securelist.com
Actions
Media Outlet details
| Scope | N/A |
|---|---|
| Language | English |
| Country | Russia |
|
Similarweb UVM |
Request pricing |
|
Comscore UVM |
Request pricing |
Recent Articles
Search ArticlesHelloNet campaign — new malicious modules launched through the ViPNet update system
UPD 16.07.2026: Added detection rules and examples using KEDR Expert. UPD 16.07.2026: Added detection of the malicious campaign in network traffic using Kaspersky Anti Targeted Attack (KATA) with the NDR module. UPD 16.07.2026: Updated the list of Indicators of Compromise (IoCs) and TTPs. We discovered a new APT attack using previously unknown tooling, which started at least in May 2026 and remains active at the time of publication.
GoSerpent: a persistent threat evolves with sophisticated data collection and exfiltration
Introduction In February 2026 we discovered a set of malicious activities that have been ongoing since late 2025. These activities involved a RAT module written in Go with proxy capabilities, serving as the main stage of the attack. The attack targeted government and diplomatic entities in Southeast Asia and showed a level of sophistication which caught our attention.
OkoBot: new sophisticated malware framework targets cryptocurrency users
Introduction In January 2026, we identified multiple attacks involving unknown malware that captures the contents of cryptocurrency wallet windows. During the investigation, we reconstructed the complete infection chain, which consisted of four tightly linked stages initiated by the execution of the previously described malicious PowerShell script TookPS.
Threat landscape for industrial automation systems. Q1 2026
All threats The percentage of ICS computers on which malicious objects were blocked continued to decrease, reaching 19.6% in Q1 2026. This is the lowest value in three years, and it is 1.4 times lower than in Q2 2023. Percentage of ICS computers on which malicious objects were blocked, Q2 2023–Q1 2026 Regionally, the percentages ranged from 9.1% in Northern Europe to 27.4% in Africa.
Securing the pipeline: 2026 supply chain threats
Supply chain attacks are no longer a theoretical threat – they have rapidly evolved into a primary weapon against corporate infrastructure. Since mid-2025, the industry has witnessed a massive surge in targeted compromises, spanning from high-profile incidents like the Shai-Hulud worm to sophisticated campaigns leveraging GlassWorm via GitHub, npm, and VS Code.
When checking the URL isn’t enough: a Device Code Phishing attack via a Microsoft website
One of the most common pieces of anti-phishing advice is to double-check the website’s domain name before providing your credentials. Typically, a fraudulent domain stands out to the trained eye, differing from the official URL by at least a few characters.
Armored Likho digging a snake pit: inside the covert BusySnake Stealer campaign
Introduction During our routine threat monitoring, we uncovered a new phishing campaign tied to a previously unknown APT group that we dubbed Armored Likho (also known as Eagle Werewolf based on circumstantial evidence). This targeted campaign focuses heavily on government agencies and the electric power sector. The geographical footprint of these attacks spans Russia, Brazil, and Kazakhstan, establishing the group as a global threat actor.
Missed incidents, persistent threats, and response gaps: Insights from compromise assessment projects
The following analysis presents the key findings from Kaspersky Compromise Assessment engagements performed in 2025. A compromise assessment is an independent, expert-driven service that examines whether a target network has been compromised. The service combines threat intelligence analysis (including darknet sources), tool-aided endpoint scanning, a systematic review of security event logs and network traffic, and, when necessary, an initial incident response and digital forensic investigation.
The SOC Files: ScreenConnect masked as freeware. An inside look at a large-scale campaign
Introduction To access compromised systems, threat actors frequently abuse legitimate remote monitoring tools. At first glance, these utilities rarely raise red flags: they are signed with valid digital certificates, often allowlisted under corporate IT policies, and fully supported by OS vendors. However, they grant attackers the ability to harvest data from target devices, drop malware, and move laterally across the network.
ToddyCat: your hidden email assistant. Part 2
Introduction We continue to share details on the malicious techniques and toolsets used by the ToddyCat APT group. In the first part of this report, we examined the group’s attacks aimed at stealing data from browsers, as well as from local and cloud email services. The methods used in that campaign indicated that ToddyCat was attempting to access corporate correspondence while evading monitoring tools.