Check Point Research

Key Findings: Introduction Check Point Research (CPR) identified an ongoing phishing campaign that we associate with KONNI, a North Korean–linked threat actor active since at least 2014. KONNI is best known for targeting organizations and individuals in South Korea, with a focus on diplomatic channels, international relations, NGOs, academia, and government. The group typically relies […]

The post KONNI Adopts AI to Generate PowerShell Backdoors appeared first on Check Point Research.

Key Points Introduction When we first encountered VoidLink, we were struck by its level of maturity, high functionality, efficient architecture, and flexible, dynamic operating model. Employing technologies like eBPF and LKM rootkits and dedicated modules for cloud enumeration and post-exploitation in container environments, this unusual piece of malware seemed to be a larger development effort […]

The post VoidLink: Evidence That the Era of Advanced AI-Generated Malware Has Begun appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 19th January, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Spanish energy company Endesa has disclosed a data breach after unauthorized access to a commercial platform used to manage customer information. Media report attackers listed over 1 terabyte of data, including IBANs, […]

The post 19th January – Threat Intelligence Report appeared first on Check Point Research.

Key findings Introduction In December 2025, a previously unknown Ransomware-as-a-Service (RaaS) operation calling itself Sicarii began advertising its services across multiple underground platforms. The group’s name references the Sicarii, a 1st-century Jewish assassins group that opposed Roman rule in Judea. From its initial appearance, the Sicarii ransomware group distinguished itself through unusually explicit and persistent use of Israeli […]

The post Sicarii Ransomware: Truth vs Myth appeared first on Check Point Research.

Key takeaways VoidLink – a Cloud-First Malware Framework In December 2025, Check Point Research identified a small cluster of previously unseen Linux malware samples that appear to originate from a Chinese-affiliated development environment. Many of the binaries included debug symbols and other development artifacts, suggesting we were looking at in-progress builds rather than a finished, […]

The post Unveiling VoidLink – A Stealthy, Cloud-Native Linux Malware Framework appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 12th January, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Manage My Health, New Zealand’s largest patient portal, has acknowledged a cyberattack occurred on December 2025, that potentially exposed data of nearly 110K users. An alleged attacker, dubbed Kazu, claimed responsibility and […]

The post 12th January – Threat Intelligence Report appeared first on Check Point Research.

Key takeaways Introduction GoBruteforcer is a botnet that turns compromised Linux servers into scanning and password brute-force nodes. It targets internet-exposed services such as phpMyAdmin web panels, MySQL and PostgreSQL databases, and FTP servers. Infected hosts are incorporated into the botnet and accept remote operator commands.  Newly discovered weak credentials are used to steal data, […]

The post Inside GoBruteforcer: AI-Generated Server Defaults, Weak Passwords, and Crypto-Focused Campaigns appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 5th January, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Two US banks, Artisans’ Bank and VeraBank, disclosed that customer data was exposed in an August ransomware attack on their vendor, Marquis Software. The vendor was breached via SonicWall vulnerability, and while […]

The post 5th January – Threat Intelligence Report appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 29th December, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Romanian Waters, the country’s national water management authority, was hit by a ransomware attack that resulted in nearly 1,000 computer systems across national and regional offices being encrypted. The attack affected geographic […]

The post 29th December – Threat Intelligence Report appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 22nd December, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES An adult content platform PornHub has disclosed a data breach linked to analytics provider Mixpanel. The breach exposed more than 200 million records related to Premium users, including email addresses, search, watch, […]

The post 22nd December – Threat Intelligence Report appeared first on Check Point Research.

Research by: Sven Rath (@eversinc33), Jaromír Hořejší (@JaromirHorejsi) Key Points Introduction In a previous publication, we examined the YouTube Ghost Network, a coordinated collection of compromised accounts that abuse the platform to promote malware. In our current research, we analyze one specific campaign of this network, which stood out as the deployed malware implements a previously undocumented PE injection […]

The post GachiLoader: Defeating Node.js Malware with API Tracing appeared first on Check Point Research.

Key Findings Introduction Check Point Research tracks a sustained, highly capable espionage cluster, which we refer to as Ink Dragon, and is referenced in other reports as CL-STA-0049, Earth Alux, or REF7707. This cluster is assessed by several vendors to be PRC-aligned. Since at least early 2023, Ink Dragon has repeatedly targeted government, telecom, and […]

The post Inside Ink Dragon: Revealing the Relay Network and Inner Workings of a Stealthy Offensive Operation appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 15th December, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES The Indian government confirmed cyber incidents involving GPS spoofing at seven major airports, including Delhi, Mumbai, Kolkata, and Bengaluru. The attack affected aircrafts using GPS-based landing procedures. Despite signal disruption to navigation […]

The post 15th December – Threat Intelligence Report appeared first on Check Point Research.

Highlights: Introduction Throughout 2025, we conducted and published several reports related to our research on the Silver Fox APT. In some of them (for example, here), the threat actor delivered the well-known ValleyRAT backdoor, also referred to as Winos or Winos4.0, as the final stage. Since this malware family is widely used, modular, and often associated with Chinese threat actors […]

The post Cracking ValleyRAT: From Builder Secrets to Kernel Rootkits appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 8th December, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES The University of Pennsylvania and the University of Phoenix were hit by data breaches after attackers exploited zero-day vulnerabilities in Oracle E-Business Suite servers. At least 1,488 people at UPenn and numerous […]

The post 8th December – Threat Intelligence Report appeared first on Check Point Research.

By: Dikla Barda, Roman Zaikin, and Oded Vanunu On November 30, 2025, Check Point Research detected a critical exploit targeting Yearn Finance’s yETH pool on Ethereum. Within hours, approximately $9 million was stolen from the protocol. The attacker achieved this by minting an astronomical number of tokens—235 septillion yETH (a 41-digit number)—while depositing only 16 […]

The post The $9M yETH Exploit: How 16 Wei Became Infinite Tokens appeared first on Check Point Research.

By: Isabel Mill & Oded Vanunu OpenAI Codex CLI is OpenAI’s command-line tool that brings AI model-backed reasoning into developer workflows. It can read, edit, and run code directly from the terminal, making it possible to interact with projects using natural language commands, automate tasks, and streamline day-to-day development One of its key features is […]

The post CVE-2025-61260 — OpenAI Codex CLI: Command Injection via Project-Local Configuration appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 1st December, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES OpenAI has experienced a data breach resulting from a compromise at third-party analytics provider Mixpanel, which exposed limited information of some ChatGPT API clients. The leaked data includes names, email addresses, approximate […]

The post 1st December – Threat Intelligence Report appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 24th November, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES The notorious “Scattered LAPSUS$ Hunters” group claimed responsibility for a supply-chain attack involving the Salesforce-integrated platform Gainsight. The group stated that data from 300 organizations was compromised, including Verizon, GitLab and Atlassian. […]

The post 24th November – Threat Intelligence Report appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 17th November, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Cl0p’s Oracle E-Business Suite (CVE-2025-61882) zero-day campaign continues to expand. There are new confirmed breaches at The Washington Post, Logitech, Allianz UK, and GlobalLogic, as well as a newly listed but unconfirmed […]

The post 17th November – Threat Intelligence Report appeared first on Check Point Research.