A follow-up to a previous article on LoneNone and his PXA Stealer malware where we detail some rare insights into the malware author's back-end operations and the evolution of their capabilities.
Oct 30 - 17 Min Read
When you send phishing campaigns to a security company, you really shouldn't ask LLMs to build your infrastructure.
Oct 27 - 26 Min Read
Beazley Security Labs and SentinelLabs collaborated to investigate a complex delivery & execution chain leading to PXA Stealer
Aug 4 - 19 Min Read
Updated to include discovery of PDFMaker reskin. Beazley Security MXDR Teams recently observed a “free word to PDF converter” exhibit suspicious activity across client environments.
May 28 - 5 Min Read
Late last year, Beazley Security Managed Extended Detection and Response (MXDR) identified and thwarted a threat actor within a client's environment. We previously published our initial analysis that included some of the activity and tools used by the threat actor. In this article, we detail additional findings based on our continued study of telemetry and artifacts related to this breach.
Apr 14 - 9 Min Read
More research coming soon, in the mean time, check out our advisories
On December 9th, text editor application Notepad++ reported an incident where some of their software update infrastructure had been hijacked to deliver sophisticated backdoor malware to specific targets. Rapid7 published some additional analysis on one of the payloads delivered and attributed the campaign to Chinese state sponsored APT group Lotus Blossom.
Feb 4 - 3 Min Read
On February 4, 2025, Beyond Trust reported in their Customer Portal that a critical vulnerability was discovered affecting the Remote Support (RS) and Privileged Remote Access (PRA) products. At time of writing, there was no CVE assigned and no public information on the vulnerability, but it is being tracked by the vendor as BT26-02.
Feb 4 - 2 Min Read
On January 29th, Ivanti published an advisory concerning two vulnerabilities (tracked as CVE-2026-1281 and CVE-2026-1340) in their Endpoint Manager Mobile (EPMM) product. Both vulnerabilities were listed as remote command injection bugs that allow successful attackers to perform unauthenticated remote code execution (RCE) on an affected device. EPMM is often deployed directly connected to the internet, and as such can provide threat actors with initial access to an organizations network. Ivanti confirmed in their advisory that a “very limited number of customers” had been exploited at time of disclosure. Additionally, CISA added both vulnerabilities to their Known Exploited Vulnerabilities list the same day.
Jan 29 - 4 Min Read
On January 27th, Fortinet published an advisory alerting users to an authentication bypass actively being used in the wild against FortiCloud SSO. This vulnerability being separate to but closely affiliated to (CVE-2025-59718 and CVE-2025-59719) from December 2025 warrant immediate action.
Jan 27 - 4 Min Read
On January 23, CISA updated their Known Exploited Vulnerability (KEV) catalog with a critical Local File Inclusion (LFI) vulnerability in Zimbra Collaboration (ZCS). This vulnerability, tracked as CVE-2025-68645 and originally reported on December 22nd, allows unauthenticated remote attackers to include arbitrary files from the WebRoot directory by crafting malicious requests to an endpoint in the RestFilter servlet. This can potentially leak enough information to breach the targeted server and provide threat actors initial access into an organizations network.
Jan 23 - 2 Min Read