Tracking Updates to Raspberry Robin
Raspberry Robin, also known as Roshtyak, is a malicious downloader that has been actively targeting systems since 2021 and primarily spreads through infected USB devices. Despite limited public reporting, Raspberry Robin continues to evolve and adopt new techniques to improve its functionality and evade detection. Further insights into Raspberry Robin ...
Ransomware Surges, Extortion Escalates: ThreatLabz 2025 Ransomware Report
Ransomware remains one of the most persistent threats facing enterprises and public sector organizations. The latest research from ThreatLabz confirms that attacks are not only increasing in volume, but also shifting toward more targeted, data-driven extortion tactics. The newly released Zscaler ThreatLabz 2025 Ransomware Report examines year-over-year spikes in ransomware activity ...
Illusory Wishes: China-nexus APT Targets the Tibetan Community
In June 2025, Zscaler ThreatLabz collaborated with TibCERT to investigate two cyberattack campaigns targeting the Tibetan community. Our analysis linked these attacks, dubbed Operation GhostChat and Operation PhantomPrayers, to a China-nexus APT group, which capitalized on increased online activity around the Dalai Lama's 90th birthday to distribute malware in multi-stage attacks. In ...
CVE-2025-53770: Zero-Day Exploit Impacts Microsoft SharePoint Services
On July 19, 2025, Microsoft published an advisory for CVE-2025-53770, a critical zero-day vulnerability that allows unauthenticated attackers to execute arbitrary code on on-premises SharePoint servers. The vulnerability, dubbed ToolShell, stems from insecure deserialization of untrusted data in SharePoint's server-side processing, enabling attackers to craft malicious payloads that compromise the server ...
Black Hat SEO Poisoning Search Engine Results For AI to Distribute Malware
Zscaler ThreatLabz researchers recently uncovered AI-themed websites designed to spread malware. The threat actors behind these attacks are exploiting the popularity of AI tools like ChatGPT and Luma AI. These websites are utilizing platforms such as WordPress and are designed to poison search engine rankings and increase the probability of ...
Securing Data in the AI Era: Insights from the ThreatLabz 2025 Data@Risk Report
As businesses increasingly rely on cloud-driven platforms and AI-powered tools to accelerate digital transformation, the stakes for safeguarding sensitive enterprise data have reached unprecedented levels. The Zscaler ThreatLabz 2025 Data@Risk Report reveals how evolving technology landscapes are amplifying vulnerabilities, highlighting the critical need for a proactive and unified approach to ...
DanaBleed: DanaBot C2 Server Memory Leak Bug
DanaBot is a Malware-as-a-Service (MaaS) platform that has been active since 2018. DanaBot operates on an affiliate model, where the malware developer sells access to customers who then distribute and use the malware for activities like credential theft and banking fraud. The developer is responsible for creating the malware, maintaining ...
Operation Endgame 2.0: DanaBusted
On May 22, 2025, international law enforcement agencies released information about additional actions that were taken in conjunction with Operation Endgame, an ongoing, coordinated effort to dismantle and prosecute cybercriminal organizations, including those behind DanaBot. This action mirrors the original Operation Endgame, launched in May 2024, which disrupted SmokeLoader, IcedID, ...
Technical Analysis of TransferLoader
Zscaler ThreatLabz has identified a new malware loader that we have named TransferLoader, which has been active since at least February 2025. ThreatLabz has identified three different components (a downloader, a backdoor, and a specialized loader for the backdoor) embedded in TransferLoader binaries. In addition, ThreatLabz has observed TransferLoader being ...
I StealC You: Tracking the Rapid Changes To StealC
StealC is a popular information stealer and malware downloader that has been sold since January 2023. In March 2025, StealC version 2 (V2) was introduced with key updates, including a streamlined command-and-control (C2) communication protocol and the addition of RC4 encryption (in the latest variants). The malware's payload delivery options ...