Articles

Chasing a Ghost: PXA Stealer Part 2

A follow-up to a previous article on LoneNone and his PXA Stealer malware where we detail some rare insights into the malware author's back-end operations and the evolution of their capabilities.

Oct 30 - 17 Min Read

Quantum Redirect: Offense by Vibes

When you send phishing campaigns to a security company, you really shouldn't ask LLMs to build your infrastructure.

Oct 27 - 26 Min Read

Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem

Beazley Security Labs and SentinelLabs collaborated to investigate a complex delivery and execution chain leading to PXA Stealer.

Aug 4 - 19 Min Read

PDFast Compromise - PDFMaker Reskin Update

Updated to include discovery of PDFMaker reskin. Beazley Security MXDR Teams recently observed a “free word to PDF converter” exhibit suspicious activity across client environments.

May 28 - 5 Min Read

Hunting Mice In Tunnels II - Fake CAPTCHAs and Ransomware

Late last year, Beazley Security Managed Extended Detection and Response (MXDR) identified and thwarted a threat actor within a client's environment. We previously published our initial analysis that included some of the activity and tools used by the threat actor. In this article, we detail additional findings based on our continued study of telemetry and artifacts related to this breach.

Apr 14 - 9 Min Read

More research is coming soon; in the meantime, check out our advisories.

Advisories

Critical Vulnerability Reported in Citrix NetScaler ADC and Gateway (CVE-2025-12101)

On November 11th, Citrix published an advisory detailing a critical vulnerability in their NetScaler ADC and NetScaler Gateway lines of products. This bug (tracked as CVE-2025-12101) is a cross-site scripting (XSS) vulnerability on NetScaler ADC or NetScaler Gateway devices when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. These devices are typically deployed as internet-facing by design, so this vulnerability can be used by threat actors to gain initial access to an organization’s internal network.

Nov 11 - 2 Min Read

CentOS Web Panel Vulnerability Under Active Exploitation (CVE-2025-48703)

On November 4th, the Cybersecurity and Infrastructure Security Agency (CISA) added a critical vulnerability within CentOS Web Panel (CWP) to its known exploited vulnerabilities (KEV) database, meaning it is being actively exploited in the wild.

Nov 6 - 5 Min Read

Critical Microsoft WSUS Vulnerability Being Exploited In-The-Wild (CVE-2025-59287)

On October 23rd, Microsoft issued an out-of-band security update to address a previously reported vulnerability identified as CVE-2025-59287. This vulnerability affects the Windows Server Update Services (WSUS) component and may allow unauthorized attackers to execute remote code on WSUS servers. If exploited, threat actors could use this vulnerability to distribute malicious software to Windows systems that are configured to receive updates from the compromised WSUS server. The out-of-band update was likely in response to proof-of-concept (PoC) exploit code published by cybersecurity company HawkTrace, followed by reports of in-the-wild exploit attempts from threat actor groups observed by cybersecurity company Huntress.

Oct 24 - 4 Min Read

Critical Vulnerability in Squid Web Proxy (CVE-2025-62168)

On October 17th, the open-source web proxy project Squid published an advisory concerning an information disclosure vulnerability in their popular Squid proxy software. The vulnerability can be leveraged to reveal confidential, internal authentication material to unauthorized parties. The vulnerability was also assigned the highest possible CVSS risk score of 10.0. Squid proxies are commonly deployed internet-facing by design, and compromised authentication material could grant threat actors initial access into an organization’s network.

Oct 20 - 2 Min Read

F5 Source Code, Engineering Documentation and Undisclosed Vulnerabilities Stolen by Nation State Threat Actors

On October 15th, the vendor F5 publicly disclosed a security breach impacting their internal environment and resulting in a threat actor exfiltrating sensitive data about their BIG-IP product line, including source code, engineering documentation, and undisclosed vulnerability data. We examine the impact of the breach and review the vulnerabilities that F5 has now addressed in their response to the breach.

Oct 15 - 10 Min Read