tom Neaves
I came up with a theory (based on science) that it may be possible to passively ...
Fake CAPTCHA Campaign: Inside a Multi-Stage Stealer Assault
March 19, 2026 | Shabtay Barel, Serhii Melnyk, Rodel Mendrez
This report expands LevelBlue’s ongoing investigation into a multi-stage ...
Discover and Exploit: Memory Corruption in CUPS (CVE-2025-61915)
March 05, 2026 | Ariel Silver
CVE-2025-61915 is a stack-based out-of-bounds write bug in CUPS. An unauthorized ...
From Shadow IT to GhostOps: The Rise of Unauthorized AI Agents in the Enterprise
February 24, 2026 | Grant Hutchons
If you have worked in enterprise IT for long enough, you have lived through the ...
How ClickFix Opens the Door to Stealthy StealC Information Stealer
February 12, 2026 | Rodel Mendrez
This analysis examines a complete attack chain targeting Windows systems ...
Notepad-Plus Fuss: Notepad++ Supply Chain Attack Analysis
February 10, 2026 | King Orande
LevelBlue SpiderLabs’ Cyber Threat Intelligence Team investigated the ongoing ...
LockBit 5.0 Introduces New Features: ChaCha20 Encryption, Stealthy Installation, and Anti-Analysis to Target Windows, Linux, and ESXi Environments
January 30, 2026 | SpiderLabs Researcher
The prolific LockBit ransomware-as-a-service (RaaS) group shows its dedication ...
19 Shades of LockBit5.0, Inside the Latest Cross-Platform Ransomware’s Newest Leaked Samples: Part 1
January 30, 2026 | Mark Tsipershtein, Evgeny Ananin, Nikita Kazymirskyi
This three-part blog series presents an analysis of 19 samples of a ...
The Hard Lessons Learned by Analyzing Education Sector Cyberattacks
January 26, 2026
In the last quarter of 2025, LevelBlue SpiderLabs used telemetry from the ...
CVE-2009-0556: The 2009 PowerPoint Bug that Refuses to Die
January 23, 2026 | Messiah Dela Cruz
In 2009, LevelBlue Vice President of Security Research Ziv Mador and Cristian ...
Ni8mare on Automation Street: When Workflows Turn Into an Attack Path
January 15, 2026 | Nikita Kazymirskyi
CVE-2026-21858 (Ni8mare) is a maximum-severity vulnerability in self-hosted n8n ...
A 2025 Threat Trends Analysis
December 22, 2025 | Andrea Martinez and Peter Connolly
As 2025 winds down and cruises into the holiday season, it’s a good time to ...
Holiday Fraud 2025: Gift Card Schemes Exploiting Seasonal Shopping
December 19, 2025 | Serhii Melnyk
Children with a vision of a huge payout from Santa Claus are not the only ones ...
A Rising Tide of Threats: The Offshore Energy Industry’s Threat Landscape
December 12, 2025
Key Findings:
Threat Intelligence News from LevelBlue SpiderLabs December 2025
December 12, 2025
LevelBlue SpiderLabs is the threat intelligence unit of LevelBlue and includes ...