PT ESC Threat Intelligence

    In this blog you can find information about current attacks by hacker groups worldwide, analysis of their tools, incident reports, threat actors' TTPs, indicators of compromise, and detection names in our products.

    If you've been hacked, contact the PT ESC Security Expert Center team for incident investigation.

    Exchange mutations. Malicious code in Outlook pages

    In May 2024, specialists from the Incident Response team at the Positive Technologies Expert Security Center (PT Expert Security Center) discovered an attack using an unknown keylogger injected into the home page of a compromised Exchange Server. In 2025, the Threat Intelligence team, in collaboration with the Vulnerability Analysis team from the PT Expert Security Center, observed similar attacks with no modifications made to the original keylogger code. Further analysis of the JavaScript code on the Outlook login page, and its comparison with the source code of compromised pages, revealed several anomalies not typical for a standard Exchange Server authentication process.

    Team46 and TaxOff: two sides of the same coin

    In March 2025, the Threat Intelligence Department of the Positive Technologies Expert Security Center (PT ESC) analyzed an attack that exploited a Google Chrome zero-day vulnerability (sandbox escape), which was registered around the same time and has since been tracked as CVE-2025-2783. Researchers from Kaspersky described the exploitation of this vulnerability and the attack itself, but the subsequent infection chain remained unattributed.

    Operation Phantom Enigma

    At the beginning of 2025, threat intelligence specialists of the Positive Technologies Security Expert Center discovered a malicious email offering to download a file from a suspicious website. The identified attack chain leads to the installation of a malicious extension for the Google Chrome browser, targeting users in Brazil.

    Crypters And Tools. Part 2: Different Paws — Same Tangle

    In the first part of our research, we analyzed the crypter, Crypters And Tools, which we discovered during investigations into attacks carried out by various threat actors. That article focused on the crypter's internal architecture and its supporting infrastructure. In this second part, we turn our attention to the threat groups that have leveraged the crypter in real-world attacks, their interconnections and distinguishing characteristics, as well as to some of the individual users of Crypters And Tools — several of them appear to be affiliated with the threat groups discussed.

    Crypters And Tools. One tool for thousands of malicious files

    This article is for informational purposes only and does not encourage or condone illegal activities. Our goal is to report on an existing tool used by cybercriminals to generate malicious attack chains aimed at breaching organizations and to warn about the widespread use of such tools globally.

    Desert Dexter. Attacks on Middle Eastern countries

    In February, the Threat Intelligence Department team at the Positive Technologies Expert Security Center (PT ESC) discovered a malicious campaign targeting the Middle East and North Africa and active since September 2024. To distribute malware, the attackers create fake news groups on social media and publish advertisements containing links to a file-sharing service or Telegram channel. These links lead to a version of the AsyncRAT malware, modified to look for cryptocurrency wallets and communicate with a Telegram bot. A similar campaign was described by Check Point in 2019, but some of the techniques used in the kill chain have evolved since then.

    The evolution of Dark Caracal tools: analysis of a campaign featuring Poco RAT

    In early 2024, analysts at the Positive Technologies Expert Security Center (PT ESC) discovered a malicious sample. The cybersecurity community named it Poco RAT after the POCO libraries in its C++ codebase. At the time of its discovery, the sample had not been linked to any known threat group.

    Malicious packages deepseeek and deepseekai published in Python Package Index

    As part of our threat research and monitoring efforts, the Supply Chain Security team of the Threat Intelligence department of the Positive Technologies Expert Security Center (PT ESC) detected and prevented a malicious campaign in the Python Package Index (PyPI) package repository. The attack targeted developers, ML engineers, and ordinary AI enthusiasts who might be interested in integrating DeepSeek into their systems.

    Cloud Atlas: sheet happens

    In November 2024, employees of a Russian government agency discovered a phishing campaign and turned to the PT ESC IR team for assistance in investigating the malicious activity.

    Kids, Don't Copy! The "New" Techniques of the PhaseShifters Group

    In the process of monitoring attacks on Russian organizations, specialists from the Threat Intelligence department of the Positive Technologies Expert Security Center discovered phishing emails and files addressed to various Russian companies, including state-owned ones. After analyzing the context of the attack, as well as the downloaded malware, we were able to attribute these files to the PhaseShifters group.

    Positive Technologies Expert Security Center (PT ESC)

    The Positive Technologies Expert Security Center specializes in detecting, responding to, and investigating complex incidents, as well as monitoring the security of corporate systems.

    +200 experts, +150 completed projects

    PT ESC Services

    • Incident response and investigation of information security incidents
    • Retrospective analysis to identify compromise traces
