Yesterday we published a short write-up about the malicious VS Code extension posing as “Material Icon Theme”. That post covered the discovery, the extension’s release timeline, and the fact that version 5.29.1 shipped with two Rust implants. This follow-up focuses on...
Recently, we investigated a highly sophisticated malware campaign that combines multiple layers of obfuscation, endpoint security tampering, and kernel-level tricks. The operators hide behind repackaged installers for popular tools such as Telegram, WinSCP, Google...
Over the last weeks we’ve been running a new internal artifact-scanning service across several large ecosystems. It’s still growing feature-wise, LLM scoring and a few other bits are being added, but the core pipeline is already pulling huge amounts of stuff every...
Our analysis uncovered a phishing campaign targeting organizations in India, leveraging spear-phishing techniques reminiscent of Operation Sindoor. What makes this activity stand out is the use of a Linux-focused infection method that relies on weaponized .desktop...
Many of our customers value the broad module support and high detection coverage found in our professional-grade products. However, we are also committed to continuously improving our free tools, ensuring that the gap in detection capabilities does not grow too wide....
As part of our ongoing threat hunting efforts, we identified a stealthy Linux backdoor that appears to have gone publicly unnoticed so far. We named it Plague. The implant is built as a malicious PAM (Pluggable Authentication Module), enabling attackers to silently...
Aurora is a lightweight endpoint agent that applies Sigma rules and IOCs directly to Windows system events reconstructed from Event Tracing for Windows (ETW). Unlike traditional logging tools or Sysmon, Aurora subscribes to raw ETW streams and transforms them into...
The recently exploited SharePoint vulnerability chain known as ToolShell (CVE-2025-53770) has shown once again that patching alone isn't enough. Attackers gained unauthenticated remote access to vulnerable on-premises SharePoint servers, planted web shells, and...
We are excited to announce a strategic partnership between Nextron Systems and Threatray AG. This collaboration aims to significantly enhance our existing threat detection capabilities and further improve the precision and sensitivity of our detection signatures....
Antivirus engines and EDRs have their place – no doubt. But what happens when malware simply slips through their nets? What if the malicious file was never executed? What if the incident happened months ago? That’s where THOR comes in. Our compromise assessment...
Abuse of Modular Trust PAM (Pluggable Authentication Modules) is a fundamental part of Linux authentication infrastructure. Its flexibility - designed to support various authentication mechanisms - can be exploited by adversaries. In our analysis, we encountered a...
In this analysis, we will delve into the technical details of Katz Stealer, a credential-stealing malware as a service. We will explore its infection chain and the various techniques it employs to evade detection and exfiltrate sensitive data. We will also discuss...