Labs Archive

PhantomCaptcha | Multi-Stage WebSocket RAT Targets Ukraine in Single-Day Spearphishing Operation

Tom Hegel / October 22, 2025

SentinelLABS uncovers a coordinated spearphishing campaign targeting organizations critical to Ukraine's war relief efforts.

LABScon

LABScon25 Replay | Auto-Poking The Bear: Analytical Tradecraft In The AI Age

LABScon / October 9, 2025

AI agents promise speed, but at what cost to trust? Dreadnode’s Wendiggensen & Palm unpack this dilemma through a hands-on study of leaked Russian data.

Security Research

Prompts as Code & Embedded Keys | The Hunt for LLM-Enabled Malware

Alex Delamotte, Vitaly Kamluk & Gabriel Bernadett-Shapiro / September 19, 2025

LLM-enabled malware poses new challenges for detection. SentinelLABS presents groundbreaking research on how to hunt for this new class of threats.

Adversary

Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms

Aleksandar Milenkoski, Sreekar Madabushi (Validin) & Kenneth Kinion (Validin) / September 4, 2025

DPRK-aligned threat actors abuse CTI platforms to detect infrastructure exposure and scout for new assets.

Crimeware

Smart Contract Scams | Ethereum Drainers Pose as Trading Bots to Steal Crypto

Alex Delamotte / August 5, 2025

Crypto scammers use fake YouTube bots, AI videos, and obfuscated smart contracts to steal $900K+, targeting unwary traders.

Advanced Persistent Threat

Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem

Jim Walter, Alex Delamotte, Beazley Security’s Francisco Donoso, Sam Mayers, Tell Hause & Bobby Venal / August 4, 2025

PXA Stealer uses advanced evasion and Telegram C2 to steal global victim data, fueling a thriving cybercrime market.

Advanced Persistent Threat

China’s Covert Capabilities | Silk Spun From Hafnium

Dakota Cary / July 30, 2025

China-linked hackers used patented spyware tech from front companies tied to Hafnium, exposing gaps in cyber threat attribution.

25 MKTG Comms Blog 022 Generic LABS Blog Images 07

Advanced Persistent Threat

macOS NimDoor | DPRK Threat Actors Target Web3 and Crypto Platforms with Nim-Based Malware

Phil Stokes & Raffaele Sabato / July 2, 2025

NimDoor shows how threat actors are continuing to explore cross-platform languages that introduce new levels of complexity for analysts.

Advanced Persistent Threat

Follow the Smoke | China-nexus Threat Actors Hammer At the Doors of Top Tier Targets

Aleksandar Milenkoski & Tom Hegel / June 9, 2025

This report uncovers a set of related threat clusters linked to PurpleHaze and ShadowPad operators targeting organizations, including cybersecurity vendors.

Security Research

FreeDrain Unmasked | Uncovering an Industrial-Scale Crypto Theft Network

Tom Hegel, Kenneth Kinion (Validin) & Sreekar Madabushi (Validin) / May 8, 2025

FreeDrain is a modern, scalable phishing operation exploiting weaknesses in free publishing platforms to steal cryptocurrency on a global scale.

LABScon25 Replay | LLM-Enabled Malware In the Wild

PhantomCaptcha | Multi-Stage WebSocket RAT Targets Ukraine in Single-Day Spearphishing Operation

LABScon25 Replay | Auto-Poking The Bear: Analytical Tradecraft In The AI Age

Prompts as Code & Embedded Keys | The Hunt for LLM-Enabled Malware

Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms

Smart Contract Scams | Ethereum Drainers Pose as Trading Bots to Steal Crypto

Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem

China’s Covert Capabilities | Silk Spun From Hafnium

macOS NimDoor | DPRK Threat Actors Target Web3 and Crypto Platforms with Nim-Based Malware

Follow the Smoke | China-nexus Threat Actors Hammer At the Doors of Top Tier Targets

FreeDrain Unmasked | Uncovering an Industrial-Scale Crypto Theft Network