A follow-up to our previous article on LoneNone and his PXA Stealer malware, in which we detail rare insights into the malware author's back-end operations and the evolution of the malware's capabilities.
Oct 30 - 17 Min Read
When you send phishing campaigns to a security company, you really shouldn't ask LLMs to build your infrastructure.
Oct 27 - 26 Min Read
Beazley Security Labs and SentinelLabs collaborated to investigate a complex delivery and execution chain leading to PXA Stealer.
Aug 4 - 19 Min Read
Updated to include the discovery of a PDFMaker reskin. Beazley Security MXDR teams recently observed a "free Word to PDF converter" exhibiting suspicious activity across client environments.
May 28 - 5 Min Read
Late last year, Beazley Security Managed Extended Detection and Response (MXDR) identified and thwarted a threat actor within a client's environment. We previously published our initial analysis, which covered some of the activity and tools used by the threat actor. In this article, we detail additional findings from our continued study of telemetry and artifacts related to this breach.
Apr 14 - 9 Min Read
More research coming soon. In the meantime, check out our advisories.
On January 29th, Ivanti published an advisory concerning two vulnerabilities (tracked as CVE-2026-1281 and CVE-2026-1340) in their Endpoint Manager Mobile (EPMM) product. Both vulnerabilities were listed as remote command injection bugs that allow a successful attacker to achieve unauthenticated remote code execution (RCE) on an affected device. EPMM is often deployed directly connected to the internet, and as such can provide threat actors with initial access to an organization's network. Ivanti confirmed in their advisory that a "very limited number of customers" had been exploited at the time of disclosure. Additionally, CISA added both vulnerabilities to their Known Exploited Vulnerabilities list the same day.
Jan 29 - 4 Min Read
On January 27th, Fortinet published an advisory alerting users to an authentication bypass actively being exploited in the wild against FortiCloud SSO. This vulnerability is separate from, but closely related to, CVE-2025-59718 and CVE-2025-59719 from December 2025, and warrants immediate action.
Jan 27 - 4 Min Read
On January 23, CISA updated their Known Exploited Vulnerabilities (KEV) catalog with a critical Local File Inclusion (LFI) vulnerability in Zimbra Collaboration (ZCS). This vulnerability, tracked as CVE-2025-68645 and originally reported on December 22nd, allows unauthenticated remote attackers to include arbitrary files from the WebRoot directory by crafting malicious requests to an endpoint in the RestFilter servlet. This can potentially leak enough information to breach the targeted server and provide threat actors with initial access into an organization's network.
Jan 23 - 2 Min Read
On January 6th, 2026, CVE-2026-21858 was published by n8n, followed shortly by articles by Dor Attias and Cyera documenting critical flaws in n8n's request parsing. The vulnerability allows an unauthenticated attacker to exfiltrate sensitive data, which can lead to full compromise of the n8n system. If a vulnerable n8n system is directly connected to the internet, this could provide threat actors with initial access to an organization's internal network.
Jan 8 - 2 Min Read
On December 28, 2025, NIST published a critical file upload vulnerability affecting the SmarterTools SmarterMail server. The flaw, documented as CVE-2025-52691, carries a maximum CVSS score of 10 and allows remote, unauthenticated attackers to upload malicious files to the mail server, potentially leading to remote code execution.
Dec 29 - 3 Min Read