Articles

Vect 2.0: An Insider Perspective On The New Ransomware Variant

An insider look at Vect 2.0, a rapidly emerging ransomware-as-a-service operation that has gone from forum post to full-fledged platform in a matter of months. We walk through the affiliate panel, commission structure, and the technical capabilities of its Windows and ESXi lockers.

Apr 24 - 18 Min Read

Pay2Key Iranian-Linked Ransomware is Back, Back Again

In late February, Beazley Security's Incident Response team responded to a ransomware intrusion at a U.S. healthcare organization attributed to Pay2Key, an Iranian government-linked threat actor that has operated since 2020. Investigation showed that the attacker had maintained access to a compromised admin account for several days before deploying ransomware and encrypting the environment within three hours.

Mar 24 - 25 Min Read

Chasing a Ghost: PXA Stealer Part 2

A follow-up to a previous article on LoneNone and his PXA Stealer malware where we detail some rare insights into the malware author's back-end operations and the evolution of their capabilities.

Oct 30 - 17 Min Read

Quantum Redirect: Offense by Vibes

When you send phishing campaigns to a security company, you really shouldn't ask LLMs to build your infrastructure.

Oct 27 - 26 Min Read

Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem

Beazley Security Labs and SentinelLabs collaborated to investigate a complex delivery and execution chain leading to PXA Stealer.

Aug 4 - 19 Min Read

Advisories

Critical Vulnerability in Progress MOVEit Automation (CVE-2026-4670)

On April 30th, Progress Software published an alert bulletin regarding a critical vulnerability in their widely used file share product MOVEit Automation. The flaw, tracked as CVE-2026-4670, could allow unauthenticated, remote attackers access to affected systems.

Apr 30 - 2 Min Read

Critical Vulnerability in cPanel and WHM Under Active Exploitation (CVE-2026-41940)

On April 29th, cPanel published an emergency advisory concerning CVE-2026-41940, a security issue in “various authentication paths” in all supported versions of the cPanel software. cPanel provided security updates along with their public advisory. Well-known hosting providers have confirmed that an exploit is already being used in the wild, and some have taken the extreme step of firewalling off access to the software until security patches could be deployed. Additionally, a few hours after the official cPanel advisory, security researchers published a blog with details sufficient to produce proof-of-concept exploit code.

Apr 29 - 5 Min Read

Critical Remote Code Execution Vulnerability in FortiClient EMS Under Active Exploitation (CVE-2026-21643)

On April 13th, CISA added a critical remote code execution vulnerability in FortiClient Enterprise Management Server to its Known Exploited Vulnerability (KEV) database. The vulnerability is being tracked as CVE-2026-21643 and is under active exploitation.

Apr 13 - 3 Min Read

Critical Auth Bypass Vulnerability in FortiClient EMS Under Active Exploitation (CVE-2026-35616)

On April 6th, CISA added a critical remote code execution vulnerability in FortiClient Enterprise Management Server to its Known Exploited Vulnerability (KEV) database. The vulnerability is being tracked as CVE-2026-35616 and is under active exploitation.

Apr 6 - 3 Min Read

Critical Vulnerabilities in Progress ShareFile (CVE-2026-2699, CVE-2026-2701)

On April 2nd, 2026, the cybersecurity research company watchTowr publicly disclosed a proof-of-concept exploit for two critical vulnerabilities (CVE-2026-2699 and CVE-2026-2701) affecting Progress ShareFile. When chained together, these vulnerabilities allow an unauthenticated attacker to bypass authentication and achieve remote code execution (RCE) on targeted systems.

Apr 2 - 4 Min Read