Fortinet Threat Research.
FortiGuard Labs Threat Research Official blog feed of Fortinet
- The TTF Trap: A Global Campaign of a Low-Detection Lua Loaderon July 16, 2026 at 1:00 pm
FortiGuard Labs analyzes a global phishing campaign using obfuscated JScript, disguised .ttf files, and Lua loaders to deliver RATs and infostealers.
- Analysis of Ongoing Ousaban Attacks Targeting the Iberian Peninsulaon July 1, 2026 at 1:00 pm
FortiGuard Labs analyzes a geofenced Ousaban campaign targeting Spain and Portugal with phishing PDFs, steganography, and evasive C2.
- From CI/CD to Cloud Data: How Shai Hulud Persistence Leads to Redshift Breachon June 26, 2026 at 1:00 pm
See how Shai Hulud-linked CI/CD compromise exposed Jenkins credentials, enabled AWS escalation, and led to Redshift breach activity detected by FortiCNAPP
- Threat Actors Weaponize AI Hype to Deliver AsyncRATon June 11, 2026 at 1:00 pm
FortiGuard Labs analyzes a multi-stage malware campaign that uses fake AI-themed documents, hidden PowerShell scripts, AutoHotkey loaders, and process injection to deploy AsyncRAT and maintain remote access.
- Cybercriminals Are Targeting the FIFA World Cup 2026on June 4, 2026 at 1:00 pm
FortiGuard Labs research shows how cybercriminals are exploiting the demand for the FIFA World Cup 2026 through phishing, fake tickets, malware, impersonation, and credential theft.
- Inside the Cross-Platform Propagation of a New Gafgyt Variant C0XMOon June 3, 2026 at 1:00 pm
FortiGuard Labs analyzes C0XMO, a new Gafgyt variant leveraging DD-WRT exploitation and multi-architecture propagation to expand IoT botnet infections.
- Phishing Campaign Deploys JavaScript-Driven PureLogs Variant to Steal Sensitive Dataon May 26, 2026 at 1:00 pm
FortiGuard Labs analyzed a new phishing campaign that uses obfuscated JavaScript, PowerShell, process hollowing, and PureLogs to steal sensitive data
- Misconfigured, Enrolled and Dormant: Anatomy of a P2Pinfect Kubernetes Compromiseon May 20, 2026 at 1:00 pm
FortiGuard Labs analyzed several P2PInfect compromises in GKE clusters, showing how exposed Redis instances can enable persistent botnet enrollment, dormancy, and cloud runtime risk.
- PureLogs: Delivery via PawsRunner Steganographyon May 15, 2026 at 1:00 pm
FortiGuard Labs has analyzed a steganography-based malware campaign that uses PawsRunner to deliver the PureLogs infostealer, highlighting evolving delivery methods and detection strategies.
- Tracking Mirai Variant Nexcorium: A Vulnerability-Driven IoT Botnet Campaignon April 17, 2026 at 1:00 pm
TBK DVRs targeted by Nexcorium: exploiting, persisting, brute-force attacks, and multi-architecture Mirai-style DDoS in a single campaign. From CVE-2024-3721 exploitation to CVE-2017-17215 reuse, this botnet demonstrates how quickly IoT threats continue to evolve.







