SpiderLabs Blog
Explore the latest threats, critical vulnerability disclosures, cutting-edge research, and intelligence from our elite global threat experts.
The Demon Arrives Later: A Havoc Stager Hides Behind Microsoft Defender DLP
June 03, 2026 | Jose Martin
Stay Informed
Sign up to receive the latest security news and trends straight to your inbox from LevelBlue.
Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign
May 28, 2026 | Maor Gabay
We recently observed a multi-stage macOS intrusion campaign conducted by the ...
Two Approaches for Offensive Testing of AI Systems: Architecture-led AI Application Penetration Test and Threat-led AI Red Team Assessment
May 27, 2026 | Sarath Nair
Artificial intelligence (AI) is changing the shape of the application attack ...
From WinRE to SYSTEM: Hunting CVE-2026-45585 Exploitation and the MiniPlasma Attack Chain
May 22, 2026 | Serhii Melnyk
Since April 2026, LevelBlue SpiderLabs’ Cyber Threat Intelligence team has ...
YellowKey and GreenPlasma: Two New Windows Zero-Days Unveiled
May 19, 2026 | James Ballantyne
Two novel Windows zero-day vulnerabilities dubbed YellowKey, which bypasses ...
A Closer Look at The Gentlemen’s Alleged Leak
May 18, 2026 | Arthur Erzberger
Executive Summary The Gentlemen is an active ransomware and extortion operation ...
Threat Analysis: Backdoored Electron Apps Evading Defenses
May 08, 2026 | Michael Morose
This Threat Analysis report is part of the “Purple Team Series” in which the ...
Unmasking a Multi-Stage Loader: AutoIt Abuse Leading to Vidar Stealer Command-and-Control Communication
May 07, 2026 | Mahadev Joshi
LevelBlue’s Security Services issues Threat Analysis reports to inform on ...
LevelBlue TTP Briefing Q1 2026: Trust Abuse Exposes Weaknesses
May 05, 2026
Explore the latest trends, techniques, and procedures (TTPs) our incident ...
Inside Vect Ransomware-as-a-Service
April 30, 2026 | SpiderLabs Researcher
Vect ransomware, a new group that emerged in January 2026, has recently begun ...
Hacking Hotels via Smart Stationary Bikes: How Unsecured Gym Equipment Can Lead to RCE
April 29, 2026 | John Lopez
Internet of Things (IoT) systems in hospitality environments are often ...
Crypto Drainers as a Converging Threat: Insights into Emerging Hybrid Attack Ecosystems
April 23, 2026 | Serhii Melnyk, King Orande, Cris Tomboc, Sean Shirley
LevelBlue SpiderLabs’ Cyber Threat Intelligence Team continues to observe a ...
A Closer Look at the Novel and Stealthy KarstoRAT Malware
April 21, 2026 | Chen Aviani
For almost three decades now, threat actors have used remote access trojans ...
Go With the Flow: Abusing OAuth Device Code Flow
April 20, 2026 | Jakub Wiewiorski
In early 2026, phishing attacks are still among the top contributors to the ...
RedSun and the Expanding Risk Window: Why Microsoft Defender Patching Can’t Wait
April 17, 2026
A newly disclosed zero-day vulnerability, dubbed RedSun, is raising fresh ...
Why Attackers Are Bypassing Phishing Emails and Targeting Identity Instead
April 13, 2026 | Jamie Mamroe
One of the fastest growing initial access techniques we are seeing right now is ...
Trojanized CPUID HWMonitor Installer Delivers Fileless .NET Payload via Obfuscated IPv6 Scriptlet
April 10, 2026 | Sean Shirley
Overview Recent reporting has identified a trojanized version of the CPUID ...
Axios NPM Package Supply Chain Compromise Leads to RAT Deployment
April 09, 2026 | Mahadev Joshi and Sho Kishimoto
KEY OBSERVATIONS Malicious Package Versions Identified: Malicious versions of ...
Err-Hiding and Seek: How ErrTraffic v3 Leverages EtherHiding in ClickFix Campaign
April 09, 2026 | King Orande and Cris Tomboc
The LevelBlue SpiderLabs team examined the latest version of ErrTraffic, which ...
Major Supply Chain Compromise in the Popular axios npm Package
April 03, 2026 | Karl Sigler
On March 30, 2026, two malicious versions of the widely used axios HTTP client ...
Using RF Power Levels to Defeat MAC Address Randomization Enabling Passive Device Tracking
March 31, 2026 | Tom Neaves
I came up with a theory (based on science) that it may be possible to passively ...
The Value of Microsoft Security Copilot: SCU Billing and Why Agent Design Matters
March 27, 2026 | David Broggy
Most organizations start by using Microsoft Copilot the way it looks in demos: ...
Azure ServiceBus WebSockets as a C2 Channel
March 24, 2026 | Stuart White
In offensive security, the ability to blend seamlessly with legitimate traffic ...
Tracing a Multi-Vector Malware Campaign: From VBS to Open Infrastructure
March 23, 2026 | Sean Shirley
Recently LevelBlue SpiderLabs initiated an investigation into a multi-stage ...
“Say My Name”: How MioLab is building MacOS Stealer Empire
March 20, 2026 | Mark Tsipershtein and Evgeny Ananin
As Apple computer’s market share continues to grow, threat actors are ...
Fake CAPTCHA Campaign: Inside a Multi-Stage Stealer Assault
March 19, 2026 | Shabtay Barel, Serhii Melnyk, Rodel Mendrez
This report expands LevelBlue’s ongoing investigation into a multi-stage ...
KongTuke: A King Among Threat Groups
March 18, 2026
This blog is the latest in a series that delves into the deep research ...
How LevelBlue OTX and Cybereason XDR Detected a North Korea-Linked Remote IT Worker
March 17, 2026 | Tue Luu
Talk about dodging the insider threat from hell. From August 15 to 25, 2025, ...