Articles

Pay2Key Iranian-Linked Ransomware is Back, Back Again

In late February, Beazley Security's Incident Response team responded to a ransomware intrusion at a U.S. healthcare organization attributed to Pay2Key, an Iranian government-linked threat actor that has operated since 2020. Investigation showed that the attacker had maintained access to a compromised admin account for several days before deploying ransomware and encrypting the environment within three hours.

Mar 24 - 25 Min Read

Chasing a Ghost: PXA Stealer Part 2

A follow-up to a previous article on LoneNone and his PXA Stealer malware, in which we detail some rare insights into the malware author's back-end operations and the evolution of their capabilities.

Oct 30 - 17 Min Read

Quantum Redirect: Offense by Vibes

When you send phishing campaigns to a security company, you really shouldn't ask LLMs to build your infrastructure.

Oct 27 - 26 Min Read

Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem

Beazley Security Labs and SentinelLabs collaborated to investigate a complex delivery and execution chain leading to PXA Stealer.

Aug 4 - 19 Min Read

PDFast Compromise - PDFMaker Reskin Update

Updated to include discovery of the PDFMaker reskin. Beazley Security MXDR teams recently observed a "free Word to PDF converter" exhibiting suspicious activity across client environments.

May 28 - 5 Min Read

Advisories

Critical Vulnerability in Citrix NetScaler ADC and Gateway Security Products (CVE-2026-3055)

On March 23rd, Citrix published an advisory detailing a critical severity vulnerability in their NetScaler ADC and Gateway products. The vulnerability, tracked as CVE-2026-3055 with a CVSS score of 9.3, allows an unauthenticated attacker to cause a memory over-read in the device, potentially disclosing sensitive information.

Mar 23 - 2 Min Read

Critical Vulnerability in Oracle Identity Manager and Web Services Manager (CVE-2026-21992)

Oracle has released an emergency out-of-band patch for a critical remote code execution vulnerability affecting Oracle Identity Manager (OIM) and Oracle Web Services Manager (OWSM). The vulnerability is tracked as CVE-2026-21992 and is rated at a critical CVSS score of 9.8.

Mar 23 - 3 Min Read

Critical Vulnerability in Microsoft SharePoint under Active Exploitation (CVE-2026-20963)

On March 18th, 2026, CISA added a Microsoft SharePoint vulnerability tracked as CVE-2026-20963 to its Known Exploited Vulnerabilities (KEV) catalog, confirming that the vulnerability is now being actively exploited in the wild.

Mar 20 - 3 Min Read

Critical Vulnerability in Ubiquiti Network Application (CVE-2026-22557)

On March 18th, Ubiquiti disclosed a path traversal vulnerability in the UniFi Network Application, CVE-2026-22557, which can be leveraged to access the underlying file system, could lead to further modifications, and could result in compromise of an underlying account.

Mar 18 - 2 Min Read

Known Abuse of Ivanti EPM Authentication Bypass (CVE-2026-1603)

Known abuse of Ivanti's Endpoint Manager (EPM) authentication bypass (CVE-2026-1603) was reported through CISA's Known Exploited Vulnerabilities (KEV) catalog.

Mar 9 - 2 Min Read