LATEST THREAT INTELLIGENCE.
Chrome Extensions: Are you getting more than you bargained for?
Description: This analysis reveals the hidden dangers of certain Chrome extensions available on the Google Chrome Web Store. Despite the store's vetting process, some malicious extensions have slipped through, compromising user security. The study examines four examples of extensions with combined user bases exceeding 100,000, showcasing various security risks. These include undisclosed clipboard access to remote domains, data exfiltration, remote code execution capabilities, search hijacking, and cross-site scripting vulnerabilities. The extensions employ tactics such as command-and-control infrastructure with domain generation algorithms, user tracking, and brand impersonation. The research emphasizes the importance of caution when installing browser extensions, even from trusted sources, and recommends immediate uninstallation of the identified malicious extensions.
Created at: 2026-01-26T15:40:31.078000
Updated at: 2026-01-26T18:03:19.079000
Malware MoonPeak Executed via LNK Files
Description: In January 2026, IIJ observed malicious LNK files targeting Korean users to execute the MoonPeak malware, attributed to North Korean threat actors. The infection chain begins with a LNK file that runs an obfuscated PowerShell script, which checks for analysis environments, creates additional scripts, and sets up persistence. The second stage downloads and executes a payload from GitHub, which is actually the MoonPeak malware. MoonPeak is obfuscated using ConfuserEx and communicates with a C2 server. The campaign utilizes GitHub for hosting malware, a technique known as Living Off Trusted Sites (LOTS). This attack demonstrates the ongoing threat posed by North Korean actors targeting various countries and individuals worldwide.
Created at: 2026-01-26T14:28:48.027000
Updated at: 2026-01-26T17:36:15.302000
Infrastructure of Interest: Medium Confidence Detection
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:39:42.586000
Updated at: 2026-01-26T15:17:34.526000
Infrastructure of Interest: Medium Confidence Command And Control
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with command and control (C2) infrastructure, facilitating malware communication, data exfiltration, and persistent threat actor operations. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:29:37.542000
Updated at: 2026-01-26T15:16:37.921000
Infrastructure of Interest: Medium Confidence Phishing
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with phishing campaigns, targeting credential theft and fraudulent resource access. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:20:01.253000
Updated at: 2026-01-26T15:16:35.539000
A $6,000 Russian Malware Toolkit with Chrome Web Store Guarantee
Description: A new malware-as-a-service toolkit called 'Stanley' is being sold on Russian cybercrime forums for $2,000 to $6,000. It provides a turnkey website-spoofing operation disguised as a Chrome extension, with the premium tier promising guaranteed publication on the Chrome Web Store. The toolkit allows full-page website spoofing, element injection, push notifications, and backup domain rotation. It uses victims' IP addresses for tracking and implements a persistent polling mechanism to communicate with the command and control server. The malware's core attack involves website spoofing via iframe overlay, allowing attackers to harvest credentials while displaying legitimate URLs in the browser's address bar.
Created at: 2026-01-26T08:52:20.218000
Updated at: 2026-01-26T09:18:10.937000
MacSync Stealer Returns: SEO Poisoning and Fake GitHub Repositories Target macOS Users
Description: An active infostealer campaign is targeting macOS and Windows users across various sectors. The threat actors are using SEO poisoning to direct victims to fake GitHub repositories impersonating legitimate tools like PagerDuty. The campaign involves over 20 malicious repositories active since September 2025. The attack flow begins with a Google search, leading to a fraudulent GitHub repository, then to a GitHub Pages site with a deceptive command. This command deploys the MacSync stealer in three stages: a loader, a dropper, and the final payload. MacSync aggressively harvests credentials from browsers, cloud services, and cryptocurrency wallets. The campaign's scale includes 39 identified malicious repositories, with 24 still active as of January 2026. Evasion tactics include using 'readme-only' repositories and distributed identities.
Created at: 2026-01-26T08:54:01.725000
Updated at: 2026-01-26T09:16:21.175000
Sandworm behind cyberattack on Poland's power grid in late 2025
Description: In late 2025, Poland's energy system was targeted by a major cyberattack, now attributed to the Russia-aligned APT group Sandworm by ESET Research. The attack involved data-wiping malware named DynoWiper, detected as Win32/KillFiles.NMO. While the full impact is still under investigation, researchers noted the attack's timing coincided with the 10th anniversary of Sandworm's 2015 attack on Ukraine's power grid. Sandworm continues to target critical infrastructure, particularly in Ukraine, with regular wiper attacks. The group's history of disruptive cyberattacks and the similarities in tactics, techniques, and procedures led to a medium-confidence attribution of this latest incident to Sandworm.
Created at: 2026-01-23T22:47:09.688000
Updated at: 2026-01-23T22:57:59.767000
Watering Hole Attack Targets EmEditor Users With Information-Stealing Malware
Description: A compromised EmEditor installer was used in a software supply chain attack to deliver multistage malware. The attack, discovered in late December 2025, targeted users of this widely-used text editor. The malware performs credential theft, data exfiltration, and enables lateral movement. It uses obfuscated PowerShell scripts and geofencing techniques, suggesting possible Russian origin. The malware disables security features, gathers system information, and exfiltrates data to a command-and-control server. This incident highlights the importance of validating installer integrity, monitoring PowerShell usage, preserving endpoint telemetry, and enforcing least privilege principles. Software publishers are advised to secure download infrastructure and prepare incident response plans.
Created at: 2026-01-23T11:47:40.016000
Updated at: 2026-01-23T22:53:38.943000
Silver Fox Targeting India Using Tax Themed Phishing Lures
Description: A sophisticated campaign by the Chinese APT group Silver Fox is targeting Indian entities with authentic-looking Income Tax phishing lures. The attack leverages a complex kill chain involving DLL hijacking and the modular Valley RAT to ensure persistence. The campaign uses a multi-stage infection process, starting with a malicious email containing a PDF decoy. The payload is delivered through an NSIS installer, which drops a legitimate Thunder.exe binary and a malicious libexpat.dll for DLL hijacking. The final stage involves the Valley RAT, which uses a two-stage configuration loading mechanism and implements a 3-tier C2 communication loop. The RAT's modular plugin architecture allows for dynamic capability extension and persistence through registry-based storage.
Created at: 2025-12-24T21:10:40.201000
Updated at: 2026-01-23T21:04:49.672000
