Articles

Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem

Beazley Security Labs and SentinelLabs collaborated to investigate a complex delivery & execution chain leading to PXA Stealer

Aug 4 - 19 Min Read

PDFast Compromise - PDFMaker Reskin Update

Updated to include discovery of a PDFMaker reskin. Beazley Security MXDR teams recently observed a "free Word to PDF converter" exhibiting suspicious activity across client environments.

May 28 - 5 Min Read

Hunting Mice In Tunnels II - Fake CAPTCHAs and Ransomware

Late last year, Beazley Security Managed Extended Detection and Response (MXDR) identified and thwarted a threat actor within a client's environment. We previously published our initial analysis that included some of the activity and tools used by the threat actor. In this article, we detail additional findings based on our continued study of telemetry and artifacts related to this breach.

Apr 14 - 9 Min Read

Disabling EDR With WDAC

Beazley Security has seen attackers in the wild disabling EDR solutions by abusing Windows Defender Application Control (WDAC) policies. 🫨

Mar 6 - 3 Min Read

Hunting Mice In Tunnels

Threat actor abusing free Cloudflare Tunnels (formerly Argo Tunnel) for C2, contained by Beazley Security MDR.

Nov 13 - 9 Min Read

More research coming soon; in the meantime, check out our advisories.

Advisories

Critical Vulnerability in Oracle Under Active Exploitation (CVE-2025-61882)

On October 4th, Oracle reported a critical zero-day vulnerability in Oracle E-Business Suite (EBS) that is under active exploitation by Cl0p ransomware operators. The vulnerability, tracked as CVE-2025-61882, is a critical unauthenticated remote code execution flaw affecting Oracle EBS versions 12.2.3 through 12.2.14, with a CVSS score of 9.8.

Oct 6 - 4 Min Read

High Severity SNMP Vulnerability in Cisco IOS & IOS XE Under Active Exploitation (CVE-2025-20352)

On September 24th, Cisco published an advisory detailing a high severity vulnerability within the Simple Network Management Protocol (SNMP) subsystem in Cisco IOS and Cisco IOS XE devices. The bug, tracked as CVE-2025-20352, is a stack overflow in the SNMP subsystem of the underlying Cisco operating systems. An authenticated remote attacker holding a valid SNMP read-only community string (SNMPv1/v2c) or SNMPv3 user credentials can crash and reload the device (denial of service); an attacker who additionally holds administrative credentials on the device can execute arbitrary code. Cisco's Product Security Incident Response Team (PSIRT) has confirmed successful exploitation of this vulnerability in the wild.

Sep 26 - 5 Min Read

Current Attack Campaign Leveraging Critical Vulnerabilities Against Cisco ASA & FTD VPN Appliances (CVE-2025-20333, CVE-2025-20363)

On September 25, Cisco published several advisories concerning critical vulnerabilities in their Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) product lines. These vulnerabilities have been actively exploited in the wild since earlier this year by a sophisticated adversary. The malicious activity has been attributed to the 2024 "ArcaneDoor" campaign, with current evidence indicating that the same threat actors involved in the previous incidents are responsible for the ongoing attacks.

Sep 25 - 15 Min Read

Critical Vulnerability in Fortra GoAnywhere (CVE-2025-10035)

On September 18th, software company Fortra published an advisory detailing a critical vulnerability in their popular managed file transfer application GoAnywhere MFT. The issue is present in the GoAnywhere MFT administration interface and affects organizations whose admin interface is reachable from the internet. The vulnerability is a deserialization flaw that may permit an unauthenticated attacker to achieve command injection, allowing threat actors to run arbitrary commands on the appliance.

Sep 19 - 2 Min Read

Malicious Worm Code Found in Many NPM Packages

Beazley Security Labs is monitoring a rapidly evolving supply-chain attack in the NPM (Node.js) ecosystem, known as the Shai-Hulud campaign. This attack uses a worm-like malicious payload embedded in compromised NPM packages. Once installed, the payload attempts to harvest secrets such as GitHub and NPM access tokens, as well as cloud credentials for providers such as AWS, Azure, and Google Cloud Platform. Once access tokens have been harvested, the worm uses them to republish malicious versions of any packages the compromised tokens control. It also injects GitHub Actions workflows to enable ongoing data exfiltration and persistence, making this a self-propagating NPM worm that continuously expands its reach and its ability to exfiltrate credentials from a broader set of victims.

Sep 17 - 5 Min Read