LATEST THREAT INTELLIGENCE.
UNC1069 Targets Cryptocurrency Sector with New Tooling and AI-Enabled Social Engineering
Description: North Korean threat actor UNC1069 has evolved its tactics to target the cryptocurrency and decentralized finance sectors. In a recent intrusion, they deployed seven unique malware families, including new tools SILENCELIFT, DEEPBREATH, and CHROMEPUSH, designed to capture host and victim data. The attack utilized social engineering involving a compromised Telegram account, fake Zoom meeting, and reported AI-generated video. UNC1069 has shifted from spear-phishing to targeting Web3 industry entities like centralized exchanges, software developers, and venture capital firms. The intrusion demonstrated sophisticated techniques to bypass macOS security features and harvest credentials, browser data, and cryptocurrency information. This marks a significant expansion in UNC1069's capabilities and highlights their focus on financial theft and fueling future social engineering campaigns.
Created at: 2026-02-09T19:29:20.975000
Updated at: 2026-02-12T14:41:53.254000
Infrastructure of Interest: Medium Confidence InfoStealer
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with infostealer malware, designed to harvest sensitive data such as credentials, cookies, and financial information from compromised systems. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations involving data theft. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:31:55.617000
Updated at: 2026-02-12T14:19:12.987000
Nation-State Actors Exploit Notepad++ Supply Chain
Description: Between June and December 2025, state-sponsored threat group Lotus Blossom compromised the hosting infrastructure for Notepad++, allowing them to intercept and redirect update traffic. This enabled selective targeting of users primarily in Southeast Asian government, telecommunications and critical infrastructure sectors. Two infection chains were identified - one using Lua script injection to deliver Cobalt Strike and another using DLL side-loading for a Chrysalis backdoor. The campaign affected additional sectors across South America, US, Europe and Southeast Asia including cloud hosting, energy, financial, government, manufacturing and software development. The attack exploited insufficient verification in older versions of the Notepad++ updater to serve malicious installers to targeted victims.
Created at: 2026-02-12T01:20:03.195000
Updated at: 2026-02-12T09:33:55.958000
Fake 7-Zip downloads are turning home PCs into proxy nodes
Description: A convincing lookalike of the popular 7-Zip archiver site has been serving a trojanized installer that silently converts victims' machines into residential proxy nodes. The fake site, 7zip[.]com, distributes a functional copy of 7-Zip alongside concealed malware. The malware deploys three components: Uphero.exe (service manager), hero.exe (proxy payload), and hero.dll (supporting library). It establishes persistence through Windows services, manipulates firewall rules, and profiles the host system. The primary function is to enroll infected hosts as residential proxy nodes, allowing third parties to route traffic through victims' IP addresses. This campaign appears to be part of a broader operation with similar tactics used for other fake installers. The malware incorporates multiple evasion techniques and uses encrypted communications.
Created at: 2026-02-12T09:29:41.485000
Updated at: 2026-02-12T09:31:45.727000
The game is over: when “free” comes at too high a price. What we know about RenEngine
Description: A widespread campaign is distributing the RenEngine loader malware disguised as pirated games and software. The loader uses a modified Ren'Py game engine to deliver payloads like Lumma and ACR stealers. It employs sophisticated techniques including sandbox evasion, process injection, and modular design. The infection chain involves decrypting and launching malicious code through legitimate applications. RenEngine has affected users globally, with Russia, Brazil, Turkey, Spain and Germany most impacted. The campaign highlights risks of pirated software and the need for robust security measures.
Created at: 2026-02-11T16:29:19.424000
Updated at: 2026-02-11T21:46:24.463000
Analyzing a Multi-Stage AsyncRAT Campaign via Managed Detection and Response
Description: Threat actors exploited Cloudflare's free-tier infrastructure and Python environments to deploy AsyncRAT, demonstrating advanced evasion techniques. The attack begins with phishing emails containing Dropbox links to malicious files. It uses legitimate Python downloads and sophisticated code injection targeting explorer.exe. The campaign ensures persistence through multiple vectors, including startup folder scripts and WebDAV mounting. It abuses trusted infrastructure like Cloudflare to mask activities and evade detection. The attackers employ social engineering tactics, such as displaying legitimate PDF documents, to reduce suspicion. This campaign highlights the trend of abusing cloud services for malware delivery and execution, emphasizing the need for multi-layered security approaches.
Created at: 2026-01-12T20:30:28.074000
Updated at: 2026-02-11T20:03:02.761000
Infrastructure of Interest: Medium Confidence FastFlux
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous DNS patterns, behavioral analysis of rapid IP rotation, and cross-referenced intelligence from global sinkhole data and network telemetry. The IOCs included in this pulse are associated with Fastflux networks, characterized by constantly changing IP addresses and DNS records to evade detection while maintaining resilient malicious infrastructure for phishing, malware delivery, or C2 operations. Use this data to enhance DNS-based detection rules, identify flux parent domains, and disrupt threat actor network resilience. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:34:03.778000
Updated at: 2026-02-11T14:18:48.482000
A Peek Into Muddled Libra's Operational Playbook
Description: Unit 42 discovered a rogue virtual machine used by the cybercrime group Muddled Libra during an incident response investigation. The VM provided insights into the group's operational methods, including reconnaissance, tool downloads, persistence establishment, certificate theft, and interactions with the target's infrastructure. Muddled Libra created the VM after gaining unauthorized access to the target's VMware vSphere environment. The group's tactics involve minimal malware use, preferring to leverage the target's assets. Their attack chain included creating a VM, downloading tools, establishing C2, using stolen certificates, and attempting data exfiltration. The article details the group's activities, tools used, and troubleshooting efforts during the attack.
Created at: 2026-02-11T03:22:16.986000
Updated at: 2026-02-11T10:50:00.339000
Deep Dive into New XWorm Campaign Utilizing Multiple-Themed Phishing Emails
Description: A sophisticated phishing campaign delivering XWorm RAT has been identified. The attack chain begins with themed emails containing malicious Excel attachments exploiting CVE-2018-0802. When opened, the file downloads an HTA file, which executes PowerShell code to retrieve a fileless .NET module. This module then uses process hollowing to inject the XWorm payload into Msbuild.exe. XWorm 7.2 employs encrypted C2 communication and offers extensive features through plugins, including system control, data theft, DDoS capabilities, and ransomware functionality. The analysis reveals XWorm's modular architecture and advanced evasion techniques, highlighting it as a significant threat.
Created at: 2026-02-10T18:02:35.699000
Updated at: 2026-02-11T10:47:16.548000
AI/LLM-Generated Malware Used to Exploit React2Shell
Description: Darktrace identified an AI-generated malware sample exploiting the React2Shell vulnerability in its honeypot environment. The incident demonstrates how LLM-assisted development enables low-skill attackers to rapidly create effective exploitation tools. The attack chain involved spawning a container named 'python-metrics-collector' on an exposed Docker daemon, downloading and executing a Python script, and deploying a XMRig crypto miner. The malware sample featured thorough code documentation and lacked typical obfuscation, indicating AI generation. This highlights the growing trend of AI-enabled cyber threats that are now operational and accessible to anyone, posing new challenges for defenders.
Created at: 2026-02-10T17:46:07.573000
Updated at: 2026-02-11T09:50:07.275000
