Research /var/log/messages

Our research findings are for everyone’s benefit.

Featured Publication

Domain-specific prompt injection detection

This article demonstrates a practical approach to detect prompt injection attempts in LLM applications using a domain-specific dataset. We fine-tune a DistilBERT model to train a classifier that is able differentiate between legitimate inputs and potential injection attempts.

Our Publications

August 5, 2024

WEEVILPROXY: An evasive and sophisticated malware campaign silently targeting crypto users across the globe

The malware campaign targets cryptocurrency users, a user base estimated to be in the hundreds of millions which has emerged as a viable and effective lure to infect users and organizations across all sectors alike.

The campaign targets victims globally, with infections observed across each continent. Although the campaign targets cryptocurrency users, WithSecure has observed non-cryptocurrency-related organizations in Europe being infected by the malware due to cross-contamination introduced by personal browsing of victims on their corporate machines.

August 5, 2024

KeePass trojanised in advanced malware campaign

Don’t drop password managers (but password managers shouldn’t drop malware).

August 5, 2024

SAP NetWeaver CVE-2025-31324 Exploitation

WithSecure detected an attack that first began with the exploitation of CVE-2025-31324 in March 2025, suggesting that this vulnerability has been known to criminals and exploited for some time.

August 5, 2024

Leveraging EDR Behavioral Data for Zero-Day Vulnerability Discovery and Triage of Known Vulnerabilities

At WithSecure, we have the benefit of a comprehensive set of capabilities, allowing us to conduct research on how to better integrate our various services. One such topic has been the use of behavioral information provided by Endpoint Detection and Response (EDR) to detect potential privilege escalation vulnerabilities.

August 5, 2024

CrazyHunter: The Rising Threat of Open-Source Ransomware

A ransomware attack on the Mackay Memorial hospital in Taiwan is the latest example of a growing number of incidents revolving around publicly available, offensive tools and code that threat actors are utilizing. The ransomware encryptor used in this incident, dubbed “CrazyHunter”, was built using a ransomware builder called “Prince Ransomware” which was publicly available on GitHub. WithSecure has observed a growing number of actors employing this specific ransomware builder in ransomware attacks.

August 5, 2024

Cyber Threat Landscape – European Mid Market 2025

Tim West, WithSecure’s Director, Threat Intelligence & Outreach, takes a deep dive in to the cyber threat landscape of the European mid-market, in order to discover what we should expect over the course of this year and where the key battlegrounds will be fought in 2025.