Articles

Chasing a Ghost: PXA Stealer Part 2

A follow-up to our previous article on LoneNone and his PXA Stealer malware, in which we detail some rare insights into the malware author's back-end operations and the evolution of the malware's capabilities.

Oct 30 - 17 Min Read

Quantum Redirect: Offense by Vibes

When you send phishing campaigns to a security company, you really shouldn't ask LLMs to build your infrastructure.

Oct 27 - 26 Min Read

Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem

Beazley Security Labs and SentinelLabs collaborated to investigate a complex delivery and execution chain leading to PXA Stealer.

Aug 4 - 19 Min Read

PDFast Compromise - PDFMaker Reskin Update

Updated to include discovery of PDFMaker reskin. Beazley Security MXDR Teams recently observed a “free word to PDF converter” exhibit suspicious activity across client environments.

May 28 - 5 Min Read

Hunting Mice In Tunnels II - Fake CAPTCHAs and Ransomware

Late last year, Beazley Security Managed Extended Detection and Response (MXDR) identified and thwarted a threat actor within a client's environment. We previously published our initial analysis that included some of the activity and tools used by the threat actor. In this article, we detail additional findings based on our continued study of telemetry and artifacts related to this breach.

Apr 14 - 9 Min Read

More research is coming soon; in the meantime, check out our advisories.

Advisories

Critical Vulnerability in React and Next.js (CVE-2025-55182, CVE-2025-66478)

On December 3rd, the open-source web software library React disclosed a critical vulnerability in the React Server Components (RSC) “Flight” protocol impacting the React 19 ecosystem and the frameworks that implement it, most notably Next.js. CVE-2025-55182 (React) and CVE-2025-66478 (Next.js) identify an insecure deserialization bug that can result in unauthenticated remote code execution (RCE) on the web server running Node. The bug, found and reported by a security researcher, is present in default configurations of the affected software, so a standard deployment is immediately at risk even without any custom hardening or configuration. React and Next.js are widely used across the internet, and therefore this vulnerability requires immediate action.

Dec 3 - 5 Min Read

Critical Vulnerability in Oracle OIM Under Active Exploitation (CVE-2025-61757)

In October 2025, Oracle released a patch advisory for several critical vulnerabilities, including disclosure of a flaw within its Identity Manager product tracked as CVE-2025-61757. On November 20, 2025, Searchlight Cyber published a proof-of-concept (PoC) write-up, and shortly after, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) confirmed active exploitation of this vulnerability in the wild.

Nov 24 - 4 Min Read

Critical Vulnerability Reported in Citrix NetScaler ADC and Gateway (CVE-2025-12101)

On November 11th, Citrix published an advisory detailing a critical vulnerability in its NetScaler ADC and NetScaler Gateway product lines. This bug (tracked as CVE-2025-12101) is a cross-site scripting (XSS) vulnerability on NetScaler ADC or NetScaler Gateway devices when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. These devices are typically deployed as internet-facing by design, so this vulnerability can be used by threat actors to gain initial access to an organization’s internal network.

Nov 11 - 2 Min Read

CentOS Web Panel Vulnerability Under Active Exploitation (CVE-2025-48703)

On November 4th, the Cybersecurity and Infrastructure Security Agency (CISA) added a critical vulnerability in CentOS Web Panel (CWP) to its Known Exploited Vulnerabilities (KEV) database, meaning it is being actively exploited in the wild.

Nov 6 - 5 Min Read

Critical Microsoft WSUS Vulnerability Being Exploited In-The-Wild (CVE-2025-59287)

On October 23rd, Microsoft issued an out-of-band security update to address a previously reported vulnerability identified as CVE-2025-59287. This vulnerability affects the Windows Server Update Service (WSUS) component and may allow unauthorized attackers to execute remote code on WSUS servers. If exploited, threat actors could use this vulnerability to distribute malicious software to Windows systems that are configured to receive updates from the compromised WSUS server. The out-of-band update was likely a response to proof-of-concept (PoC) exploit code published by the cybersecurity company HawkTrace, followed by reports of in-the-wild exploitation attempts by threat actor groups observed by the cybersecurity company Huntress.

Oct 24 - 4 Min Read