The DeadLock ransomware operation has existed since mid-2025, with most of the first reported sightings in mid-July, according to ThreatScene. Their report mentioned the group “now conducts double extortion” following a subsequent analysis in September 2025, which revealed newer DeadLock payloads…
WatchGuard telemetry identified a campaign associated to Grandoreiro that uses the DLL Side-Loading technique abusing four different softwares, targeting banks in Portugal. Also, it was identified cases of a known campaign that uses a malicious VBS to deliver the malware, targeting companies in…
On April 27, 2026, a ransomware written in Golang was submitted to VirusTotal that appended the '.sorry' string to the encrypted filenames. Upon initial review, this was not the same as the 2018 Sorry ransomware, which was built using the open-source HiddenTear encryptor. This was novel, and that…
A newly disclosed Windows zero-day, dubbed RedSun, is the latest reminder that attackers do not need to break in if they can simply escalate. Discussed in Episode 367 of The 443 podcast, this vulnerability highlights how trusted system processes can be manipulated to gain full system-level access…
WatchGuard telemetry identified two different phishing campaigns targeting Greek, Spanish, Slovenian, Bosnian and Latin and Central American companies, that use different techniques to delivery FormBook malware. FormBook is a data-stealing malware that targets Windows systems, primarily distributed…
Artificial intelligence is no longer just a productivity multiplier. It is becoming a force multiplier for cybersecurity, and potentially for cyber risk. In Episode 366 of The 443, Marc Laliberte and Corey Nachreiner discuss three developments that together paint a clear picture of where the…
When a high-profile code leak hits the internet, the first reaction is usually fascination. Developers want to inspect it. Researchers want to understand how it works. Security teams want to know whether the exposure creates downstream risk. But threat actors often move faster than all three. That…
Most organizations are still focused on stopping attackers at the perimeter. But that’s not how modern attacks are working anymore. In Episode 364 of the 443 Podcast, three stories stood out not as isolated incidents, but as signals of a broader shift in how attackers operate: A potential US ban on…
The Green Blood Group was both the group name and the encryptor name of this operation. The group, or threat actor, operated for about a month, between January 2026 and February 2026. Although it's likely operations began shortly before that, possibly towards the end of 2025. During that time, at…
WatchGuard telemetry identified some malicious files being downloaded by victims, and almost all of them originated in Venezuela, indicating a possible malicious campaign targeting companies in this country. The malicious files are distributed via phishing emails that have a SVG file with a filename…