Forescout Research –
Threat Reports

What We Are Monitoring

Forescout’s Vedere Labs threat research team issues threat reports about topical cyber activities, attacks or vulnerabilities that impact the cybersecurity community at large. The reports include a summary of the incidents and main threat actors, followed by a technical analysis of each incident, list of common vulnerabilities and exposures (CVEs) and affected software, indicators of compromise (IOCs) and mitigation recommendations.


Subscribe to Threat Notifications


2024 Riskiest Devices

Jun. 10, 2024
In 2024, attackers are crossing OT and IT siloes to find entry points across the full spectrum of devices, operating systems and embedded firmware. This year marks our fourth annual Riskiest Connected Devices report detailing the most concerning assets in the enterprise across 10 major vertical industries and by global region.

Better Safe Than Sorry - Proactively identifying at-risk, internet-exposed OT/ICS

Apr. 23, 2024

A recent wave of attacks by the Iranian-affiliated Cyber Av3ngers hacktivist group targeted Israeli-made Unitronics Programmable Logic Controllers (PLCs) around the world. Our research takes a fresh look at the topic by examining the nuanced evolution of exposed OT/ICS data from 2017
to 2024.

Connect:fun Detailing an exploitation campaign targeting FortiClient EMS via CVE-2023-48788

Apr. 11, 2024

In a new threat briefing, Forescout Research – Vedere Labs details an exploitation campaign targeting organizations running Fortinet’s FortiClient EMS which is vulnerable to CVE-2023-48788. We are designating this campaign Connect:fun because of the use of ScreenConnect and Powerfun as post-exploitation tools – our first-ever named campaign…

2023 Global Threat Roundup Report: Trends in cyberattacks, exploits, and malware

Jan. 24, 2024

Throughout last year, the ongoing conflicts and the emergence of new ones, alongside the exploitation of critical vulnerabilities and the growing threat of cybercrime, stood out as pivotal events. Forescout Research – Vedere Labs conducted a thorough analysis of attack-related data and the 2023 threat landscape impacting critical infrastructure. The result is a detailed report providing organizations with tactical insights and strategic recommendations to fortify their defense strategies.

Clearing the Fog of War

Jan. 11, 2024

During geopolitical conflict, criminals, state-sponsored actors and other adversaries take advantage of the chaos to drive new vulnerabilities into the cyber-landscape. In two distinct regions, Denmark and Ukraine, the energy sector has fallen victim. Forescout Research – Vedere Labs conducted an independent analysis of these attacks, delivering new insights and new evidence of the root causes and published its findings in this report, “Clearing the Fog of War.”

DarkGate Loader Malspam Campaign

Oct. 4, 2023

Forescout Vedere Labs has been tracking a new phishing campaign that is abusing Microsoft Teams functionality to send malicious attachments. This Instant Messaging Spam campaign (often called SPIM) was first observed in late August 2023, when Microsoft Teams phishing messages were seen being sent using compromised external Office 365 accounts to other unconnected organizations.

2023H1 Threat Review: Vulnerabilities, Threat Actors and Malware

Sept. 6, 2023

Forescout Vedere Labs looks back at the most relevant cybersecurity events and data during 2023H1 to shed light on the evolving threat landscape and offer mitigation steps. Observations involving building automation devices, network infrastructure and NAS devices confirm increasing threats to unmanaged devices.

Vedere Labs Riskiest Devices

The Riskiest Connected Devices in 2023

Jul. 13, 2023

Since 2020, Forescout Research has been tracking the riskiest devices on organizations’ networks. Our reports are entirely based on data coming directly from connected devices. Throughout the years, we have noticed that although many device types are consistently in these lists – such as IP cameras, VoIP equipment and programmable logic controllers (PLCs) – due either to their inherent criticality or to the persistent lack of attention from security teams, there are other devices whose current risk level reflect developments in the threat landscape.

MOVEit Report

Mass Exploitation of MOVEit Transfer Critical Vulnerability

Jun. 13, 2023

This report analyzes the mass exploitation of CVE-2023-34362, a critical vulnerability in MOVEit Transfer software, a widely adopted managed file transfer (MFT) solution that enables organizations to securely exchange files with their business partners and customers.

