Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Dharma, also known as CrySiS, is a long running ransomware family first observed in 2016. It operates as ransomware as a service, where developers lease the malware to affiliates who deploy it. A variant discovered in March 2021 appends the ".biden" extension to encrypted files. This article provides a technical analysis of Dharma, outlines its infection vector, describes its encryption workflow, and offers guidance for mitigation.

Researchers at Palo Alto Networks’ Unit 42 are tracking two new malicious AI tools, WormGPT 4 and KawaiiGPT, that allow threat actors to craft phishing lures and generate ransomware code. These tools are criminal alternatives to mainstream AI tools like ChatGPT, with no safety guardrails to prevent users from using them for malicious activities. The latest version of WormGPT offers lifetime access for $220, or a monthly fee of $50.

The BlueVoyant Security Operations Center (SOC) and Threat Fusion Cell (TFC) team are tracking an adversary luring users into downloading fake Concur browser extensions. The fake browser extension installer contains a FireClient Loader designed to gather host information and send to its command and control (C2) server. If execution succeeds with successful communication to the C2, the loader drops a backdoor BlueVoyant is naming FireClient Backdoor.

Throughout 2025, CrowdStrike has identified multiple intrusions targeting VMware vCenter environments at U.S.-based entities, in which newly identified China-nexus adversary WARP PANDA deployed BRICKSTORM malware. WARP PANDA exhibits a high level of technical sophistication, advanced operations security (OPSEC) skills, and extensive knowledge of cloud and virtual machine (VM) environments.

The Securonix Threat Research team has analyzed a sophisticated web-based multi-stage malware campaign. The attack chain unfolds across three distinct stages: (1) an obfuscated JavaScript loader injected into a compromised website, (2) a stealthy HTA (HTML Application) that executes encrypted PowerShell stagers via mshta.exe, and (3) a final PowerShell payload that downloads, extracts, executes, and establishes persistence for a Windows-based remote access Trojan.

According to our 2025 State of the Underground report, ransomware attacks rose by nearly 25% in 2024, and the number of ransomware group leak sites jumped 53%. This surge sets the stage for a critical question: if compromised, should you pay ransomware demands or not? The stakes are enormous, including downtime, data loss, brand damage, and legal risk all hang in the balance.

A new criminal platform called “Matrix Push C2” is using browser notifications to launch social engineering attacks, according to researchers at BlackFog. “This browser-native, fileless framework leverages push notifications, fake alerts, and link redirects to target victims across operating systems,” the researchers write.