Skip to content

Blog

How attackers are gaining access to LLM inference

This article is based on joint research with Eran Segal, researcher at Kodem Security. The most capable commercial AI models are now useful enough to attackers that they have become an integral part of their kill chain, in multiple steps. The Cybench benchmark tests models on offensive cyber tasks. Its current top performers (Claude Opus 4.6, Claude Sonnet 4.5, Grok 4) can write functional exploit code, reason through credential chains, and sustain complex reconnaissance workflows: multi-step offensive work that previously required human expertise. Malware families are already using this. Instead of generating a payload offline and shipping it, they wire a live LLM API into the malware itself so it can adapt its behavior at runtime on the infected host.

Read more →

June 3, 2026

OrBit (Re)turns: Tracking an Open-Source Linux Rootkit Across Four Years of Forks and Deployments

Introduction In July 2022, we published the first analysis of OrBit, a then-undocumented Linux userland-rootkit that stood out for its comprehensive libc hooking, SSH backdoor access, and PAM-based credential harvesting. At the time, OrBit appeared as a single sample with a single operator fingerprint, and the codebase itself looked customized. It wasn’t. As we will show below, OrBit is a repackaged and selectively weaponized build of Medusa, an open-source LD_PRELOAD rootkit published on GitHub in December 2022. The story of OrBit’s four-year evolution is not one of novel development; it’s the story of how a publicly available rootkit was forked, configured, and redeployed.

Read more →

May 14, 2026

Tracing a Paper Werewolf Campaign Through Ai Generated Decoys and Excel Xlls

An XLL is a native Windows DLL that Excel loads as an add-in, allowing it to execute arbitrary code through exported functions like xlAutoOpen. Since at least mid-2017, threat actors began abusing Microsoft Excel add-ins via the .XLL format, the earliest documented misuse is by the threat group APT10 (aka Stone Panda / Potassium) injecting backdoor payloads via XLLs. Since 2021, a growing number of commodity malware families and cyber-crime actors have added XLL-based delivery to their arsenals. Notable examples include Agent Tesla and Dridex, researchers observed an increase of these malware being dropped via malicious XLL add-ins.

Read more →

December 19, 2025

Frankenstein Variant of the Toneshell Backdoor Targeting Myanmar

ToneShell is a lightweight backdoor tied to the China-nexus group Mustang Panda. Typically delivered via DLL sideloading inside compressed archives with legitimate signed executables and often spread through cloud-hosted lures. Zscaler’s 2025 analysis described updates to its FakeTLS C2 (shifting from TLS 1.2- to 1.3-style headers), use of GUID-based host IDs, a rolling-XOR scheme, and a minimal command set for file staging and interactive shell access. Notably, some of this activity was observed in Myanmar, a region of strategic importance to China. Targeting Myanmar is particularly interesting as it reflects China’s broader geopolitical interests, spanning border security, infrastructure projects, and political developments, and highlights how cyber operations are leveraged to maintain influence in neighboring states.

Read more →

September 10, 2025

Fire in the Woods – A New Variant of FireWood

A new and low-detected variant of the FireWood backdoor was discovered by Intezer’s Research Team, with some changes in the implementation and the configuration of the backdoor. FireWood is a Linux backdoor discovered by ESET’s research team. They linked it to the long‑running “Project Wood” malware lineage, which dates back to at least 2005 and includes usage in the earlier Operation TooHash campaign. It functions as a remote access trojan (RAT) on Linux systems, employing kernel‑level rootkit modules (e.g., usbdev.ko) and TEA‑based encryption to hide its presence, maintain persistence, and communicate covertly with its command‑and‑control infrastructure. Once deployed, likely via web shells left on compromised Linux desktops, it enables attackers to execute commands, exfiltrate sensitive data such as system information and credentials, and operate stealthily over prolonged espionage operations. The backdoor has low confidence connections to the China-aligned Gelsemium APT group, as the overlaps may be coincidental or reflect shared tools across multiple groups.

Read more →

August 13, 2025

Emerging Phishing Techniques New Threats and Attack Vectors

Phishing remains one of the most prevalent and successful attack vectors used by cybercriminals today. It exploits human psychology, leveraging deception to trick users into revealing sensitive information or executing malicious actions. Attackers continuously evolve tactics to bypass modern email and endpoint security solutions, making detecting and mitigating phishing attempts increasingly difficult. And despite advancements in cybersecurity tools, many phishing campaigns still successfully reach users’ inboxes. At Intezer, we triage millions of alerts for enterprises around the globe and have implemented a rigorous quality assurance process to ensure that our verdicts are the most accurate and up-to-date. From this extensive dataset, the Intezer research team is able to pinpoint emerging trends in the phishing and malware ecosystems. That said, our team has observed four phishing threats and techniques gaining traction, all of which successfully bypassed email protections and reached the intended victims. These methods demonstrate the increasing sophistication of threat actors and highlight the need for improved detection mechanisms.

Read more →

April 23, 2025

Weaponized Software Targets Chinese

Overview of the Attack Intezer Labs research team has identified a series of attacks targeting organizations in Chinese-speaking regions like Hong Kong, Taiwan, and China itself. These attacks utilize a multi-stage loader, which we named PNGPlug, to deliver the ValleyRAT payload. A similar attack chain is documented in this report, which sheds light on the infection vector and the method of delivering the malicious files. According to the report, the attack begins with a phishing webpage designed to encourage victims to download a malicious MSI (Microsoft Installer) package disguised as legitimate software.

Read more →

January 16, 2025

Babble Babble Babble Babble Babble Babble BabbleLoader

Loaders, an Ever Evolving Market The pace of innovation and development in the malware detection market is relentless, the same goes for the development of malware itself. Constantly charging and adapting to create ever more evasive and capable payloads. One such sector of this market is the loader (also called crypter or packer) market. In today’s threat landscape, loaders have become a critical tool in cybercrime operations, serving as the backbone for delivering a range of malicious payloads. Loaders are often the first stage in an attack chain, designed to stealthily execute or inject malware, such as info-stealers or ransomware, into a target system. Their prevalence reflects an evolution in tactics, allowing threat actors to evade traditional antivirus defenses through techniques like in-memory execution and anti-analysis features. Widely available for purchase or lease on underground markets, loaders are now a commodity in malware distribution, making sophisticated attack methods accessible to a broader range of actors and adaptable across diverse campaigns and targets.

Read more →

November 17, 2024

Technical Analysis of a Novel IMEEX Framework

The IMEEX framework is a newly discovered, custom-built malware designed to target Windows systems. Delivered as a 64-bit DLL, it offers attackers extensive control over compromised machines. This framework is notable for its robust capabilities, featuring a wide array of functionalities, including execution of additional modules, file manipulation, process management, registry modification, and remote command execution. It also performs system reconnaissance by gathering critical system information, such as hostname, operating system version, volume serial number, and system language, and relays this data to its command-and-control (C2) server.

Read more →

October 10, 2024

WildCard: The APT Behind SysJoker Targets Critical Sectors in Israel

Our research team has identified a new APT group, dubbed “WildCard,” initially detected through its use of the SysJoker malware, which targeted Israel’s educational sector in 2021. WildCard has since expanded its reach, creating sophisticated malware variants disguised as legitimate software, and a recently developed malware called ‘RustDown,’ written in Rust for potential operational advantages. Connections to Operation ElectricPowder indicate WildCard’s advanced capabilities with a focus on critical sectors within Israel. While we’ve begun to understand WildCard’s tactics and methods, their precise identity is still enigmatic, demanding deeper analysis and collaboration within the infosec community.

Read more →

November 27, 2023