Crypto Drainers as a Converging Threat: Insights into Emerging Hybrid Attack Ecosystems
April 23, 2026 | Serhii Melnyk, King Orande, Cris Tomboc, Sean Shirley
A Closer Look at the Novel and Stealthy KarstoRAT Malware
April 21, 2026 | Chen Aviani
For almost three decades now, threat actors have used remote access trojans ...
Go With the Flow: Abusing OAuth Device Code Flow
April 20, 2026 | Jakub Wiewiorski
In early 2026, phishing attacks are still among the top contributors to the ...
RedSun and the Expanding Risk Window: Why Microsoft Defender Patching Can’t Wait
April 17, 2026
A newly disclosed zero-day vulnerability, dubbed RedSun, is raising fresh ...
Why Attackers Are Bypassing Phishing Emails and Targeting Identity Instead
April 13, 2026 | Jamie Mamroe
One of the fastest growing initial access techniques we are seeing right now is ...
Trojanized CPUID HWMonitor Installer Delivers Fileless .NET Payload via Obfuscated IPv6 Scriptlet
April 10, 2026 | Sean Shirley
Overview: Recent reporting has identified a trojanized version of the CPUID ...
Axios NPM Package Supply Chain Compromise Leads to RAT Deployment
April 09, 2026 | Mahadev Joshi and Sho Kishimoto
Key Observations: Malicious Package Versions Identified: Malicious versions of ...
Err-Hiding and Seek: How ErrTraffic v3 Leverages EtherHiding in ClickFix Campaign
April 09, 2026 | King Orande and Cris Tomboc
The LevelBlue SpiderLabs team examined the latest version of ErrTraffic, which ...
Major Supply Chain Compromise in the Popular axios npm Package
April 03, 2026 | Karl Sigler
On March 30, 2026, two malicious versions of the widely used axios HTTP client ...
Using RF Power Levels to Defeat MAC Address Randomization Enabling Passive Device Tracking
March 31, 2026 | Tom Neaves
I came up with a theory (based on science) that it may be possible to passively ...
The Value of Microsoft Security Copilot: SCU Billing and Why Agent Design Matters
March 27, 2026 | David Broggy
Most organizations start by using Microsoft Copilot the way it looks in demos: ...
Azure ServiceBus WebSockets as a C2 Channel
March 24, 2026 | Stuart White
In offensive security, the ability to blend seamlessly with legitimate traffic ...
Tracing a Multi-Vector Malware Campaign: From VBS to Open Infrastructure
March 23, 2026 | Sean Shirley
Recently, LevelBlue SpiderLabs initiated an investigation into a multi-stage ...
“Say My Name”: How MioLab Is Building a macOS Stealer Empire
March 20, 2026 | Mark Tsipershtein and Evgeny Ananin
As Apple computers’ market share continues to grow, threat actors are ...
Fake CAPTCHA Campaign: Inside a Multi-Stage Stealer Assault
March 19, 2026 | Shabtay Barel, Serhii Melnyk, Rodel Mendrez
This report expands LevelBlue’s ongoing investigation into a multi-stage ...
KongTuke: A King Among Threat Groups
March 18, 2026
This blog is the latest in a series that delves into the deep research ...
How LevelBlue OTX and Cybereason XDR Detected a North Korea-Linked Remote IT Worker
March 17, 2026 | Tue Luu
Talk about dodging the insider threat from hell. From August 15 to 25, 2025, ...
Epic Fury Update: Stryker Attack Highlights Handala's Shift from Espionage to Disruption
March 12, 2026 | Arthur Erzberger
On March 11, 2026, the medical technology vendor Stryker disclosed a global ...
Weaponizing Safe Links: Abuse of Multi-Layered URL Rewriting in Phishing Attacks
March 12, 2026 | John Kevin Adriano
In 2024, threat actors were already abusing URL rewriting mechanisms in ...
Beware the ClickFix Trap: REMCOS RAT Hiding in “Helpful” PUAs
March 09, 2026 | Hema Loganathan
Cybereason GSOC has observed a notable increase in infections involving REMCOS ...
Discover and Exploit: Memory Corruption in CUPS (CVE-2025-61915)
March 05, 2026 | Ariel Silver
CVE-2025-61915 is a stack-based out-of-bounds write bug in CUPS. An unauthorized ...
LevelBlue SpiderLabs Breaks Down the Role of Cyber Operations Taken in the Iran Crisis
March 04, 2026 | Gal Romano
As combat operations that began on February 28 with joint US-Israeli strikes on ...
Operation Epic Fury: From Regional Escalation to Global Cyber Risk
March 03, 2026 | LevelBlue SpiderLabs
In light of escalating geopolitical tensions involving the United States, ...
From Shadow IT to GhostOps: The Rise of Unauthorized AI Agents in the Enterprise
February 24, 2026 | Grant Hutchons
If you have worked in enterprise IT for long enough, you have lived through the ...
Phishing with OAuth Redirect
February 18, 2026 | Federico Cedolini
The LevelBlue SpiderLabs team identified phishing emails in January 2026 that ...
Pwning Malware with Ninjas and Unicorns
February 16, 2026 | Cade Wriglesworth
During a DFIR engagement, LevelBlue was asked to assist with reverse ...
How ClickFix Opens the Door to Stealthy StealC Information Stealer
February 12, 2026 | Rodel Mendrez
This analysis examines a complete attack chain targeting Windows systems ...
Stealerium Unmasked: Inside a Multi-Lure, Multi-Stage Stealer Campaign
February 11, 2026 | Bernard Bautista
In this investigation, we tracked a malware spam campaign that ultimately ...