CYFIRMA Research

CYFIRMA
  • 0.0 (0)
  • TECH NEWS
  • UPDATED WEEKLY

Cyber defenders, listen up! The CYFIRMA Research podcast has some juicy intel on the latest cyber threats that are lurking in the shadows. Tune in to this security briefing to stay on top of emerging threats and be ready to tackle digital risk like never before.

  1. 16H AGO

    CYFIRMA Research- APT36: Multi-Vector Execution Malware Campaign Targeting Indian Government Entities

    APT36 Multi-Vector Execution Malware Campaign Targeting Indian Government Entities Researchers at CYFIRMA have identified and analyzed a sophisticated malware campaign attributed to APT36 targeting Indian government entities. The campaign demonstrates a structured, multi-stage infection chain designed for stealth, persistence, and long-term remote access. This campaign reflects a targeted espionage operation leveraging multi-layered execution paths, macro-based staging, and robust RAT functionality to maintain long-term access to compromised systems. Link to the Research Report: APT36 : Multi-Vector Execution Malware Campaign Targeting Indian Government Entities - CYFIRMA #CYFIRMA #ThreatIntelligence #APT36 #CyberSecurity #MalwareAnalysis #RA #CYFIRMAresearch #ExternalThreatLandscapeManagement #ETLM https://www.cyfirma.com/

    6 min

  2. 1D AGO

    CYFIRMA Research- Telegram as the New Operational Layer of Cyber Threat Activity

    The Telegram ecosystem. Ransomware groups, Initial Access Brokers, malware operators, and leak channels are converging on a single platform for coordination, recruitment, validation, and amplification. This isn’t a migration from darknet forums — it’s an operational upgrade.  Link to the Research Report: Telegram as the New Operational Layer of Cyber Threat Activity - CYFIRMA #CyberSecurity #ThreatIntelligence #Ransomware #OSINT #CyberCrime #Telegram #CYFIRMA #CYFIRMAresearch #ExternalTreatLandscapeManagement #ETLM https://www.cyfirma.com/

    10 min

  3. 2D AGO

    CYFIRMA Research- CharlieKirk Grabber: A Python Based infostealer

    Emerging Threat Model: Python-Based Credential Stealer (CharlieKirk Grabber): Recent analysis of a Python-based information stealer highlights the continued growth of modular, builder-driven malware targeting Windows environments. The sample demonstrates how commodity stealers are evolving to combine credential harvesting, system profiling, and cloud-based exfiltration using legitimate services and scripting frameworks. Key observations: • Browser credentials and cookie extraction from Chromium and Gecko-based browsers • Discord token and gaming session harvesting (Steam, Minecraft) • System profiling including OS details, public IP intelligence, and Wi-Fi credentials • Data staging and compression prior to exfiltration via cloud file-sharing services • Configurable builder allowing operators to toggle modules and C2 channels (Discord/Telegram) • Conditional persistence via scheduled task creation and Defender exclusion attempts Why this matters: Modern commodity stealers increasingly rely on scripting languages such as Python and trusted platforms like Discord, Telegram, and public file-hosting services to blend malicious activity into normal encrypted traffic. Modular builder frameworks lower the barrier to entry for threat actors and enable rapid capability expansion across campaigns. Link to the Research Report: CharlieKirk GRABBER : A PYTHON-BASED INFOSTEALER - CYFIRMA #ThreatIntelligence #MalwareAnalysis #CyberSecurity #BlueTeam #DetectionEngineering #OSINT #InfoSec #ExternalThreatLandscapeManagement #ETLM #CYFIRMA #CYFIRMAresearch https://www.cyfirma.com/

    9 min

  4. 6D AGO

    CYFIRMA Research- Tracking Ransomware – January 2026

    Stay ahead with CYFIRMA’s January 2026 Ransomware Threat Report. January 2026 opened with sustained high ransomware activity and sharp operational volatility across major groups. Qilin remained one of the most active actors despite a post-surge decline, while Cl0p executed a dramatic rebound after a December pause, highlighting how quickly campaigns can reactivate at scale. Thegentlemen and Sinobi recorded rapid growth, reinforcing the fluid, affiliate-driven nature of the ecosystem.  Ransomware operations continued shifting toward access-driven and psychology-led extortion, with browser-mediated user interaction, long-lived loaders, and silent data-theft models increasingly replacing exploit-centric attacks. The United States remained the primary global target, followed by Canada, the UK, and Germany, with sustained expansion across Asia-Pacific and the Middle East. Professional services, manufacturing, and information technology were the most impacted sectors, reflecting attackers’ focus on high-leverage, data-rich environments. Link to the Research Report: TRACKING RANSOMWARE : JAN 2026 - CYFIRMA #CyberSecurity #Ransomware #ThreatIntel #ETLM #CYFIRMA #Qilin #Clop  #Sinobi #Thegentlemen #DataExtortion https://www.cyfirma.com/

