Articles

CMD Organization – New Ransomware Operator Moves to Place Public Bidding Wars on Ransomed Data

In April, Beazley Security’s incident response team was called in after a newly surfaced affiliate calling themselves CMD Organization deployed ransomware and exfiltrated data from a victim organization. By adding a bidding platform to its leak site, the group allows potential buyers to participate directly in the extortion process. In this post, we document what our responders uncovered about CMD Organization and explore their leak site.

May 14 - 12 Min Read

Vect 2.0: An Insider Perspective On The New Ransomware Variant

An insider look at Vect 2.0, a rapidly emerging ransomware-as-a-service operation that has gone from forum post to full-fledged platform in a matter of months. We walk through the affiliate panel, commission structure, and the technical capabilities of its Windows and ESXi lockers.

Apr 24 - 18 Min Read

Pay2Key Iranian-Linked Ransomware is Back, Back Again

In late February, Beazley Security's Incident Response team responded to a ransomware intrusion at a U.S. healthcare organization attributed to Pay2key, an Iranian government-linked threat actor that has operated since 2020. Upon investigation, the attacker had maintained access to a compromised admin account for several days before deploying ransomware and encrypting the environment within three hours.

Mar 24 - 25 Min Read

Chasing a Ghost: PXA Stealer Part 2

A follow-up to a previous article on LoneNone and his PXA Stealer malware where we detail some rare insights into the malware author's back-end operations and the evolution of their capabilities.

Oct 30 - 17 Min Read

Quantum Redirect: Offense by Vibes

When you send phishing campaigns to a security company, you really shouldn't ask LLMs to build your infrastructure.

Oct 27 - 26 Min Read

Advisories

Critical Authentication Bypass in SimpleHelp (CVE-2026-48558)

A critical SimpleHelp RMM remote authentication bypass was released June 12th which allows attackers to create privileged Technician accounts and gain control of the SimpleHelp instance.

Jun 16, 2026 - 3 Min Read

Critical Vulnerability in Oracle PeopleSoft Enterprise PeopleTools Under Active Exploitation (CVE-2026-35273)

On June 10th, Oracle released a security advisory impacting the Environment Management component within Oracle’s PeopleSoft application. The vulnerability, now publicly tracked as CVE-2026-35273, has reportedly been actively exploited since as early as May 27th, 2026.

Jun 11, 2026 - 3 Min Read

Critical Vulnerabilities in Ivanti Sentry & EPMM (CVE-2026-6973, CVE-2026-10727, CVE-2026-10520, CVE-2026-10523)

Ivanti published two advisories covering 4 CVEs across their Endpoint Manager Mobile (EPMM) and Ivanti Sentry products that range from authentication bypass to remote code execution.

Jun 10, 2026 - 3 Min Read

Check Point VPN Authentication Bypass Under Active Exploitation (CVE-2026-50751 CVE-2026-50752)

On June 8th, 2026, Check Point Research identified two CVEs (CVE-2026-50751, CVE-2026-50752) which can be abused to bypass Check Point VPN authentication services, allowing threat actors to access network devices and traffic behind the VPN. These vulnerabilities were found under active exploitation in the wild by attackers that Check Point Research attributed, with medium confidence, to Qilin ransomware affiliates.

Jun 8, 2026 - 3 Min Read

Critical Vulnerability Disclosed in Drupal Core (CVE-2026-9082)

Update May 20th, 2026: Drupal recently updated their security advisory with additional technical details and an official CVE to reference a critical vulnerability in Drupal Core. Tracked as CVE-2026-9082, the flaw is due to an SQL injection vulnerability that can be reached through Drupal Core’s database extraction API and only affects deployments using PostgreSQL databases.

May 20, 2026 - 4 Min Read