Articles
Chasing a Ghost : PXA Stealer Part 2
A follow-up to a previous article on LoneNone and his PXA Stealer malware where we detail some rare insights into the malware author's back-end operations and the evolution of their capabilities.
Oct 30 - 17 Min Read
Quantum Redirect: Offense by Vibes
When you send phishing campaigns to a security company, you really shouldn't ask LLMs to build your infrastructure.
Oct 27 - 26 Min Read
Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem
Beazley Security Labs and SentinelLabs collaborated to investigate a complex delivery & execution chain leading to PXA Stealer
Aug 4 - 19 Min Read
PDFast Compromise - PDFMaker Reskin Update
Updated to include discovery of PDFMaker reskin. Beazley Security MXDR Teams recently observed a “free word to PDF converter” exhibit suspicious activity across client environments.
May 28 - 5 Min Read
Hunting Mice In Tunnels II - Fake CAPTCHAs and Ransomware
Late last year, Beazley Security Managed Extended Detection and Response (MXDR) identified and thwarted a threat actor within a client's environment. We previously published our initial analysis that included some of the activity and tools used by the threat actor. In this article, we detail additional findings based on our continued study of telemetry and artifacts related to this breach.
Apr 14 - 9 Min Read
Advisories
Critical Vulnerability in Ubiquiti Network Application (CVE-2026-22557)
On March 18th, Ubiquiti disclosed a Path Traversal vulnerability in the Unifi Network Application, CVE-2026-22557, which can be leveraged to access the underlying file system and could lead to further modifications and result in compromise of an underlying account.
Mar 18 - 2 Min Read
Known Abuse of Ivanti EPM Authentication Bypass (CVE-2026-1603)
Known Abuse of Ivanti's Endpoint Manager (EPM) Authentication Bypass (CVE-2026-1603) was reported by CISA's Known Exploited Vulnerabilities Catalog (KEV).
Mar 9 - 2 Min Read
Critical Vulnerabilities in Cisco SD-Wan Systems Under Active Exploitation (CVE-2026-20127, CVE-2026-20128, CVE-2026-20122)
Updated 03/09/2026 to include additional CVEs disclosed by Cisco affecting the same product line. On February 25th, Cisco disclosed a critical authentication bypass vulnerability affecting Cisco Catalyst SD-WAN Controller and Manager systems. The flaw allows an unauthenticated attacker with network access to the SD-WAN peering service to bypass authentication and establish unauthorized control-plane connections. This vulnerability has been exploited in the wild according to Cisco by a sophisticated threat actor with evidence of exploitation reaching back to 2023.
Feb 25 - 6 Min Read
Critical Vulnerabilities in Microsoft Windows and Office Under Active Widespread Exploitation (CVE-2026-21510)
Microsoft's February 2026 Patch Tuesday addresses several critical security vulnerabilities, with six zero-day flaws reported as actively exploited in the wild before patches were made available to the public. The disclosed vulnerabilities affect built in Windows components including Windows Shell, MSHTML, Microsoft Word, Windows Notepad, Desktop Window Manager, Remote Desktop Services, and Remote Access Connection Manager.
Feb 11 - 3 Min Read
Critical Vulnerability (CVE-2026-1731) in Beyond Trust Under Active Exploitation
On February 4, 2025, Beyond Trust reported in their Customer Portal that a critical vulnerability was discovered affecting the Remote Support (RS) and Privileged Remote Access (PRA) products. CVE-2026-1731 and a CVSS score of 9.9 have now been assigned to this vulnerability and is under active exploitation.
Feb 4 - 4 Min Read