Threat Roundup

2022 Threat Roundup Report: The Emergence of Mixed IT/IoT Threats

Mar. 28, 2023

In 2022, cyberattacks grew in intensity, sophistication and frequency. The adoption of new connected devices by organizations in 2023 is likely to pose even greater challenges. To help organizations of all sizes prepare, Forescout’s Vedere Labs has analyzed data gathered in 2022 about cyberattacks, exploits and malware and shared insights via our 2022 Threat Roundup.

Common Ransomware TTPS

Common Ransomware TTPS

Mar. 22, 2023

Forescout’s Vedere Labs analyzes TTPs commonly used in ransomware attacks and gives specific mitigation recommendations, including detection with Forescout XDR. While the TTPs used have remained mostly constant, ransomware has been evolving rapidly since 2020, with the increased use of double extortion, zero-day exploits and targeted attacks on specific organizations vs. casting a wide net.

VMWare Esxi Servers Threat Report

VMware ESXi Servers: A Major Attack Vector for Ransomware

Mar. 9, 2023

Vedere Labs provides details on the recent ransomware campaign targeting VMware ESXi virtualization servers, or hypervisors, and analyzes two payloads used in these attacks: variants of the Royal and Clop ransomware. We also present the TTPs used by attackers in this campaign, discuss mitigation recommendations and list IOCs that can be used for detection or threat hunting.

Royal Ransomware – Analysis of One of the Most Active Ransomware Groups in Late 2022 and Early 2023

Jan. 10, 2023

The Royal ransomware threat actor group, initially tracked as DEV-0569, emerged in early 2022 and has been very active in late 2022-early 2023. It uses double extortion to gain access to a victim’s environment, encrypt their data, exfiltrate sensitive data and demand a ransom to decrypt files. This report analyzes the group’s encryptor payload and TTPs and presents threat hunting opportunities for network defenders.

The Increasing Threat Posed by Hacktivist Attacks: An Analysis of Targeted Organizations, Devices and TTPs

Dec. 1, 2022

Hacktivists expanded their arsenal in 2022 to become much more than a nuisance to critical infrastructure owners – and reach into unexpected industries thanks to the widespread use of IoT and OT equipment. This report describes examples of active hacktivist groups; presents the device types, specific models and protocols these groups have targeted; discusses their TTPs and provides mitigation recommendations.

Threat Briefing: Riskiest Devices

The Riskiest Connected Devices in Enterprise Networks

Oct. 12, 2022

In this report, Vedere Labs identifies the five riskiest connected devices in four categories: IT, IoT, OT and IoMT. We update our findings from 2020 with new entries such as hypervisors and human machine interfaces that represent trends including critical vulnerability and increased OT connectivity.

Research Report Internet Exposure Of Medical Devices And Systems

Internet Exposure of Medical Devices and Systems

Sept. 26, 2022

Vedere Labs found more than 7,000 exposed medical devices and systems on the internet, including PACS, healthcare integration engines, EMRs and medication dispensing systems.

Industroyer2 and INCONTROLLER (PIPEDREAM): In-depth Technical Analysis of the ICS-specific Malware

Jul. 13, 2022

Industroyer2 leverages OS-specific wipers and a dedicated module to communicate over the IEC-104 industrial protocol. INCONTROLLER is a full toolkit containing modules to send instructions to or retrieve data from ICS devices using industrial network protocols, such as OPC UA, Modbus, CODESYS, Machine Expert Discovery and Omron FINS. Additionally, Industroyer2 has a highly targeted configuration, while INCONTROLLER is much more reusable across different targets.

Killnet: Analysis of Attacks from a Prominent Pro-Russian Hacktivist Group

Jun. 2, 2022

In this threat report, Forescout’s Vedere Labs analyzes attacks by pro-Russian hacktivist group Killnet and shows how to mitigate risk of DDoS and other attacks. Killnet stands out as one of the most active groups since Russian invaded Ukraine and has gained notoriety for DDoSing the websites of western critical infrastructure operators such as airports, banks, energy providers and governmental agencies.


