Articles

Pay2Key Iranian-Linked Ransomware is Back, Back Again

In late February, Beazley Security's Incident Response team responded to a ransomware intrusion at a U.S. healthcare organization attributed to Pay2key, an Iranian government-linked threat actor that has operated since 2020. Investigation found that the attacker had maintained access to a compromised admin account for several days before deploying ransomware and encrypting the environment within three hours.

Mar 24 - 25 Min Read

Chasing a Ghost: PXA Stealer Part 2

A follow-up to a previous article on LoneNone and his PXA Stealer malware, in which we detail some rare insights into the malware author's back-end operations and the evolution of their capabilities.

Oct 30 - 17 Min Read

Quantum Redirect: Offense by Vibes

When you send phishing campaigns to a security company, you really shouldn't ask LLMs to build your infrastructure.

Oct 27 - 26 Min Read

Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem

Beazley Security Labs and SentinelLabs collaborated to investigate a complex delivery and execution chain leading to PXA Stealer.

Aug 4 - 19 Min Read

PDFast Compromise - PDFMaker Reskin Update

Updated to include the discovery of a PDFMaker reskin. Beazley Security MXDR teams recently observed a “free Word to PDF converter” exhibiting suspicious activity across client environments.

May 28 - 5 Min Read

Advisories

Critical Supply Chain Attack of NPM Package Axios

On March 30th, a supply chain attack was carried out against the widely used NPM package Axios, one of the most ubiquitous JavaScript libraries. The attack delivers a malicious cross-platform Remote Access Trojan (RAT) targeting macOS, Windows, and Linux systems.

Mar 30 - 2 Min Read

Critical Vulnerability Under Active Exploitation in F5 BIG-IP APM (CVE-2025-53521)

On March 28th, F5 published an advisory raising the severity of a previously reported vulnerability in BIG-IP APM (CVE-2025-53521) to a CVSS score of 9.8. Initially classified as a denial-of-service (DoS) vulnerability, the bug was found to be actively exploited for remote code execution (RCE) instead. BIG-IP devices are commonly deployed on network perimeters, so a successful compromise can give threat actors initial access into an organization’s network.

Mar 30 - 2 Min Read

Critical Vulnerability in Citrix NetScaler ADC and Gateway Security Products (CVE-2026-3055)

On March 23rd, Citrix published an advisory detailing a critical-severity vulnerability in its NetScaler ADC and Gateway products. The vulnerability, tracked as CVE-2026-3055 and carrying a CVSS score of 9.3, allows an unauthenticated attacker to cause a memory over-read on the device, potentially disclosing sensitive information.

Mar 23 - 4 Min Read

Critical Vulnerability in Oracle Identity Manager and Web Services Manager (CVE-2026-21992)

Oracle has released an emergency out-of-band patch for a critical remote code execution vulnerability affecting Oracle Identity Manager (OIM) and Oracle Web Services Manager (OWSM). The vulnerability is tracked as CVE-2026-21992 and carries a critical CVSS score of 9.8.

Mar 23 - 3 Min Read

Critical Vulnerability in Microsoft SharePoint under Active Exploitation (CVE-2026-20963)

On March 18th, 2026, CISA added a Microsoft SharePoint vulnerability tracked as CVE-2026-20963 to its Known Exploited Vulnerabilities (KEV) catalog, confirming that the vulnerability is now being actively exploited in the wild.

Mar 20 - 3 Min Read