Articles

CMD Organization – New Ransomware Operator Moves to Place Public Bidding Wars on Ransomed Data

In April, Beazley Security’s incident response team was called in after a newly surfaced affiliate calling themselves CMD Organization deployed ransomware and exfiltrated data from a victim organization. By way of adding a bidding platform within its leak site, the group allows potential buyers to participate directly in the extortion process. In this post, we document what our responders uncovered about CMD Organization and explore their leaksite.

May 14 - 12 Min Read

Vect 2.0: An Insider Perspective On The New Ransomware Variant

An insider look at Vect 2.0, a rapidly emerging ransomware-as-a-service operation that has gone from forum post to full-fledged platform in a matter of months. We walk through the affiliate panel, commission structure, and the technical capabilities of its Windows and ESXi lockers.

Apr 24 - 18 Min Read

Pay2Key Iranian-Linked Ransomware is Back, Back Again

In late February, Beazley Security's Incident Response team responded to a ransomware intrusion at a U.S. healthcare organization attributed to Pay2key, an Iranian government-linked threat actor that has operated since 2020. Upon investigation, the attacker had maintained access to a compromised admin account for several days before deploying ransomware and encrypting the environment within three hours.

Mar 24 - 25 Min Read

Chasing a Ghost : PXA Stealer Part 2

A follow-up to a previous article on LoneNone and his PXA Stealer malware where we detail some rare insights into the malware author's back-end operations and the evolution of their capabilities.

Oct 30 - 17 Min Read

Quantum Redirect: Offense by Vibes

When you send phishing campaigns to a security company, you really shouldn't ask LLMs to build your infrastructure.

Oct 27 - 26 Min Read

Advisories

Critical Memory Corruption Vulnerabilities in NGINX (CVE-2026-42533, CVE-2026-56434, CVE-2026-60005)

F5 has patched three memory-corruption vulnerabilities in NGINX Plus and NGINX Open Source, the most severe of which lets an unauthenticated attacker crash worker processes and, under the right conditions, execute code.

Jul 15, 2026 - 4 Min Read

Critical Vulnerability in Oracle EBS Payments Product Under Active Exploitation (CVE-2026-46817)

On July 15th, 2026, CISA added a critical flaw in Oracle E-Business Suite's Payments module to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation of the vulnerability in the wild.

Jul 15, 2026 - 3 Min Read

SharePoint Vulnerabilities Under Active Exploitation, CISA Urges SharePoint Hardening

(CVE-2026-55040, CVE-2026-58644, CVE-2026-32201, CVE-2026-45659, CVE-2026-56164)

Jul 14, 2026 - 6 Min Read

Critical Vulnerability in SonicWall SMA1000 Appliances Under Active Exploitation (CVE-2026-15409)

On July 14th, 2026, SonicWall PSIRT disclosed a critical vulnerability affecting SMA1000 secure remote access appliances. Tracked as CVE-2026-15409, SonicWall confirmed this vulnerability is being actively exploited in the wild and CISA has added it to its Known Exploited Vulnerabilities (KEV) catalog.

Jul 14, 2026 - 3 Min Read

Emerging Threat: Progress Customers Instructed to Shut Down Storage Zone Controllers

Progress Software issued an emergency communication via email to customers, urging immediate server shutdown citing a “credible external security threat targeting Progress Software’s ShareFile Storage Zone Controllers.”

Jul 10, 2026 - 4 Min Read