R4IoT - Ransomware Evolution

Jun. 1, 2022

In this report, Vedere Labs demonstrates R4IoT: a proof of concept for next-generation ransomware that exploits IoT devices for initial access, targets IT devices to deploy ransomware and cryptominers, and leverages poor OT security practices to cause physical disruption to business operations.

Emotet: The Return of the World’s Most Dangerous Malware

May. 12, 2022

According to CISA, Emotet is among the most costly and destructive malware used against the private and public sectors, and Europol calls it the world’s most dangerous malware. This report shows the result of a dynamic analysis of an Emotet Epoch4 loader sample and presents a list of IoCs extracted from that sample, with recommended mitigations.

Analysis of an ALPHV Incident

Apr. 22, 2022

This report analyzes the files and tools used by an affiliate of the ALPHV ransomware group (aka BlackCat) during an attack that involved penetrating a SonicWall firewall and encrypting a VMware ESXi environment. New findings break down the malware’s sophisticated behavior and present ways to avoid damage.

Night Sky Ransomware

Apr. 12, 2022

The Night Sky ransomware was first reported by MalwareHunterTeam on January 1, 2022. Victims were asked to contact the attackers on contact[.]nightsky[.]cyou to pay for the ransom. If the victims refused to pay, attackers threatened to expose their data on a leak site. This is known as a double extortion ransomware. Night Sky provides an interesting view into the relationships among several ransomware families.


Mar. 30, 2022

LAPSUS$ is a hacking group that has been active since 2021 and has breached several high-profile organizations, starting with major Brazilian government agencies and companies, then moving on to global businesses such as Microsoft, Nvidia and Okta. This loose collective of hackers is notable for using social engineering techniques and focusing on data exfiltration and public extortion rather than data encryption. This briefing reports on the group’s victims, methods and indicators of compromise, and provides mitigation recommendations.

Analysis of Conti Leaks

Mar. 11, 2022

This report is the result of an analysis of the chats, tutorials and tools used by the Conti ransomware groups and leaked via the Twitter handle “ContiLeaks” since the end of February 2022. The report presents intelligence about the group’s organization, attack techniques and victims which can help network defenders to detect and mitigate attacks from Conti and other similar ransomware groups. It does not rely on automatic translation of leaked chats…

Monitoring Cyber Activities Connected to The Russian-Ukrainian Conflict

Mar. 3, 2022

Vedere Labs, Forescout’s threat intelligence and research team, is closely monitoring the evolution of cyber activities connected to the Russian-Ukrainian conflict. We continue to gather information regarding active threats; tactics, techniques and procedures (TTPs); Indicators of Compromise (IoCs); and mitigations.

Top Defense Evasion Techniques

Jul. 25, 2022

An analysis of the top 10 observed defense evasion techniques used by adversaries in malware campaigns and recommendations for detection and mitigation.

TrickBot Banking Trojan

Apr. 8, 2021

An analysis of TrickBot, a dangerous, customizable banking trojan distributed via spear phishing –artifacts and behaviors, techniques, monitoring and mitigation.

The Underlying Risks Found in Healthcare Devices

The Underlying Risks Found in Healthcare Devices

May 2021

Vedere Labs analyzed Device Cloud data from healthcare organizations to determine how TCP/IP stack vulnerabilities affect them. The report details 20 significant findings and provides four critical recommendations to mitigate risks to your organization.

Formbook Infostealer

Feb. 23, 2021

An analysis of Formbook infostealer malware – main execution stages and techniques, key artifacts and behaviors, attachment types and exploited vulnerabilities.

Thanos Ransomware

Jul. 17, 2020

An analysis of the Thanos RaaS, which users can customize to suit their needs. It can evade detection, encrypt and exfiltrate data, and spread over a LAN.


Oct. 19, 2020

An analysis of TeamTNT, the 1st cryptojacking worm to steal AWS credentials, including its main attack phases, artifacts, techniques and goals.


Sept. 1, 2020

An analysis of TA505 APT, known for largescale, worldwide spam campaigns that distribute malware; including its attack vectors, techniques and characteristics.

SunCrypt Ransomware

Sept. 23, 2020

An analysis of a fileless variant of SunCrypt ransomware that uses the PowerShell process to extract and run a SunCrypt payload, making it hard to detect.