    3 min

  5. MAR 12

    CYFIRMA Research- LTX Stealer: Analysis of a Node.js–Based Credential Stealer

    Malware Spotlight: LTX Stealer  CYFIRMA researchers uncovered a sophisticated Windows info-stealer hidden in a legit Inno Setup installer. Key takeaways:  🔹 Node.js stealer with Bytenode bytecode obfuscation  🔹 Targets Chromium browsers & crypto wallets  🔹 Persists in hidden/system folders under Program Files(x86)   🔹 Uses Supabase for operator auth + Cloudflare to mask backend  🔹 Commercial-grade Malware-as-a-Service (MaaS) Modern attackers are using trusted installers + runtime decryption to evade detection. Stay vigilant!  Link to the Research Report: LTX Stealer : Analysis of a Node.js–Based Credential Stealer - CYFIRMA #CyberSecurity #MalwareAnalysis #Infostealer #NodeJS #ThreatIntel #MaaS  #CYFIRMA #CYFIRMAresearch #ExternalThreatLandscapeManagement #ETLM https://www.cyfirma.com/

    9 min

  6. MAR 9

    CYFIRMA Research- Re-Emerging Telegram Phishing Campaign Targeting User Authorization Prompts

    CYFIRMA has identified an active Telegram phishing campaign that abuses Telegram’s legitimate login and in-app authorization workflows to fully compromise user accounts without malware or exploits. By leveraging QR codes and manual login flows tied to attacker-controlled Telegram API credentials, victims are tricked into approving genuine authorization prompts inside the Telegram app under false security pretexts. This abuse-of-function approach increases victim trust, enables large-scale global targeting through rapidly rotating domains, and reflects a continued shift toward leveraging legitimate platform features as a primary account takeover vector. Stay vigilant. Authentication prompts are only safe when you initiate the action. Link to the Research Report: Re-Emerging Telegram Phishing Campaign Targeting User Authorization Prompts - CYFIRMA #ThreatIntelligence #Telegram #Phishing #AccountTakeover #CyberSecurity  #SocialEngineering #CYFIRMA #CYFIRMAresearch #ETLM  #ExternalThreatLandscapeManagement https://www.cyfirma.com/

    3 min

  7. MAR 5

    CYFIRMA Research: CVE-2026-23760 – SmarterTools SmarterMail Authentication Bypass Vulnerability

    Critical Alert: CVE-2026-23760 – SmarterMail Pre-Auth Bypass Leading to Full System Compromise Organizations running SmarterTools SmarterMail email servers—widely deployed across SMBs, MSPs, educational institutions, and healthcare environments—must take immediate action. This actively exploited authentication bypass vulnerability allows unauthenticated attackers to reset system administrator passwords and gain complete control over email infrastructure without any credentials. ACTIVE EXPLOITATION CONFIRMED – Attacks began just 2 DAYS after patch release ~10000+ vulnerable instances identified globally Added to CISA's Known Exploited Vulnerabilities (KEV) catalog CVSS 9.8 Critical – Direct path to SYSTEM/root-level RCE Link to the Research Report: CVE-2026-23760 – SmarterTools SmarterMail Authentication Bypass Vulnerability - CYFIRMA #CyberSecurity #CVE202623760 #SmarterMail #AuthenticationBypass #ThreatIntel #ExternalThreatLandscapeManagement #VulnerabilityAlert #EmailSecurity #CriticalInfrastructure #CYFIRMA #CISA_KEV #RCE #PreAuthExploit https://www.cyfirma.com/

    8 min

  8. MAR 3

    CYFIRMA Research- PlayCloak: A Play Store–Distributed Travel Utility Covertly Operating as a Financial Fraud and Cybercrime Platform

    Threat Research Alert | Android Loan Scam Our analysis uncovered an Android application, Hicas, distributed via the Google Play Store and marketed as a Smart Travel Packing Companion, which covertly operates as a region-targeted fraudulent loan platform. Key Findings: • Play Store app masquerading as a travel utility • Region-based cloaking activates loan flow on IN devices • Remote WebView delivers full lending workflow • Runtime behavior controlled via external JSON config • No app update required to alter logic or UI • Heavy obfuscation + XOR-based string decryption • Firebase FCM used for remote triggers/content • Excessive perms incl. contacts, camera, notifications • Explicit contact enumeration logic observed • Coercive repayment UI (urgency banners, coupons) • Offshore infra consistent with CN-linked loan ops • 500,000+ downloads, high potential user impact Link to the Research Report: PlayCloak: A Play Store–Distributed Travel Utility Covertly Operating as a Financial Fraud and Cybercrime Platform - CYFIRMA #CyberSecurity #MobileSecurity #AndroidMalware #LoanScam #PlayStore  #ThreatIntelligence #SeedSnatcher #ThreatAlert #CYFIRMA #CYFIRMAresearch https://www.cyfirma.com/

    5 min
See All (288)

About

Cyber defenders, listen up! The CYFIRMA Research podcast has some juicy intel on the latest cyber threats that are lurking in the shadows. Tune in to this security briefing to stay on top of emerging threats and be ready to tackle digital risk like never before.

Information

  • Creator
    CYFIRMA
  • Years Active
    2023 - 2026
  • Episodes
    288
  • Rating
    Clean
  • Copyright
    © 2026 CYFIRMA Research
  • Show Website
    CYFIRMA Research