Verticals Targeted: None specified
Regions Targeted: Russia
Related Families: None
Executive Summary: ClayRAT, a sophisticated Android spyware campaign targeting Russian users, leverages Telegram channels and phishing sites to distribute malicious APKs disguised as popular apps. Its rapid evolution, extensive surveillance capabilities, and self-propagation via SMS make it a significant threat to mobile security.
Source: PolySwarm Main Blog
Verticals Targeted: Manufacturing, Government, Healthcare, Technology, Retail, Education, Financial, Construction
Regions Targeted: India, US, Europe, Brazil, Canada
Related Families: None
Executive Summary: The EvilAI malware campaign leverages AI-generated code and deceptive applications with valid digital signatures to infiltrate systems globally, targeting critical industries like manufacturing, government, and healthcare. By mimicking legitimate software and employing sophisticated obfusc...
Verticals Targeted: Not specified
Regions Targeted: Not specified
Related Families: LockBit
Executive Summary: LockBit 5.0, the latest evolution of the notorious ransomware, targets Windows, Linux, and VMware ESXi systems with advanced obfuscation, DLL reflection, and anti-analysis techniques. Its cross-platform capabilities and enhanced encryption methods make it a formidable threat to enterprise networks.
Verticals Targeted: Real Estate, Insurance, Energy, Manufacturing, Legal Services, Healthcare, Construction, Retail, Agriculture, Finance, Business Services, Transportation, Software, Hospitality, Government, Telecommunications
Regions Targeted: US, Europe, South America, Australia, Canada, India, Africa
Executive Summary: A surge in Akira ransomware attacks since July 2025 exploits SonicWall VPNs via CVE-2024-40766, enabling rapid credential-based intrusions with dwell times as short as 55 mi...
The BRICKSTORM backdoor, attributed to the suspected China-nexus threat cluster UNC5221, has been actively targeting U.S. organizations in the legal, SaaS, BPO, and technology sectors since March 2025.
Source: blog.polyswarm.io
Verticals Targeted: Defense Manufacturing, Telecommunications, Aerospace
Regions Targeted: Western Europe, Middle East
Related Families: MiniJunk, MiniBrowse
Executive Summary: Nimbus Manticore, an Iranian APT group, has intensified its cyberespionage campaign targeting defense, telecommunications, and aerospace sectors in Western Europe and the Middle East, deploying advanced malware such as MiniJunk and MiniBrowse via sophisticated spear-phishing and DLL sideloading techniques. The group’s...
Verticals Targeted: Not specified
Regions Targeted: None
Related Families: Petya, NotPetya, NotPetyaAgain, RedPetyaOpenSSL
Executive Summary: HybridPetya is a ransomware variant resembling Petya/NotPetya, capable of compromising UEFI-based systems and exploiting CVE-2024-7344 to bypass UEFI Secure Boot on outdated systems. While not observed in active campaigns, its advanced capabilities warrant close monitoring by security teams.
Verticals Targeted: Financial
Regions Targeted: Czech Republic, Slovakia
Related Families: NFSkate
Executive Summary: RatOn is a sophisticated Android banking trojan that integrates NFC relay capabilities with remote access and automated transfer functionalities, marking a notable evolution in mobile fraud tactics.
TAG-150 is a sophisticated threat actor that has been deploying CastleLoader, CastleBot, and the newly identified CastleRAT since March 2025, leveraging a multi-tiered infrastructure and advanced phishing tactics.
Verticals Targeted: Not specified
Regions Targeted: NATO countries
Related Families: None
Hook Version 3 is an advanced Android banking trojan with ransomware, phishing, and lockscreen bypass capabilities, posing significant risks to financial institutions and enterprises. Its distribution via phishing websites and GitHub amplifies its reach, necessitating robust mobile threat defenses.
Researchers have uncovered Plague, a previously undetected Linux backdoor masquerading as a malicious Pluggable Authentication Module (PAM) to enable persistent SSH access and authentication bypass.
DCHSpy is an Android surveillanceware linked to Iran’s Static Kitten group, targeting Iranian users with fake VPN and Starlink apps to steal sensitive data amid regional conflict.