Articles

Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem

Beazley Security Labs and SentinelLabs collaborated to investigate a complex delivery and execution chain leading to PXA Stealer.

Aug 4 - 19 Min Read

PDFast Compromise - PDFMaker Reskin Update

Updated to include the discovery of a PDFMaker reskin. Beazley Security MXDR teams recently observed a “free Word to PDF converter” exhibiting suspicious activity across client environments.

May 28 - 5 Min Read

Hunting Mice In Tunnels II - Fake CAPTCHAs and Ransomware

Late last year, Beazley Security Managed Extended Detection and Response (MXDR) identified and thwarted a threat actor within a client's environment. We previously published our initial analysis that included some of the activity and tools used by the threat actor. In this article, we detail additional findings based on our continued study of telemetry and artifacts related to this breach.

Apr 14 - 9 Min Read

Disabling EDR With WDAC

Beazley Security has seen attackers in the wild disabling EDR solutions by leveraging Windows Defender Application Control (WDAC) policies. 🫨

Mar 6 - 3 Min Read

Hunting Mice In Tunnels

A threat actor abusing free Cloudflare Argo Tunnels for C2, contained by Beazley Security MDR.

Nov 13 - 9 Min Read

More research is coming soon; in the meantime, check out our advisories.

Advisories

Threat Actors Targeting SonicWall Gen 7 and Newer Firewalls

On August 4th, SonicWall support published an advisory concerning an increase in threat activity targeting their Gen 7 firewall product lineup, specifically devices with the SSLVPN component enabled.

Aug 5 - 7 Min Read

Critical Vulnerabilities in SonicWall SMA (CVE-2025-40596, CVE-2025-40597, CVE-2025-40598)

On July 23, 2025, SonicWall disclosed three new vulnerabilities in its Secure Mobile Access (SMA) 100 series devices: CVE-2025-40596, CVE-2025-40597, and CVE-2025-40598. If successfully exploited, the vulnerabilities range from allowing unauthenticated attackers to perform a Denial of Service (DoS) attack to executing arbitrary JavaScript code. The vulnerabilities were found and reported to SonicWall by a third-party cybersecurity firm, and SonicWall quickly released patches through its normal update channels. SonicWall has not confirmed active exploitation of these vulnerabilities at the time of this writing. However, the reporting security firm has published proof-of-concept details and technical walkthroughs, increasing the likelihood of active exploitation.

Jul 29 - 4 Min Read

Critical Vulnerability In CrushFTP Under Active Exploitation (CVE-2025-54309)

On July 18, 2025, CrushFTP confirmed active exploitation of a zero-day vulnerability impacting its secure file transfer platform. Identified as CVE-2025-54309, the flaw allows remote attackers to bypass authentication mechanisms and gain unauthorized access to vulnerable servers.

Jul 22 - 5 Min Read

SharePoint 0Day Vulnerability Under Active Exploitation (CVE-2025-53770)

Microsoft's on-premises SharePoint servers are vulnerable to an unauthorized remote code execution flaw that is under active exploitation. CVE-2025-53770, dubbed "ToolShell", was found in the wild on July 18th, 2025, and requires immediate mitigation for those running on-premises SharePoint servers.

Jul 21 - 6 Min Read

Critical Vulnerabilities in Citrix NetScaler Services and "CitrixBleed 2" (CVE-2025-6543, CVE-2025-5777)

Cloud Software Group, the holding company of Citrix, recently disclosed multiple critical vulnerabilities affecting Citrix NetScaler ADC and Gateway products, with the most severe being CVE-2025-6543 and CVE-2025-5777. These vulnerabilities allow unauthenticated attackers to perform memory overflow attacks.

Jun 25 - 5 Min Read