StrongPity Spyware

Aug. 7, 2020

An analysis of the StrongPity spyware distributed by the Promethium advanced persistence threat (APT) through spear phishing and watering hole attacks.

PonyFinal Ransomware

Jun. 15, 2020

An analysis of the techniques used by PonyFinal, a Java-based ransomware that targets large organizations.

Maze Ransomware

Jul. 7, 2020

An analysis of the Maze group and multiple variants of its ransomware, which targets Windows systems of large companies and publishes victims’ sensitive data.

Kinsing Cloud Cryptojacker

Apr. 27, 2021

An analysis of the Kinsing cloud cryptojacker, a hard-to-detect Linux-based malware, along with best practices for prevention, detection and mitigation.

Egregor Ransomware

Jan. 29, 2021

An analysis of the Egregor RaaS group and the techniques it uses to gain access, avoid detection and exfiltrate data to extort large companies.


Jul. 2, 2020

How to detect and mitigate CVE-2020-5902, a BIG-IP remote code execution (RCE) vulnerability that has a CVSSv2 score of 10.0 – CRITICAL.

Linux Ransomware

Mar. 2022

An analysis of prominent Linux ransomware variants, which rely on vulnerability exploitation for infection, with a detailed look at REvil RaaS.

Agent Tesla RAT

Feb. 8, 2021

An analysis of the Agent Tesla remote access trojan (RAT), a popular keylogger and information stealer, with recom AgentTesla RAT mendations for detection and mitigation.

Enterprise Things Report

Enterprise of Things Security Report: The State of IoT Security in 2020

Jun. 25, 2021

Vedere Labs identifies the top 10 riskiest devices and helps security teams determine the most effective next steps to secure them.

The APT36 Crimson Remote Access Trojan (RAT)

Dec. 9, 2020

An analysis of multiple variants of APT36’s Crimson remote access trojan (RAT), which exfiltrates files and system data and transfers it to its C2 server.

From Events to TTPs: Maturing OT Incident Response with MITRE ATT&CK for ICS

May 2020

The growing threat landscape for operational technology (OT) networks, exemplified by a number of recent ransomware attacks, has prompted critical infrastructure organizations to better prepare themselves for impactful cyber incidents. To do this, stakeholders responsible for critical infrastructure and services are maturing their security operations centers (SOCs) and increasing their use of cyber threat intelligence (CTI). Many now consider adversarial Tactics, Techniques and Procedures (TTPs) to be their most valuable CTI tool.

Putting Healthcare Security Under the Microscope

Putting Healthcare Security Under the Microscope

May 28 2019

The Internet of Medical Things (IoMT) continues to offer exciting possibilities for healthcare organizations to improve patient care. However, this digital transformation and increase in connectivity is also introducing new privacy and security risks. The device landscape is growing exponentially, adding to the complexity of networks
and making it difficult to manage and improve their security posture.

Credential Harvesting Attacks

May 1, 2020

An analysis of the techniques used to craft spear phishing attacks to steal user credentials, and the most effective ways to detect and prevent them.

Banking on IoT Security Leveraging Device Data to Manage Risk in Financial Services

Banking on Security: Leveraging Device Data to Manage Risk in Financial Services

April 2020

Forescout’s Research team analyzed device deployments from some of the world’s leading financial institutions and identified disturbing findings that indicate a lack of maturity in key areas such as device visibility and network segmentation. The research suggests that many banking and retail devices are within proximity of non-traditional (IoT and OT) devices, exposing networks to elevated opportunities for attackers to move laterally between critical infrastructure and the data center.

APT 10

Jul. 1, 2019

An analysis of Chinese cyber espionage group APT10 including the utilities, malware, and tools and TTPs it uses to steal trade secrets and intellectual property.


Forescout can help detect vulnerable instances of Log4j in your environment, patch or update software, identify ongoing exploits, and segment devices from the network. Review additional resources and articles on how best to protect your environment from vulnerabilities around Log4j.

Learn More


Given the widespread nature of the SolarWinds breach, Vedere Labs has proactively conducted a thorough security review to validate the integrity of our product binaries and security of our software delivery chain.

Learn More
Demo RequestForescout PlatformTop of Page