The PolySwarm Blog

Verticals Targeted: None specified
Regions Targeted: United States, United Kingdom, Canada, Denmark, Panama, Kuwait
Related Families: HelloKitty

Verticals Targeted: Not specified
Regions Targeted: Middle East
Related Families: None

Executive Summary

A novel Android spyware family, dubbed Landfall, leveraged a zero-day vulnerability in Samsung's image processing library to compromise Galaxy devices. The campaign, active since mid-2024, enabled extensive surveillance capabilities and remained undetected until historical samples were analyzed post-patch.

Verticals Targeted: None Specified
Regions Targeted: Ukraine
Related Families: FRUITSHELL, PROMPTFLUX, PROMPTLOCK, PROMPTSTEAL, QUIETVAULT

Executive Summary

Industry researchers have noted the emergence of AI-integrated malware that queries large language models during runtime to generate code, obfuscate payloads, and adapt behaviors. This evolution extends beyond productivity aids, enabling nation state actors and cybercriminals to enhance intrusion chains with dynamic capabilities. Associated malware includes FRUITSHELL, PROMPTFLUX, PROMPTLOCK, PROMPTSTEAL, and QUIETVAULT.

Verticals Targeted: Business Process Outsourcing (BPO)
Regions Targeted: Not Specified
Related Families: None

Executive Summary

Airstalk is a new Windows malware family deployed by a suspected nation-state actor in supply chain attacks, leveraging AirWatch API for covert C2 to exfiltrate browser data. Available in PowerShell and .NET variants, the malware highlights evolving threats to third-party vendors.

Verticals Targeted: Government
Regions Targeted: Middle East, North Africa
Related Families: Phoenix, FakeUpdate

Executive Summary

A sophisticated phishing operation has been attributed to the Iran-linked APT MuddyWater, deploying an updated Phoenix backdoor to conduct espionage against government and international entities. The campaign leverages compromised mailboxes and macro-enabled Word documents to deliver custom injectors and persistence mechanisms, highlighting the group's reliance on trusted channels for initial access.

Verticals Targeted: NGOs, Policy Advisors, Dissidents
Regions Targeted: Not Specified
Related Families: LOSTKEYS, COLDCOPY, YESROBOT, MAYBEROBOT

Executive Summary

Industry researchers have identified new malware families, including NOROBOT, YESROBOT, and MAYBEROBOT, deployed by the Russian state-sponsored group COLDRIVER, targeting high-value individuals in NGOs, policy advisors, and dissidents. This rapid retooling, observed after the May 2025 disclosure of LOSTKEYS, showcases COLDRIVER’s evolving tactics to evade detection while maintaining aggressive intelligence collection.

Verticals Targeted: Telecommunications
Regions Targeted: Europe
Related Families:  SNAPPYBEE (Deed RAT)

Executive Summary

Salt Typhoon, a China-linked advanced persistent threat (APT) group, has been targeting global critical infrastructure using sophisticated tactics like DLL sideloading and zero-day exploits. Recent activity targeted a European telecommunications entity.

Verticals Targeted: Not specified
Regions Targeted: Sri Lanka
Related Families: BeaverTail, OtterCookie, InvisibleFerret

Executive Summary

Famous Chollima, a DPRK-aligned threat group, has evolved its arsenal, with BeaverTail and OtterCookie increasingly merging functionalities to steal credentials and cryptocurrency via deceptive job offers. A recent campaign involved a trojanized Node.js application distributed through a malicious NPM package, highlighting the group's adaptation in delivery methods.