Security Advisories

China-Linked Espionage Threatening Asia-Pacific Critical Communications

High-priority advisory. Persistent loaders (PlugX, Bookworm, Turian) are enabling long-term access to subscriber and core network data across the region.

China-linked threat actors are intensifying espionage campaigns across Asia, with telecommunications providers and government networks as prime targets. These operations use modernised versions of the PlugX, Bookworm, and Turian loaders, all of which share stealthy DLL sideloading and in-memory decryption pipelines. By compromising telecoms and their service providers, adversaries gain access to subscriber data, network management systems, and interconnection gateways, which yields both intelligence and operational leverage. The tradecraft (spear-phishing, stealthy persistence, and credential harvesting) establishes long-term footholds that are difficult to detect or eradicate. For enterprises, this represents a sustained risk of data exfiltration, service disruption, and systemic exposure across critical infrastructure.

What makes this campaign particularly dangerous is the convergence of multiple malware families into a shared ecosystem of loaders and toolkits, which lets adversaries scale operations with minimal new development. This ecosystem approach ensures persistence across borders, sectors, and technologies, posing not just a cybersecurity risk but a direct challenge to regional resilience and national sovereignty.

October 1, 2025

Lazarus Group Expands Malware Arsenal with New RAT Families

The Lazarus Group, a North Korea–linked advanced persistent threat (APT), has introduced three new malware families, PondRAT, ThemeForestRAT, and RemotePE, into its operational toolkit. The emergence of these tools underscores a broader strategic shift by Lazarus: enhanced persistence, faster lateral movement, and a heightened focus on espionage to reinforce its operational advantage.

By actively developing techniques that bypass traditional endpoint defences, the group is extending dwell time within high-value environments such as financial institutions, defence contractors, and critical infrastructure operators. This evolution demonstrates Lazarus's capacity to outpace conventional detection models and adapt rapidly to advancing security controls.

This advisory details the technical capabilities of these malware families, outlines their strategic implications, and provides actionable recommendations for security leaders to strengthen their defensive posture.

September 10, 2025

PS1Bot Loader: Fileless Malware Spread Through Malvertising Ads

In August 2025, researchers uncovered a malvertising campaign distributing the PS1Bot loader through search engine ads and compromised ad networks. Users searching for popular software were diverted to attacker-controlled domains hosting trojanized installers that mimicked legitimate applications. Once executed, these installers trigger a multi-stage, in-memory infection chain designed to evade traditional security controls. At its core, the PS1Bot loader uses heavily obfuscated PowerShell and a modular payload delivery mechanism capable of deploying information stealers, remote access trojans (RATs), or ransomware on demand.

This campaign exemplifies the broader adversarial trend of abusing living-off-the-land binaries (LOLBins) such as PowerShell and Windows Installer, combined with social engineering through malvertising and SEO poisoning. By avoiding disk artefacts and executing entirely in memory, PS1Bot significantly complicates forensic analysis, impedes signature-based detection, and highlights the growing inadequacy of conventional antivirus solutions against modern, modular malware ecosystems.

Full report: https://www.cyberstash.com/published-advisories/

August 19, 2025