Virus Bulletin

Security information portal, testing and certification body.
Organisers of the annual Virus Bulletin conference.
Huntress researchers Anna Pham & Michael Tigges write about having observed the use of Nightmare-Eclipse tooling - including BlueHammer, RedSun and UnDefend - during a real-world intrusion investigation. https://www.huntress.com/blog/nightmare-eclipse-intrusion
ReversingLabs looks into QR code phishing, or quishing - a fast-growing attack vector that is actively evolving to bypass traditional defences and detection measures. https://www.reversinglabs.com/blog/qr-code-phishing-evolves
The Acronis Threat Research Unit identified a new variant of the LOTUSLITE backdoor with a theme related to India's banking sector, delivered via DLL sideloading using a legitimate Microsoft-signed executable. https://www.acronis.com/en/tru/posts/same-packet-different-magic-mustang-panda-hits-indias-banking-sector-and-korea-geopolitics/
Netskope's Jan Michael Alcantara looks at a ClickFix campaign targeting both Windows & macOS users and details the infection chain that delivers an AppleScript-based infostealer to macOS users. https://www.netskope.com/jp/blog/macos-clickfix-campaign-applescript-stealers-new-terminal-protections
Trellix researchers analyse PureRAT, a multi-stage fileless RAT utilizing steganography & process hollowing. The modular architecture allows operators to deploy specialized plugins for environmental monitoring, keylogging, or remote desktop access on demand. https://www.trellix.com/blogs/research/purerat-fileless-utilizing-steganography-process-hollowing/
Check Point researchers look into The Gentlemen RaaS program, which is rapidly gaining popularity, attracting numerous affiliates and publicly claiming over 320 victims, with the majority of attacks occurring in the first months of 2026. https://research.checkpoint.com/2026/dfir-report-the-gentlemen/
The Splunk Threat Research team is tracking a new malware campaign with a specific loader that’s currently pushing two very different threats at once: Gh0st RAT & CloverPlus adware - giving the attackers long-term control of systems while they make quick profits. https://www.splunk.com/en_us/blog/security/detecting-ghost-rat-cloverplus-adware-loader-analysis.html
DomainTools assesses with high confidence that the personas 'Homeland Justice', 'Karma' & 'Handala' constitute a coordinated, MOIS-aligned cyber influence ecosystem operating under multiple branded identities that serve distinct but complementary operational roles. https://dti.domaintools.com/research/mois-linked-moist-grasshopper-homeland-justice-karmabelow80-handala-hackers-campaigns-and-evolution
Validin's Efstratios Lontzetidis & Christos Fotopoulos look into a UNC1069 campaign targeting individuals by luring them into fraudulent meetings hosted by fake companies. The malware used appears to be updated variants of Cabbage RAT. https://www.validin.com/blog/i_cant_hear_you_unc1069/
The Huntress Security Operations Center has seen an uptick in incidents involving compromised Bomgar remote monitoring & management (RMM) instances. In some cases threat actors have used the compromised Bomgar instances to deploy the LockBit ransomware. https://www.huntress.com/blog/uptick-bomgar-exploitation