Labs Archive

Prompts as Code & Embedded Keys | The Hunt for LLM-Enabled Malware

Alex Delamotte, Vitaly Kamluk & Gabriel Bernadett-Shapiro / September 19, 2025

LLM-enabled malware poses new challenges for detection. SentinelLABS presents groundbreaking research on how to hunt for this new class of threats.

Adversary

Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms

Aleksandar Milenkoski, Sreekar Madabushi (Validin) & Kenneth Kinion (Validin) / September 4, 2025

DPRK-aligned threat actors abuse CTI platforms to detect infrastructure exposure and scout for new assets.

Crimeware

Smart Contract Scams | Ethereum Drainers Pose as Trading Bots to Steal Crypto

Alex Delamotte / August 5, 2025

Crypto scammers use fake YouTube bots, AI videos, and obfuscated smart contracts to steal $900K+, targeting unwary traders.

Advanced Persistent Threat

Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem

Jim Walter, Alex Delamotte, Beazley Security’s Francisco Donoso, Sam Mayers, Tell Hause & Bobby Venal / August 4, 2025

PXA Stealer uses advanced evasion and Telegram C2 to steal global victim data, fueling a thriving cybercrime market.

Advanced Persistent Threat

China’s Covert Capabilities | Silk Spun From Hafnium

Dakota Cary / July 30, 2025

China-linked hackers used patented spyware tech from front companies tied to Hafnium, exposing gaps in cyber threat attribution.

25 MKTG Comms Blog 022 Generic LABS Blog Images 07

Advanced Persistent Threat

macOS NimDoor | DPRK Threat Actors Target Web3 and Crypto Platforms with Nim-Based Malware

Phil Stokes & Raffaele Sabato / July 2, 2025

NimDoor shows how threat actors are continuing to explore cross-platform languages that introduce new levels of complexity for analysts.

Advanced Persistent Threat

Follow the Smoke | China-nexus Threat Actors Hammer At the Doors of Top Tier Targets

Aleksandar Milenkoski & Tom Hegel / June 9, 2025

This report uncovers a set of related threat clusters linked to PurpleHaze and ShadowPad operators targeting organizations, including cybersecurity vendors.

Security Research

FreeDrain Unmasked | Uncovering an Industrial-Scale Crypto Theft Network

Tom Hegel, Kenneth Kinion (Validin) & Sreekar Madabushi (Validin) / May 8, 2025

FreeDrain is a modern, scalable phishing operation exploiting weaknesses in free publishing platforms to steal cryptocurrency on a global scale.

Adversary

Top Tier Target | What It Takes to Defend a Cybersecurity Company from Today’s Adversaries

Tom Hegel, Aleksandar Milenkoski & Jim Walter / April 28, 2025

This report highlights a rarely-discussed but crucially important attack surface: security vendors themselves

Crimeware

AkiraBot | AI-Powered Bot Bypasses CAPTCHAs, Spams Websites At Scale

Alex Delamotte & Jim Walter / April 9, 2025

AkiraBot uses OpenAI to generate custom outreach messages to spam chat widgets and website contact forms at scale.

LABScon25 Replay | Auto-Poking The Bear: Analytical Tradecraft In The AI Age

Prompts as Code & Embedded Keys | The Hunt for LLM-Enabled Malware

Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms

Smart Contract Scams | Ethereum Drainers Pose as Trading Bots to Steal Crypto

Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem

China’s Covert Capabilities | Silk Spun From Hafnium

macOS NimDoor | DPRK Threat Actors Target Web3 and Crypto Platforms with Nim-Based Malware

Follow the Smoke | China-nexus Threat Actors Hammer At the Doors of Top Tier Targets

FreeDrain Unmasked | Uncovering an Industrial-Scale Crypto Theft Network

Top Tier Target | What It Takes to Defend a Cybersecurity Company from Today’s Adversaries

AkiraBot | AI-Powered Bot Bypasses CAPTCHAs, Spams Websites At Scale