Stan Ghouls targeting Russia and Uzbekistan with NetSupport RAT
We analyze the recent Stan Ghouls campaign targeting organizations in Russia and Uzbekistan: Java-based loaders, the NetSupport RAT, and a potential interest in IoT.
Spam and phishing in 2025
The report contains statistics on spam and phishing in 2025, outlining the main trends: phishing and scam QR codes, ClickFix attacks, ChatGPT subscription lures and others.
The game is over: when “free” comes at too high a price. What we know about RenEngine
We disclose new details about campaigns involving RenEngine and HijackLoader malware. Since March 2025, attackers have been distributing the Lumma stealer in a complex chain of infections, and in February 2026, ongoing attacks using ACR Stealer became known.
Why Smart People Fall For Phishing Attacks
Why do successful phishing attacks target our psychology rather than just our software? Discover Unit 42’s latest insights on defeating social engineering and securing your digital life. The post Why Smart People Fall For Phishing Attacks appeared first on Unit 42.
The Shadow Campaigns: Uncovering Global Espionage
In 2025 a threat group compromised government and critical infrastructure in 37 countries, with reconnaissance in 155. The post The Shadow Campaigns: Uncovering Global Espionage appeared first on Unit 42.
Novel Technique to Detect Cloud Threat Actor Operations
We introduce a novel method that maps cloud alert trends to MITRE ATT&CK techniques. The patterns created could identify threat actors by behavior. The post Novel Technique to Detect Cloud Threat Actor Operations appeared first on Unit 42.
A Peek Into Muddled Libra’s Operational Playbook
Explore the tools Unit 42 found on a Muddled Libra rogue host. Learn how they target domain controllers and use search engines to aid their attacks. The post A Peek Into Muddled Libra’s Operational Playbook appeared first on Unit 42.
Nation-State Actors Exploit Notepad++ Supply Chain
Unit 42 reveals new infrastructure associated with the Notepad++ attack. This expands understanding of threat actor operations and malware delivery. The post Nation-State Actors Exploit Notepad++ Supply Chain appeared first on Unit 42.
No Place Like Home Network: Disrupting the World's Largest Residential Proxy Network
Introduction This week Google and partners took action to disrupt what we believe is one of the largest residential proxy networks in the world, the IPIDEA proxy network. IPIDEA’s proxy infrastructure is a little-known component of the digital ecosystem leveraged by a wide array
Vishing for Access: Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft
Introduction Mandiant has identified an expansion in threat activity that uses tactics, techniques, and procedures (TTPs) consistent with prior ShinyHunters-branded extortion operations. These operations primarily leverage sophisticated voice phishing (vishing) and victim-brande
Guidance from the Frontlines: Proactive Defense Against ShinyHunters-Branded Data Theft Targeting SaaS
Introduction Mandiant is tracking a significant expansion and escalation in the operations of threat clusters associated with ShinyHunters-branded extortion. As detailed in our companion report, 'Vishing for Access: Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft',
Please Don’t Feed the Scattered Lapsus ShinyHunters
A prolific data ransom gang that calls itself Scattered Lapsus ShinyHunters (SLSH) has a distinctive playbook when it seeks to extort payment from victim firms: Harassing, threatening and even swatting executives and their families, all while notifying journalists and regulators…