Malware Analysis

Ukraine’s Computer Emergency Response Team (CERT-UA) has revealed details of a series of new cyberattacks targeting its defense forces and state institutions. These attacks, which took place between October and December 2025, involve various intrusion techniques and several malware families, including one known as PLUGGYAPE. PLUGGYAPE attacks attributed to Void Blizzard Among the most notable attacks are those distributing the PLUGGYAPE malware, attributed with “medium confidence” to the Russian hacking group Void Blizzard (also known as Laundry Bear or UAC-0190), active since at least April 2024. ...

What are TLS Callbacks? Thread Local Storage (TLS) is a Windows operating system mechanism that allows each thread in a process to have its own copy of specific variables. To support this, Windows PE (Portable Executable) executable files contain a TLS directory (IMAGE_TLS_DIRECTORY). This directory not only describes where the TLS data is stored and its size, but also includes a list of callback functions. TLS callbacks are an execution mechanism that allows code to run automatically when a process or thread starts, even before the program’s normal entry point (main or WinMain for EXEs, or DllMain for DLLs) is reached. ...

Recent research has revealed the existence of four distinct threat activity groups that are leveraging a malware loader known as CastleLoader. This evidence reinforces previous assessment that the tool is offered to other cybercriminals under a malware-as-a-service (MaaS) model. The threat actor behind CastleLoader has been identified by Recorded Future’s Insikt Group as GrayBravo, previously tracked as TAG-150. GrayBravo’s Profile GrayBravo is a threat actor characterized by: Rapid development cycles. Technical sophistication. Responsiveness to public reports. An expansive and constantly evolving infrastructure. Tools and Frameworks GrayBravo’s toolset includes several key pieces of malware: ...

A joint investigation by Amnesty International, Haaretz, Inside Story and Inside IT has revealed that the human rights lawyer from Balochistan province, Pakistan, was the target of Intellexa’s Predator spyware. This incident marks the first time that a member of civil society in Pakistan has been targeted by this surveillance tool. The attack was carried out using a suspicious link sent by WhatsApp, which Amnesty International identified as an “attempted Predator attack” based on its technical behavior and characteristics. ...

Phishing kits typically have distinctive signatures in their delivery methods and infrastructure, making attribution easier. However, analysts have recently observed an overlap between two phishing kits such as Salty2FA and Tycoon2FA, marking a significant change that complicates detection. ANY.RUN observed a sudden drop in Salty2FA activity, followed by the appearance of Tycoon2FA indicators within Salty attack chains. Finally, unique payloads were detected that combined code from both frameworks. This convergence weakens kit-specific detection rules and gives threat actors more leeway to evade early detection. ...