LATEST THREAT INTELLIGENCE.

Sneeit WordPress RCE Exploited in the Wild While ICTBroadcast Bug Fuels Frost Botnet Attacks

Description: A critical remote code execution vulnerability (CVE-2025-6389) in the Sneeit Framework WordPress plugin is being actively exploited. The flaw allows unauthenticated attackers to execute code on the server, potentially creating malicious admin accounts or injecting backdoors. Wordfence has blocked over 131,000 attack attempts since November 24, 2025. Concurrently, a separate attack exploiting an ICTBroadcast vulnerability (CVE-2025-2611) is being used to spread the 'Frost' DDoS botnet. This botnet combines DDoS capabilities with spreader logic, including exploits for fifteen CVEs. The attacks appear to be part of a small, targeted operation, given the limited number of vulnerable internet-exposed systems.

Created at: 2025-12-09T12:50:07.844000

Updated at: 2025-12-09T12:51:16.808000

Sharpening the knife: strategic evolution of GOLD BLADE

Description: GOLD BLADE, a threat group previously focused on cyberespionage, has evolved into a hybrid operation combining data theft with selective ransomware deployment. The group has refined its intrusion methods, shifting from traditional phishing to abusing recruitment platforms for delivering weaponized resumes. Their operations follow cycles of dormancy and sudden activity bursts, introducing new tradecraft in each wave. GOLD BLADE has modified its RedLoader infection chain multiple times, implemented a Bring Your Own Vulnerable Driver approach, and developed a custom ransomware called QWCrypt. The group's targeting has narrowed to focus primarily on Canadian organizations across various sectors. Their sophisticated tactics and continual refinement demonstrate a level of operational maturity uncommon among financially motivated actors.

Created at: 2025-12-06T07:31:57.447000

Updated at: 2025-12-09T12:48:36.469000

How Lazarus's IT Workers Scheme Was Caught Live on Camera

Description: This report details an investigation into a North Korean infiltration operation by the Lazarus Group's Famous Chollima division. The operation aims to deploy remote IT workers in American financial and crypto/Web3 companies for corporate espionage and funding. Researchers posed as potential recruits and used sandboxed environments to monitor the operators' activities in real time. The investigation revealed the group's tactics, including identity theft, social engineering, and the use of AI tools. The operators displayed poor operational security, sharing infrastructure and making repeated mistakes. The report provides insights into the group's recruitment methods, toolset, and communication patterns, offering a rare inside view of their operations.

Created at: 2025-12-09T12:38:10.382000

Updated at: 2025-12-09T12:43:20.570000

AI-Automated Threat Hunting Brings GhostPenguin Out of the Shadows

Description: An undocumented Linux backdoor called GhostPenguin was discovered using AI-driven threat hunting. This multi-threaded C++ malware provides remote shell access and file system operations over an encrypted UDP channel. It uses a structured handshake mechanism and synchronizes threads for registration, heartbeat signaling, and command delivery. The discovery involved analyzing zero-detection Linux samples from VirusTotal, extracting artifacts, and using AI for automated profiling. Custom YARA rules and queries helped surface this evasive threat. Analysis revealed GhostPenguin is still in development, with debug artifacts present. The malware's comprehensive capabilities include remote shell access, file manipulation, and directory operations.

Created at: 2025-12-08T16:35:09.029000

Updated at: 2025-12-09T12:35:22.047000

Critical React2Shell Vulnerability Under Active Exploitation by Chinese Threat Actors

Description: A critical vulnerability dubbed 'React2Shell' (CVE-2025-55182) in React Server Components is being actively exploited by Chinese threat actors. The flaw affects multiple versions and packages, allowing arbitrary code execution through crafted HTTP requests. Approximately 39% of scanned cloud environments contain vulnerable React instances, with exploitation attempts showing a near 100% success rate. The vulnerability impacts popular frameworks and libraries bundling react-server. Chinese state-sponsored groups, including Earth Lamia and Jackpot Panda, are reportedly involved in the attacks. Organizations are urged to identify vulnerable assets, apply patches immediately, and block malicious IP addresses associated with exploitation attempts.

