Security Advisories

Lazarus Group Expands Malware Arsenal with New RAT Families

The Lazarus Group, a North Korea–linked advanced persistent threat (APT), has introduced three new malware families — PondRAT, ThemeForestRAT, and RemotePE — into its operational toolkit. The emergence of these tools underscores a broader strategic shift by Lazarus: leveraging enhanced persistence, accelerated lateral movement, and a heightened focus on espionage to reinforce its operational advantage. By actively developing techniques that bypass traditional endpoint defences, the group is extending dwell time within high-value environments such as financial institutions, defence contractors, and critical infrastructure operators. This evolution demonstrates Lazarus's capacity to outpace conventional detection models and adapt rapidly to advancing security controls. This advisory details the technical capabilities of these malware families, outlines their strategic implications, and provides actionable recommendations for security leaders to strengthen their defensive posture. Download the Full Report from our Blogs page.
September 10, 2025

PS1Bot Loader: Fileless Malware Spread Through Malvertising Ads

In August 2025, researchers uncovered a sophisticated malvertising campaign distributing the PS1Bot loader through search engine ads and compromised ad networks. Unsuspecting users searching for popular software were diverted to attacker-controlled domains hosting trojanized installers that mimicked legitimate applications. Once executed, these installers trigger a multi-stage, in-memory infection chain designed to remain invisible to traditional security controls. At its core, the PS1Bot loader employs heavily obfuscated PowerShell and a modular payload delivery mechanism capable of deploying information stealers, remote access trojans (RATs), or ransomware on demand. This campaign exemplifies the broader adversarial trend of abusing living-off-the-land binaries (LOLBins) such as PowerShell and Windows Installer, combined with social engineering through malvertising and SEO poisoning. By avoiding disk artefacts and executing entirely in memory, PS1Bot significantly complicates forensic analysis, impedes signature-based detection, and highlights the growing inadequacy of conventional antivirus solutions against modern, modular malware ecosystems. Download the Full Report from our Blogs page: https://www.cyberstash.com/published-advisories/
August 19, 2025

The Defender Deception: How Your Endpoint Security Is Being Outsmarted

Despite continued advancements in endpoint security, from Next-Gen Antivirus (NGAV) to modern EDR and SIEM platforms, many organisations operate under an illusion of protection. In reality, threat actors are innovating faster than defenders can adapt. The emergence of offensive tools like the newly released Zig Strike toolkit reveals just how easily even advanced, policy-compliant security stacks can be bypassed. Zig Strike represents a new generation of open-source red teaming frameworks that are designed not merely to test detection, but to exploit the architectural blind spots of endpoint protection platforms, including Microsoft Defender for Endpoint. Written in the memory-safe, high-performance Zig programming language, the toolkit provides attackers with a web interface for crafting highly evasive payloads that bypass modern AV, NGAV, and EDR solutions through a blend of stealthy injection techniques, compile-time obfuscation, anti-sandbox mechanisms, and entropy reduction. More than a red team utility, Zig Strike is a proof point: even the most hardened environments are susceptible to techniques that operate below the radar of behavioural analytics and machine learning-based detection engines. By leveraging trusted interfaces (e.g. Excel Add-ins), hijacking process threads, fragmenting shellcode across memory, and exploiting legitimate APIs, the toolkit underscores a troubling reality: the modern attacker…
July 23, 2025