Check Point Research

Key takeaways Introduction GoBruteforcer is a botnet that turns compromised Linux servers into scanning and password brute-force nodes. It targets internet-exposed services such as phpMyAdmin web panels, MySQL and PostgreSQL databases, and FTP servers. Infected hosts are incorporated into the botnet and accept remote operator commands.  Newly discovered weak credentials are used to steal data, […]

The post Inside GoBruteforcer: AI-Generated Server Defaults, Weak Passwords, and Crypto-Focused Campaigns appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 5th January, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Two US banks, Artisans’ Bank and VeraBank, disclosed that customer data was exposed in an August ransomware attack on their vendor, Marquis Software. The vendor was breached via SonicWall vulnerability, and while […]

The post 5th January – Threat Intelligence Report appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 29th December, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Romanian Waters, the country’s national water management authority, was hit by a ransomware attack that resulted in nearly 1,000 computer systems across national and regional offices being encrypted. The attack affected geographic […]

The post 29th December – Threat Intelligence Report appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 22nd December, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES An adult content platform PornHub has disclosed a data breach linked to analytics provider Mixpanel. The breach exposed more than 200 million records related to Premium users, including email addresses, search, watch, […]

The post 22nd December – Threat Intelligence Report appeared first on Check Point Research.

Research by: Sven Rath (@eversinc33), Jaromír Hořejší (@JaromirHorejsi) Key Points Introduction In a previous publication, we examined the YouTube Ghost Network, a coordinated collection of compromised accounts that abuse the platform to promote malware. In our current research, we analyze one specific campaign of this network, which stood out as the deployed malware implements a previously undocumented PE injection […]

The post GachiLoader: Defeating Node.js Malware with API Tracing appeared first on Check Point Research.

Key Findings Introduction Check Point Research tracks a sustained, highly capable espionage cluster, which we refer to as Ink Dragon, and is referenced in other reports as CL-STA-0049, Earth Alux, or REF7707. This cluster is assessed by several vendors to be PRC-aligned. Since at least early 2023, Ink Dragon has repeatedly targeted government, telecom, and […]

The post Inside Ink Dragon: Revealing the Relay Network and Inner Workings of a Stealthy Offensive Operation appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 15th December, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES The Indian government confirmed cyber incidents involving GPS spoofing at seven major airports, including Delhi, Mumbai, Kolkata, and Bengaluru. The attack affected aircrafts using GPS-based landing procedures. Despite signal disruption to navigation […]

The post 15th December – Threat Intelligence Report appeared first on Check Point Research.

Highlights: Introduction Throughout 2025, we conducted and published several reports related to our research on the Silver Fox APT. In some of them (for example, here), the threat actor delivered the well-known ValleyRAT backdoor, also referred to as Winos or Winos4.0, as the final stage. Since this malware family is widely used, modular, and often associated with Chinese threat actors […]

The post Cracking ValleyRAT: From Builder Secrets to Kernel Rootkits appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 8th December, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES The University of Pennsylvania and the University of Phoenix were hit by data breaches after attackers exploited zero-day vulnerabilities in Oracle E-Business Suite servers. At least 1,488 people at UPenn and numerous […]

The post 8th December – Threat Intelligence Report appeared first on Check Point Research.

By: Dikla Barda, Roman Zaikin, and Oded Vanunu On November 30, 2025, Check Point Research detected a critical exploit targeting Yearn Finance’s yETH pool on Ethereum. Within hours, approximately $9 million was stolen from the protocol. The attacker achieved this by minting an astronomical number of tokens—235 septillion yETH (a 41-digit number)—while depositing only 16 […]

The post The $9M yETH Exploit: How 16 Wei Became Infinite Tokens appeared first on Check Point Research.

By: Isabel Mill & Oded Vanunu OpenAI Codex CLI is OpenAI’s command-line tool that brings AI model-backed reasoning into developer workflows. It can read, edit, and run code directly from the terminal, making it possible to interact with projects using natural language commands, automate tasks, and streamline day-to-day development One of its key features is […]

The post CVE-2025-61260 — OpenAI Codex CLI: Command Injection via Project-Local Configuration appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 1st December, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES OpenAI has experienced a data breach resulting from a compromise at third-party analytics provider Mixpanel, which exposed limited information of some ChatGPT API clients. The leaked data includes names, email addresses, approximate […]

The post 1st December – Threat Intelligence Report appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 24th November, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES The notorious “Scattered LAPSUS$ Hunters” group claimed responsibility for a supply-chain attack involving the Salesforce-integrated platform Gainsight. The group stated that data from 300 organizations was compromised, including Verizon, GitLab and Atlassian. […]

The post 24th November – Threat Intelligence Report appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 17th November, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Cl0p’s Oracle E-Business Suite (CVE-2025-61882) zero-day campaign continues to expand. There are new confirmed breaches at The Washington Post, Logitech, Allianz UK, and GlobalLogic, as well as a newly listed but unconfirmed […]

The post 17th November – Threat Intelligence Report appeared first on Check Point Research.

Key Findings Ransomware in Q3 2025: RaaS fragmentation increases and Lockbit is back During the third quarter of 2025, we monitored more than 85 active data leak sites (DLS) that collectively listed 1,592 new victims. Compared to the 1,607 victims reported in Q2 2025, the publication rate remained stable though it is still notably higher […]

The post The State of Ransomware – Q3 2025 appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 10th November, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES The US Congressional Budget Office (CBO) has confirmed a cyber attack that resulted in a suspected foreign threat actor breaching its network and potentially exposing sensitive communications between congressional offices and CBO […]

The post 10th November – Threat Intelligence Report appeared first on Check Point Research.

By: Dikla Barda, Roaman Zaikin & Oded Vanunu  On November 3, 2025, Check Point Research’s blockchain monitoring systems detected a sophisticated exploit targeting Balancer V2’s ComposableStablePool contracts. The attacker exploited arithmetic precision loss in pool invariant calculations to drain $128.64 million across six blockchain networks in under 30 minutes. The attack leveraged a rounding error […]

The post How an Attacker Drained $128M from Balancer Through Rounding Error Exploitation appeared first on Check Point Research.

By Andrey Charikov and Oded Vanunu Key Findings: Launched in March 2017, Microsoft Teams has become one of the most widely used communication and collaboration platforms in the world. As part of the Microsoft 365 family, Teams provides workplaces with chat, video conferencing, file storage, and application integration to more than 320 million monthly active […]

The post Exploiting Microsoft Teams: Impersonation and Spoofing Vulnerabilities Exposed appeared first on Check Point Research.

Research by: Alexey Bukhteyev Key takeaways Introduction XLoader is a widely observed malicious loader with information-stealing capabilities. It first surfaced in 2020 as a rebrand of the FormBook code base, a well-known and capable information stealer, and has since undergone substantial hardening and feature growth. In addition to the Windows variant, its developers also marketed […]

The post Beating XLoader at Speed: Generative AI as a Force Multiplier for Reverse Engineering appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 3rd November, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES The Everest ransomware group has claimed responsibility for a series of attacks impacting AT&T, Dublin Airport, and Air Arabia. The ransomware gang exfiltrated sensitive data including 576,000 AT&T applicant records, 1.5 million […]

The post 3rd November – Threat Intelligence Report appeared first on Check Point Research.