Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

The Securonix Threat Research team has analyzed a multi-stage Windows malware campaign tracked as SHADOW#REACTOR. The infection chain follows a tightly orchestrated execution path: an obfuscated VBS launcher executed via wscript.exe invokes a PowerShell downloader, which retrieves fragmented, text-based payloads from a remote host. These fragments are reconstructed into encoded loaders, decoded in memory by a .NET Reactor–protected assembly, and used to fetch and apply a remote Remcos configuration.

The Shai-Hulud npm supply chain incident was a wake-up call for the industry. The attack involved malicious packages containing hidden exfiltration scripts that targeted developers’ machines and CI environments. At Snyk, we watched this incident unfold in real-time, observing how quickly attackers can pivot from one compromised credential to a full-scale ecosystem infection.

SantaStealer spreads via Telegram and underground forums, the BlackForce phishing kit targets major brands, and Ink Dragon launches new attacks.

Shai Hulud didn’t invent a new supply chain weakness. It took advantage of something most teams already struggle with: long-lived credentials sitting on developer laptops and CI runners. Once it landed in a workstation or pipeline, it went hunting for secrets, then moved into GitHub, npm, and cloud environments. The damage is huge.

At Fal.Con 2025, CrowdStrike introduced Threat AI, an agentic threat intelligence system of autonomous agents that reason across data, hunt for threats, and take action. As part of our vision for the agentic SOC, these AI-powered agents automate complex intelligence workflows so defenders can keep up with AI-powered adversaries while staying in control of every decision.

Ransomware attacks increased by 17.2% percent year-over-year in 2025, with the group Qlin dominating the threat landscape, according to data generated by the LevelBlue SpiderLabs team. These attacks focused primarily on the manufacturing and technology sectors, with the US by far being the most targeted nation. 2025 continued the trend of yearly increases; however, over the last few years, the rate of attacks has somewhat slowed.

Over 90% of parked domains now direct users to malicious content, compared to less than 5% a decade ago, according to researchers at Infoblox. “Parking threats are fueled by lookalike domains,” Infoblox explained. “No domain is immune. When one of our researchers tried to report a crime to the FBI’s Internet Crime Complaint Center (IC3), they accidentally visited ic3gov. Their phone was quickly redirected to a false “Drive Subscription Expired” page.

The end-of-year holiday period is traditionally a time for code freezes and quiet rotations; however, it is also a favored window for opportunistic attackers. Threat actors love the holidays; they know that with development teams out of the office and response times naturally lagging, a small window opens for them to test new exploits without immediate detection. Recently, a security researcher discovered a new, contained variant of Shai-Hulud, dubbed "The Golden Path" (v3.0).

Remote Access Trojans (RATs) continue to be one of the most actively traded malware categories across dark web forums. Their appeal lies in flexibility: a single framework can support espionage, credential theft, ransomware staging, or long-term persistence. Recently our team Identified a dark web actor advertised a tool called“noobsaiBOT”, claiming it to be a fully custom, stealth-focused RAT with source code included, priced at$20,000 and offered as a one-time exclusive sale.