Nextron Systems supports teams participating in Locked Shields, one of the most advanced and large-scale live-fire cyber defence exercises. Organised by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), the exercise brings together multinational blue...
AIX is still running critical workloads in finance, manufacturing, and other industries that value stability over frequent platform churn. The uncomfortable part is that many security programs treat these systems as “special cases” - meaning they often end up outside...
Executive Summary This report analyzes RegPhantom, a stealthy Windows kernel rootkit designed to give attackers code execution in kernel mode while leaving very little visible evidence behind. The malware abuses the Windows registry as a covert trigger mechanism: a...
With ASGARD Analysis Cockpit 4.4, we deliver a release that clearly focuses on more efficient analysis, more precise searches, and better prioritization of relevant events. At its core, this version introduces a powerful new query language, complemented by targeted...
Over the past few months, we have analyzed many infection chains that all start in a very similar way: malicious advertisements placed on legitimate websites. These ads lure users into downloading "converter" tools that promise to convert images or documents (for...
In our previous publication, we detailed our internal artifact-scanning service that continuously monitors packages from multiple sources to detect malicious packages and supply chain attacks. While this automated scanning capability has proven invaluable for threat...
Over the past days, many of our customers have seen reports about a critical remote code execution vulnerability in React Server Components (CVE-2025-55182) and the related Next.js vulnerability (CVE-2025-66478). These issues have received a lot of attention and have...
Yesterday we published a short write-up about the malicious VS Code extension posing as “Material Icon Theme”. That post covered the discovery, the extension’s release timeline, and the fact that version 5.29.1 shipped with two Rust implants. This follow-up focuses on...
Recently, we investigated a highly sophisticated malware campaign that combines multiple layers of obfuscation, endpoint security tampering, and kernel-level tricks. The operators hide behind repackaged installers for popular tools such as Telegram, WinSCP, Google...
Over the last weeks we’ve been running a new internal artifact-scanning service across several large ecosystems. It’s still growing feature-wise, LLM scoring and a few other bits are being added, but the core pipeline is already pulling huge amounts of stuff every...
As someone who has spent many years researching attacks and supporting incident response teams, I’ve seen one question come up again and again: How do we return to a verified clean state after an intrusion? In every ransomware case, in every targeted espionage...
After many years of successful collaboration, Nextron Systems and BETTA Security are pleased to announce a deepening of their partnership on the occasion of it-sa 2025. Nextron Systems, a software group backed by private equity investor BID Equity, has acquired a...
As a trusted provider of advanced compromise assessment tools, Nextron Systems will be present at it-sa 2025, Europe’s leading trade fair for IT security. Join us in Hall 7 at Stand 7-353 to learn more about our portfolio of forensic cybersecurity solutions developed...
Citrix NetScaler appliances are under active attack through CVE-2025-7775 and related vulnerabilities. Even fully patched systems may already be compromised. This post explains how Nextron’s THOR provides agentless compromise detection with YARA and IOC scans — a proven method for identifying webshells, backdoors, and post-exploit artifacts.
Our analysis uncovered a phishing campaign targeting organizations in India, leveraging spear-phishing techniques reminiscent of Operation Sindoor. What makes this activity stand out is the use of a Linux-focused infection method that relies on weaponized .desktop...