Articles

CMD Organization – New Ransomware Operator Moves to Place Public Bidding Wars on Ransomed Data

In April, Beazley Security’s incident response team was called in after a newly surfaced affiliate calling themselves CMD Organization deployed ransomware and exfiltrated data from a victim organization. By way of adding a bidding platform within its leak site, the group allows potential buyers to participate directly in the extortion process. In this post, we document what our responders uncovered about CMD Organization and explore their leaksite.

May 14 - 12 Min Read

Vect 2.0: An Insider Perspective On The New Ransomware Variant

An insider look at Vect 2.0, a rapidly emerging ransomware-as-a-service operation that has gone from forum post to full-fledged platform in a matter of months. We walk through the affiliate panel, commission structure, and the technical capabilities of its Windows and ESXi lockers.

Apr 24 - 18 Min Read

Pay2Key Iranian-Linked Ransomware is Back, Back Again

In late February, Beazley Security's Incident Response team responded to a ransomware intrusion at a U.S. healthcare organization attributed to Pay2key, an Iranian government-linked threat actor that has operated since 2020. Upon investigation, the attacker had maintained access to a compromised admin account for several days before deploying ransomware and encrypting the environment within three hours.

Mar 24 - 25 Min Read

Chasing a Ghost : PXA Stealer Part 2

A follow-up to a previous article on LoneNone and his PXA Stealer malware where we detail some rare insights into the malware author's back-end operations and the evolution of their capabilities.

Oct 30 - 17 Min Read

Quantum Redirect: Offense by Vibes

When you send phishing campaigns to a security company, you really shouldn't ask LLMs to build your infrastructure.

Oct 27 - 26 Min Read

Advisories

SharePoint Vulnerabilities Under Active Exploitation, CISA Urges SharePoint Hardening

(CVE-2026-55040, CVE-2026-58644, CVE-2026-32201, CVE-2026-45659, CVE-2026-56164)

Jul 14, 2026 - 6 Min Read

Critical Vulnerability in SonicWall SMA1000 Appliances Under Active Exploitation (CVE-2026-15409)

On July 14th, 2026, SonicWall PSIRT disclosed a critical vulnerability affecting SMA1000 secure remote access appliances. Tracked as CVE-2026-15409, SonicWall confirmed this vulnerability is being actively exploited in the wild and CISA has added it to its Known Exploited Vulnerabilities (KEV) catalog.

Jul 14, 2026 - 3 Min Read

Emerging Threat: Progress Customers Instructed to Shut Down Storage Zone Controllers

Progress Software issued an emergency communication via email to customers, urging immediate server shutdown citing a “credible external security threat targeting Progress Software’s ShareFile Storage Zone Controllers.”

Jul 10, 2026 - 4 Min Read

Vulnerabilities Found in Page Builder CK (CVE-2026-48908) and SP Page Builder (CVE-2026-56290)

Critical vulnerabilities have been found in two Joomla plugins, leading to maximum severity CVE-2026-56290 and CVE-2026-48908, both already added to CISA's KEV catalog.

Jul 8, 2026 - 5 Min Read

Critical Vulnerabilities in BeyondTrust Remote Support and Privileged Remote Access (CVE-2026-40138, CVE-2026-40139)

Two pre-authentication flaws CVE-2026-40138 and CVE-2026-40139 disclosed in BeyondTrust Remote Support and Privileged Remote Access let attackers bypass authentication and reach the appliance, including privileged accounts, when a specific authentication configuration is enabled.

Jul 7, 2026 - 2 Min Read