FortiGuard Labs Threat Research

From CI/CD to Cloud Data: How Shai Hulud Persistence Leads to Redshift Breach

Fri, 26 Jun 2026 13:00:00 +0000

See how Shai Hulud-linked CI/CD compromise exposed Jenkins credentials, enabled AWS escalation, and led to Redshift breach activity detected by FortiCNAPP

Threat Actors Weaponize AI Hype to Deliver AsyncRAT

Thu, 11 Jun 2026 13:00:00 +0000

FortiGuard Labs analyzes a multi-stage malware campaign that uses fake AI-themed documents, hidden PowerShell scripts, AutoHotkey loaders, and process injection to deploy AsyncRAT and maintain remote access.

Cybercriminals Are Targeting the FIFA World Cup 2026

Thu, 4 Jun 2026 13:00:00 +0000

FortiGuard Labs research shows how cybercriminals are exploiting the demand for the FIFA World Cup 2026 through phishing, fake tickets, malware, impersonation, and credential theft.

Inside the Cross-Platform Propagation of a New Gafgyt Variant C0XMO

Wed, 3 Jun 2026 13:00:00 +0000

FortiGuard Labs analyzes C0XMO, a new Gafgyt variant leveraging DD-WRT exploitation and multi-architecture propagation to expand IoT botnet infections.

Phishing Campaign Deploys JavaScript-Driven PureLogs Variant to Steal Sensitive Data

Tue, 26 May 2026 13:00:00 +0000

FortiGuard Labs analyzed a new phishing campaign that uses obfuscated JavaScript, PowerShell, process hollowing, and PureLogs to steal sensitive data

Misconfigured, Enrolled and Dormant: Anatomy of a P2Pinfect Kubernetes Compromise

Wed, 20 May 2026 13:00:00 +0000

FortiGuard Labs analyzed several P2PInfect compromises in GKE clusters, showing how exposed Redis instances can enable persistent botnet enrollment, dormancy, and cloud runtime risk.

PureLogs: Delivery via PawsRunner Steganography

Fri, 15 May 2026 13:00:00 +0000

FortiGuard Labs has analyzed a steganography-based malware campaign that uses PawsRunner to deliver the PureLogs infostealer, highlighting evolving delivery methods and detection strategies.

Tracking Mirai Variant Nexcorium: A Vulnerability-Driven IoT Botnet Campaign

Fri, 17 Apr 2026 13:00:00 +0000

TBK DVRs targeted by Nexcorium: exploiting, persisting, brute-force attacks, and multi-architecture Mirai-style DDoS in a single campaign. From CVE-2024-3721 exploitation to CVE-2017-17215 reuse, this botnet demonstrates how quickly IoT threats continue to evolve.

DPRK-Related Campaigns with LNK and GitHub C2

Thu, 2 Apr 2026 13:00:00 +0000

Analysis of DPRK-linked LNK-based attacks using GitHub as covert C2 infrastructure, detailing multi-stage PowerShell execution, persistence mechanisms, and data exfiltration techniques targeting Windows environments.

Cyber Fallout After the Strikes: Signal, Noise, and What Comes Next

Wed, 4 Mar 2026 17:00:00 +0000

Following U.S.-Israeli strikes on Iran, FortiGuard Labs has not yet observed large-scale cyber retaliation. However, we observed that regional cyber activity is rising. Organizations should take action to strengthen cyber hygiene, rotate credentials, and reduce exposure.