PT ESC Threat Intelligence

Exchange mutations. Malicious code in Outlook pages

In May 2024, specialists from the Incident Response team at the Positive Technologies Expert Security Center (PT Expert Security Center) discovered an attack using an unknown keylogger injected into the home page of a compromised Exchange Server. In 2025, the Threat Intelligence team, in collaboration with the Vulnerability Analysis team from the PT Expert Security Center, observed similar attacks with no modifications made to the original keylogger code. Further analysis of the JavaScript code on the Outlook login page, and its comparison with the source code of compromised pages, revealed several anomalies not typical of a standard Exchange Server authentication process.

Team46 and TaxOff: two sides of the same coin

In March 2025, the Threat Intelligence Department of the Positive Technologies Expert Security Center (PT ESC) analyzed an attack that exploited a Google Chrome zero-day vulnerability (sandbox escape), which was registered around the same time and has since been tracked as CVE-2025-2783. Researchers from Kaspersky described the exploitation of this vulnerability and the attack itself, but the subsequent infection chain remained unattributed.

Operation Phantom Enigma

At the beginning of 2025, threat intelligence specialists of the Positive Technologies Expert Security Center discovered a malicious email offering to download a file from a suspicious website. The identified attack chain leads to the installation of a malicious extension for the Google Chrome browser, targeting users in Brazil.

Crypters And Tools. Part 2: Different Paws — Same Tangle

In the first part of our research, we analyzed the crypter, Crypters And Tools, which we discovered during investigations into attacks carried out by various threat actors. That article focused on the crypter's internal architecture and its supporting infrastructure. In this second part, we turn our attention to the threat groups that have leveraged the crypter in real-world attacks, their interconnections and distinguishing characteristics, as well as to some of the individual users of Crypters And Tools — several of them appear to be affiliated with the threat groups discussed.

Crypters And Tools. One tool for thousands of malicious files

This article is for informational purposes only and does not encourage or condone illegal activities. Our goal is to report on an existing tool used by cybercriminals to generate malicious attack chains aimed at breaching organizations and to warn about the widespread use of such tools globally.

Desert Dexter. Attacks on Middle Eastern countries

In February, the Threat Intelligence Department team at the Positive Technologies Expert Security Center (PT ESC) discovered a malicious campaign targeting the Middle East and North Africa and active since September 2024. To distribute malware, the attackers create fake news groups on social media and publish advertisements containing links to a file-sharing service or Telegram channel. These links lead to a version of the AsyncRAT malware, modified to look for cryptocurrency wallets and communicate with a Telegram bot. A similar campaign was described by Check Point in 2019, but some of the techniques used in the kill chain have evolved since then.

The evolution of Dark Caracal tools: analysis of a campaign featuring Poco RAT

In early 2024, analysts at the Positive Technologies Expert Security Center (PT ESC) discovered a malicious sample. The cybersecurity community named it Poco RAT after the POCO libraries in its C++ codebase. At the time of its discovery, the sample had not been linked to any known threat group.

Malicious packages deepseeek and deepseekai published in Python Package Index

As part of our threat research and monitoring efforts, the Supply Chain Security team of the Threat Intelligence department of the Positive Technologies Expert Security Center (PT ESC) detected and prevented a malicious campaign in the Python Package Index (PyPI) package repository. The attack targeted developers, ML engineers, and ordinary AI enthusiasts who might be interested in integrating DeepSeek into their systems.

Cloud Atlas: sheet happens

In November 2024, employees of a Russian government agency discovered a phishing campaign and turned to the PT ESC IR team for assistance in investigating the malicious activity.

TaxOff: um, you've got a backdoor...

In Q3 2024, the Positive Technologies Expert Security Center (PT ESC) TI Department discovered a series of attacks on Russian government agencies. We were unable to establish any connection with known groups using the same techniques. The main goal was espionage and gaining a foothold to follow through on further attacks. We dubbed the group TaxOff because of their legal and finance-related phishing emails leading to a backdoor written in at least C++17, which we named Trinper after the artifact used to communicate with C2.
