LATEST THREAT INTELLIGENCE.
CountLoader: New Malware Loader Being Served in 3 Different Versions
Description: A new malware loader named CountLoader has been identified, strongly associated with Russian ransomware gangs. It comes in three versions: .NET, PowerShell, and JScript. The threat is believed to be part of an Initial Access Broker's toolset or used by a ransomware affiliate linked to LockBit, BlackBasta, and Qilin groups. CountLoader was recently employed in a phishing campaign targeting Ukrainian citizens, impersonating the Ukrainian police. The loader attempts to connect to multiple C2 servers, downloads and executes various malware payloads, and uses advanced techniques to evade detection. It has been observed dropping CobaltStrike and AdaptixC2, among other malicious tools. The malware's functionality includes system information gathering, persistence mechanisms, and multiple download methods.
Created at: 2025-09-19T08:57:24.237000
Updated at: 2025-10-19T10:01:53.290000
CopyCop Deepens Its Playbook with New Websites and Targets
Description: CopyCop, a Russian covert influence network, has significantly expanded its operations since March 2025, creating over 300 new fictional media websites targeting various countries. The network, likely operated by John Mark Dougan with support from Russian entities, aims to undermine support for Ukraine and exacerbate political fragmentation in Western countries. CopyCop's tactics include using deepfakes, AI-generated content, and impersonating media outlets to spread pro-Russian narratives. The network has widened its target languages and geographical scope, now including Turkey, Ukraine, Swahili-speaking regions, Moldova, Canada, and Armenia. While its core objectives remain unchanged, CopyCop has made marginal improvements to increase its reach, resilience, and credibility, including the use of self-hosted large language models for content generation.
Created at: 2025-09-18T03:21:10.905000
Updated at: 2025-10-18T03:00:19.916000
Malicious PyPI Packages Deliver SilentSync RAT
Description: Two malicious Python packages, sisaws and secmeasure, were discovered in the Python Package Index (PyPI) repository. These packages, created by the same author, deliver a Remote Access Trojan (RAT) called SilentSync. The RAT is capable of remote command execution, file exfiltration, screen capturing, and web browser data theft. It targets Windows systems and communicates with a command-and-control server using HTTP. The packages employ typosquatting and imitate legitimate modules to deceive users. SilentSync achieves persistence through platform-specific techniques and supports various commands for data exfiltration and system control. This discovery highlights the growing risk of supply chain attacks within public software repositories.
Created at: 2025-09-18T01:15:37.717000
Updated at: 2025-10-18T01:03:47.610000
Infrastructure of Interest: Medium Confidence Detection
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:39:42.586000
Updated at: 2025-10-17T16:05:37.515000
Infrastructure of Interest: Medium Confidence InfoStealer
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with infostealer malware, designed to harvest sensitive data such as credentials, cookies, and financial information from compromised systems. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations involving data theft. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:31:55.617000
Updated at: 2025-10-17T16:05:05.095000
Infrastructure of Interest: Medium Confidence Command And Control
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with command and control (C2) infrastructure, facilitating malware communication, data exfiltration, and persistent threat actor operations. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:29:37.542000
Updated at: 2025-10-17T16:05:01.850000
Infrastructure of Interest: Medium Confidence Phishing
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with phishing campaigns, targeting credential theft and fraudulent resource access. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:20:01.253000
Updated at: 2025-10-17T16:04:59.364000
CAPI Backdoor: .NET Stealer Targeting Russian Auto-Commerce
Description: A spear-phishing campaign targeting the Russian automobile-commerce industry using a malicious .NET implant has been uncovered by the Seqrite Labs Research Team and is now being investigated by the FBI.
Created at: 2025-10-17T15:59:18.678000
Updated at: 2025-10-17T15:59:18.678000
Hidden links: why your website traffic is declining
Description: The article discusses the issue of hidden links in websites, a Black Hat SEO technique used to manipulate search engine rankings. It explains how attackers inject invisible HTML blocks containing links to unrelated, often adult or gambling websites. These hidden links can harm a website's reputation, lower its search rankings, and potentially lead to legal issues. The article describes various methods attackers use to place these links, including exploiting vulnerabilities in content management systems and compromising administrator accounts. It also provides guidance on how to detect hidden links and protect websites from such attacks, emphasizing the importance of using licensed solutions, keeping software updated, and implementing strong security measures.
Created at: 2025-10-17T11:53:06.441000
Updated at: 2025-10-17T15:52:40.952000
Malicious package with AdaptixC2 framework agent found in npm registry
Description: A malicious package named 'https-proxy-utils' was discovered in the npm registry, posing as a utility for using proxies but containing a post-install script that downloads and executes the AdaptixC2 post-exploitation framework agent. The package mimicked popular legitimate packages and cloned functionality from another package. The script included payload delivery methods for Windows, Linux, and macOS, using specific techniques for each operating system. Once deployed, the AdaptixC2 agent provides remote access, command execution, and persistence capabilities. This incident highlights the growing trend of abusing open-source software ecosystems as an attack vector, following a similar high-profile incident involving the Shai-Hulud worm.
Created at: 2025-10-17T11:53:04.821000
Updated at: 2025-10-17T15:50:56.847000