Created at: 2025-12-08T17:25:04.500000

Updated at: 2025-12-09T12:33:51.828000

LummaStealer dropped via fake updates from itch.io and Patreon

Description: A malicious campaign targeting indie game platforms such as itch.io and Patreon has been discovered. Attackers are using newly created accounts to spam comments on legitimate games, claiming to offer game updates through Patreon links. These links lead to downloads containing LummaStealer malware. The malware uses multiple anti-analysis techniques, including checks for virtual machines, specific usernames, and processes associated with malware analysis. The payload is delivered through a nexe-compiled JavaScript file, which drops and loads a DLL containing the LummaStealer variant. Despite efforts to remove malicious accounts, new ones continue to appear, indicating an ongoing campaign.

Created at: 2025-12-08T17:25:04.908000

Updated at: 2025-12-09T12:32:48.157000

Campaign uses ClickFix page to push NetSupport RAT

Description: The SmartApeSG campaign, also known as ZPHP or HANEYMANEY, has evolved from using fake browser update pages to employing ClickFix-style fake CAPTCHA pages. This campaign distributes malicious NetSupport RAT packages as its initial infection vector. The attack chain begins with an injected script on compromised websites, which, under certain conditions, displays a fake CAPTCHA page. When users interact with this page, malicious content is injected into the Windows clipboard, prompting users to paste and execute it. This leads to the download and installation of NetSupport RAT, which maintains persistence through a Start Menu shortcut. The campaign frequently changes domains, packages, and C2 servers to evade detection.

Created at: 2025-12-08T17:41:04.344000

Updated at: 2025-12-09T12:31:32.376000

CastleLoader Activity Clusters Target Multiple Industries

Description: Insikt Group has identified four distinct activity clusters associated with GrayBravo's CastleLoader malware, each with unique tactics and victim profiles. This supports the assessment that GrayBravo operates a malware-as-a-service model. One cluster, TAG-160, impersonates logistics firms and uses phishing lures with the ClickFix technique to distribute CastleLoader. Another cluster, TAG-161, impersonates Booking.com and employs similar techniques. The analysis also uncovered potential links to the online persona "Sparja" and the broader cybercriminal ecosystem. GrayBravo demonstrates rapid evolution, technical sophistication, and adaptability in response to public exposure. The report recommends various security measures to defend against these threats.

Created at: 2025-12-09T05:39:34.614000

Updated at: 2025-12-09T12:29:36.690000

Operation FrostBeacon: Multi-Cluster Cobalt Strike Campaign Targets Russia

Description: Operation FrostBeacon is a targeted malware campaign delivering Cobalt Strike beacons to companies in Russia. It uses two infection clusters: one leveraging malicious archive files with LNK shortcuts, and another exploiting the CVE-2017-0199 and CVE-2017-11882 vulnerabilities. Both clusters lead to remote HTA execution and deployment of an obfuscated PowerShell loader that decrypts and runs Cobalt Strike shellcode in memory. The campaign targets finance and legal departments of B2B enterprises in logistics, industrial production, construction, and technical supply. It employs phishing emails with Russian-language lures related to contracts, payments, and legal matters. The infrastructure uses multiple Russian-controlled domains as command-and-control servers.

Created at: 2025-12-08T17:25:05.465000

Updated at: 2025-12-09T10:47:12.991000

From primitive crypto theft to sophisticated AI-based deception

Description: The North Korea-aligned threat actor DeceptiveDevelopment employs social engineering tactics to target software developers, especially those in cryptocurrency and Web3 projects. They use fake job offers and trojanized code challenges to deliver malware such as BeaverTail and InvisibleFerret. The group has evolved to include more sophisticated tools such as TsunamiKit and AkdoorTea. There are connections between DeceptiveDevelopment and North Korean IT worker fraud campaigns, with both groups collaborating and sharing information. The IT workers use AI-generated fake identities and employ proxy interviewers to secure remote jobs, posing risks to employers. This hybrid threat combines traditional fraud with cybercrime, blurring the line between targeted APT activity and financially motivated crime.

Created at: 2025-11-09T04:31:57.088000

Updated at: 2025-12-09T04:03:59.992000