Labs Archive

Advanced Persistent Threat

Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem

Jim Walter, Alex Delamotte, Beazley Security’s Francisco Donoso, Sam Mayers, Tell Hause & Bobby Venal / August 4, 2025

PXA Stealer uses advanced evasion and Telegram C2 to steal global victim data, fueling a thriving cybercrime market.

Advanced Persistent Threat

China’s Covert Capabilities | Silk Spun From Hafnium

Dakota Cary / July 30, 2025

China-linked hackers used patented spyware tech from front companies tied to Hafnium, exposing gaps in cyber threat attribution.

25 MKTG Comms Blog 022 Generic LABS Blog Images 07

Advanced Persistent Threat

macOS NimDoor | DPRK Threat Actors Target Web3 and Crypto Platforms with Nim-Based Malware

Phil Stokes & Raffaele Sabato / July 2, 2025

NimDoor shows how threat actors are continuing to explore cross-platform languages that introduce new levels of complexity for analysts.

Advanced Persistent Threat

Follow the Smoke | China-nexus Threat Actors Hammer At the Doors of Top Tier Targets

Aleksandar Milenkoski & Tom Hegel / June 9, 2025

This report uncovers a set of related threat clusters linked to PurpleHaze and ShadowPad operators targeting organizations, including cybersecurity vendors.

Security Research

FreeDrain Unmasked | Uncovering an Industrial-Scale Crypto Theft Network

Tom Hegel, Kenneth Kinion (Validin) & Sreekar Madabushi (Validin) / May 8, 2025

FreeDrain is a modern, scalable phishing operation exploiting weaknesses in free publishing platforms to steal cryptocurrency on a global scale.

Adversary

Top Tier Target | What It Takes to Defend a Cybersecurity Company from Today’s Adversaries

Tom Hegel, Aleksandar Milenkoski & Jim Walter / April 28, 2025

This report highlights a rarely-discussed but crucially important attack surface: security vendors themselves

Crimeware

AkiraBot | AI-Powered Bot Bypasses CAPTCHAs, Spams Websites At Scale

Alex Delamotte & Jim Walter / April 9, 2025

AkiraBot uses OpenAI to generate custom outreach messages to spam chat widgets and website contact forms at scale.

LABScon

LABScon24 Replay | A Walking Red Flag (With Yellow Stars)

LABScon / March 31, 2025

Dakota Cary and Eugenio Benincasa explore China's CTF ecosystem, highlighting competitions held by the Ministry of State Security and the PLA.

LABScon

LABScon24 Replay | Kryptina RaaS: From Unsellable Cast-off to Enterprise Ransomware

LABScon / March 26, 2025

Jim Walter reveals how a recent leak provided insight into how Kryptina RaaS has been adapted for use in enterprise attacks.

LABScon

LABScon24 Replay | Resilience and Protection in the Windows Ecosystem

LABScon / March 12, 2025

Kim Zetter interviews David Weston on topics such as the fallout from the CrowdStrike outage, Windows Recall and improving Microsoft security.

Smart Contract Scams | Ethereum Drainers Pose as Trading Bots to Steal Crypto

Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem

China’s Covert Capabilities | Silk Spun From Hafnium

macOS NimDoor | DPRK Threat Actors Target Web3 and Crypto Platforms with Nim-Based Malware

Follow the Smoke | China-nexus Threat Actors Hammer At the Doors of Top Tier Targets

FreeDrain Unmasked | Uncovering an Industrial-Scale Crypto Theft Network

Top Tier Target | What It Takes to Defend a Cybersecurity Company from Today’s Adversaries

AkiraBot | AI-Powered Bot Bypasses CAPTCHAs, Spams Websites At Scale

LABScon24 Replay | A Walking Red Flag (With Yellow Stars)

LABScon24 Replay | Kryptina RaaS: From Unsellable Cast-off to Enterprise Ransomware

LABScon24 Replay | Resilience and Protection in the Windows Ecosystem