LATEST THREAT INTELLIGENCE.
Supply chain attack: what you should know
Description: A supply chain attack targeted the eScan antivirus software, distributing malware through the update server. The attack, detected on January 20, involved a malicious Reload.exe file that initiated a multi-stage infection chain. This malware prevented further antivirus updates, ensured persistence through scheduled tasks, and communicated with control servers to download additional payloads. Attackers gained unauthorized access to a regional update server, deploying a malicious file with a fake digital signature. eScan developers quickly isolated the affected infrastructure and reset access credentials. Users are advised to check for infection signs, use a provided removal utility, and block known malware control server addresses. Kaspersky's security solutions successfully detect the malware used in this attack.
Created at: 2026-01-29T17:20:35.658000
Updated at: 2026-02-02T20:56:33.346000
Fake Dropbox Phishing Campaign via PDF and Cloud Storage
Description: A sophisticated phishing campaign has been detected that utilizes a multi-stage approach to evade detection. The attack begins with a procurement-themed email containing a PDF attachment. This PDF redirects victims to another PDF hosted on trusted cloud storage, which then leads to a fake Dropbox login page. The attackers exploit trusted platforms and harmless file formats to bypass security measures. The campaign uses social engineering tactics to harvest credentials, which are then exfiltrated to attacker-controlled infrastructure via Telegram. This method proves effective by leveraging legitimate business processes, trusted file types, and reputable cloud services to appear authentic and bypass automated security checks.
Created at: 2026-02-02T18:31:08.887000
Updated at: 2026-02-02T20:00:29.663000
Dissecting CrashFix: KongTuke's New Toy
Description: KongTuke, a threat actor tracked since 2025, has launched a new campaign using a malicious browser extension called NexShield that impersonates uBlock Origin Lite. The extension causes browser crashes and displays fake security warnings to trick users into executing malicious commands. The campaign targets both home and corporate users, with domain-joined machines receiving a more sophisticated Python-based RAT named ModeloRAT. The attack chain involves multiple stages of obfuscation, anti-analysis techniques, and a Domain Generation Algorithm (DGA) for C2 communication. KongTuke employs extensive fingerprinting to avoid detection in analysis environments. The campaign demonstrates evolving social engineering tactics and a focus on infiltrating enterprise networks for potential lateral movement and data exfiltration.
Created at: 2026-01-17T13:17:09.602000
Updated at: 2026-02-02T17:10:45.444000
Infrastructure of Interest: Medium Confidence Detection
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:39:42.586000
Updated at: 2026-02-02T11:41:33.760000
Infrastructure of Interest: Medium Confidence Command And Control
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with command and control (C2) infrastructure, facilitating malware communication, data exfiltration, and persistent threat actor operations. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:29:37.542000
Updated at: 2026-02-02T11:40:17.484000
MuddyWater: Snakes by the riverbank
Description: MuddyWater, an Iran-aligned cyberespionage group, has been targeting critical infrastructure in Israel and Egypt with custom malware and improved tactics. The campaign uses previously undocumented tools like the Fooder loader and MuddyViper backdoor to enhance defense evasion and persistence. Fooder masquerades as a Snake game and uses game-inspired techniques to hinder analysis. MuddyViper enables system information collection, file manipulation, and credential theft. The group also employs browser-data stealers and reverse tunneling tools. This campaign demonstrates MuddyWater's evolution towards more sophisticated and refined approaches, though traces of operational immaturity remain. The group continues to pose a significant threat, particularly to government, military, telecommunications, and critical infrastructure sectors in the Middle East.
Created at: 2026-01-03T11:05:58.696000
Updated at: 2026-02-02T11:02:09.057000
LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan
Description: ESET researchers have uncovered a new China-aligned APT group named LongNosedGoblin targeting governmental entities in Southeast Asia and Japan for cyberespionage. The group employs a varied custom toolset of C#/.NET applications and abuses Group Policy for lateral movement. Key tools include NosyHistorian for collecting browser history, NosyDoor backdoor using cloud services as C&C, and NosyStealer for exfiltrating browser data. The attackers also utilize techniques like AppDomainManager injection and AMSI bypassing. LongNosedGoblin has been active since at least September 2023, showing ongoing campaigns throughout 2024 and 2025. The research provides detailed analysis of the group's malware and tactics, including potential sharing of the NosyDoor backdoor among multiple China-aligned actors.
Created at: 2026-01-03T11:05:57.103000
Updated at: 2026-02-02T11:02:09.057000
Quick, You Need Assistance!
Description: A Microsoft Teams voice-phishing campaign leveraging Quick Assist, a remote administration tool, was tracked in September 2025. The campaign uses help desk scams to gain initial access, followed by user group enumeration and the execution of a PowerShell script to download a command and control payload. The attack employs AMSI bypass, encrypted communications, and a web-socket remote access trojan. Multiple Microsoft 365 tenants with IT-related subdomains were used, along with various IPs and domains for C2 infrastructure. The campaign shows similarities to Storm-1811 and PhantomCaptcha activities, suggesting a complex cybercrime ecosystem. The attackers' ultimate goal may be ransomware deployment, although observed attempts were successfully blocked.
Created at: 2026-02-02T10:52:24.545000
Updated at: 2026-02-02T10:58:05.600000
DynoWiper update: Technical analysis
Description: ESET researchers provide technical details on a recent data destruction incident affecting a Polish energy company. They identified new data-wiping malware named DynoWiper, attributed to the Russia-aligned threat group Sandworm with medium confidence. The tactics, techniques, and procedures observed during the DynoWiper incident resemble those seen earlier in an incident involving the ZOV wiper in Ukraine. Sandworm has a history of destructive cyberattacks, targeting various entities including energy providers. The DynoWiper samples focus on the IT environment, with no observed functionality targeting OT industrial components. The attackers deployed additional tools and attempted to use a SOCKS5 proxy. The incident represents a rare case of a Russia-aligned threat actor deploying destructive malware against an energy company in Poland.
Created at: 2026-01-30T18:42:13.717000
Updated at: 2026-02-02T10:46:48.879000
Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft
Description: Threat actors associated with ShinyHunters-branded extortion operations are expanding their tactics, targeting cloud-based SaaS applications for data theft and extortion. The attackers use sophisticated voice phishing and credential harvesting to gain initial access, then exfiltrate sensitive data from various platforms. They employ aggressive extortion tactics, including harassment and DDoS attacks. The activity involves multiple threat clusters (UNC6661, UNC6671, UNC6240) and targets a growing number of cloud platforms. The attackers leverage social engineering to bypass MFA and use tools like ToogleBox Recall to cover their tracks. This activity highlights the effectiveness of social engineering and the importance of phishing-resistant MFA methods.
Created at: 2026-01-31T08:41:02.930000
Updated at: 2026-02-02T10:43:23.359000
