Virus Bulletin

Security information portal, testing and certification body.
Organisers of the annual Virus Bulletin conference.

The VB2026 Call for Papers is closing in just 2 days.

Your research deserves a global stage. If you have insights, research or real-world experiences to share with the security community, this is your last chance to submit your proposal for VB2026 Seville. 🎤

Deadline: 9 April 2026

Click for more info ➡️ https://www.virusbulletin.com/conference/vb2026/call-papers/

Researchers at DomainTools look into the current compartmentalization & diversity of the DPRK malware ecosystem. North Korea’s cyber programme has evolved into a deliberately fragmented structure - optimized for mission specialization, operational resilience & attribution resistance. https://dti.domaintools.com/research/dprk-malware-modularity-diversity-and-functional-specialization

Trend Micro's Jacob Santos, Sophia Nilette Robles & Jeffrey Francis Bonaobra show how an error in Anthropic’s Claude Code npm release was weaponized into an AI-themed campaign to distribute Vidar stealer and GhostSocks proxy malware. https://www.trendmicro.com/en_us/research/26/d/weaponizing-trust-claude-code-lures-and-github-release-payloads.html

Rapid7 researchers discovered seven new variants of BPFDoor, a stealthy kernel-level backdoor that uses Berkeley Packet Filters (BPFs) to inspect traffic from right inside the operating system kernel. https://www.rapid7.com/blog/post/tr-new-whitepaper-stealthy-bpfdoor-variants/

ASEC reports that Kimsuky has changed how it distributes malicious LNK files. While the end goal remains the same - execution of a Python-based backdoor or downloader - the group has reworked the intermediate stage into a more complex multi-step chain. https://asec.ahnlab.com/en/93151/

Team Cymru profiles Yurei, a double extortion ransomware campaign active since Sept 2025, with links to Prince Ransomware and possible ties to SatanLockv2. Despite its low public victim count, the exposed operator toolkit shows initial access, discovery, credential theft, defence evasion, and lateral movement. https://www.team-cymru.com/post/yurei-double-extortion-ransomware-campaign-toolkit
Yurei Double Extortion Ransomware: Operator Toolkit and Analysis

Analyze the Yurei double extortion ransomware campaign, including its toolkit, attack lifecycle, and key tactics used by operators.

The BitSight Threat Research Team examines the Phorpiex botnet’s Twizt variant, focusing on its current TTPs, recent targets, and the new payloads. The write-up underlines how this long-running botnet continues to adapt and remain a relevant threat. https://www.bitsight.com/blog/ransomware-twizt-inside-phorpiex-botnet

Elastic Security Labs shows why static detection often fails against Linux rootkits, even with only trivial binary changes. The article covers shared object loading, dynamic linker abuse, LKM activity, eBPF, io_uring, persistence, and defence evasion. https://www.elastic.co/security-labs/linux-rootkits-2-caught-in-the-act
Hooked on Linux: Rootkit Detection Engineering — Elastic Security Labs

In this second part of a two-part series, we explore Linux rootkit detection engineering, focusing on the limitations of static detection reliance, and the importance of rootkit behavioral detection.

Proofpoint Threat Research Team reports that China-aligned TA416 resumed targeting European government and diplomatic organizations from mid-2025. They also observed a March 2026 expansion into Middle Eastern diplomatic and government entities, alongside evolving PlugX delivery chains. https://www.proofpoint.com/us/blog/threat-insight/id-come-running-back-eu-again-ta416-resumes-european-government-espionage

Microsoft Defender Security Research Team reports a WhatsApp-delivered malware campaign that uses malicious VBS files to kick off a multi-stage infection chain. The activity blends social engineering and living-off-the-land techniques, pulling payloads from AWS, Tencent Cloud & Backblaze B2 before installing malicious MSI packages. https://www.microsoft.com/en-us/security/blog/2026/03/31/whatsapp-malware-campaign-delivers-vbs-payloads-msi-backdoors/