LATEST THREAT INTELLIGENCE.

Water APT Multi-Stage Attack Uncovered

Description: A sophisticated multi-stage attack attributed to the Water Gamayun APT group has been analyzed. The attack begins with a compromised legitimate website redirecting to a lookalike domain, delivering a double-extension RAR payload disguised as a PDF. This payload exploits the MSC EvilTwin vulnerability (CVE-2025-26633) to inject code into mmc.exe, initiating a series of hidden PowerShell stages. The attack employs layered obfuscation, password-protected archives, and process-hiding techniques to evade detection. The campaign's attribution to Water Gamayun is based on their unique exploitation methods, signature obfuscation patterns, infrastructure design, and specific social engineering themes. The group's objectives include strategic intelligence gathering, credential theft, and long-term persistence through custom backdoors and information stealers.

Created at: 2025-11-26T00:43:16.879000

Updated at: 2025-12-26T00:03:48.113000

Russian RomCom Utilizing SocGholish to Deliver Mythic Agent to U.S. Companies Supporting Ukraine

Description: Arctic Wolf Labs identified a U.S.-based company targeted by the Russian-aligned threat group RomCom via SocGholish, operated by TA569. This marks the first observed instance of a RomCom payload being distributed through SocGholish. The attack chain involved compromising legitimate websites, using fake update lures to deliver malware, and executing malicious JavaScript on victim hosts. The targeted company had ties to Ukraine, aligning with RomCom's focus on entities supporting Ukraine. Evidence suggests Russia's GRU unit 29155 is leveraging SocGholish for targeting. The attack was thwarted by Arctic Wolf's Aurora Endpoint Defense, which detected and quarantined the RomCom loader upon delivery.

Created at: 2025-11-25T18:11:41.201000

Updated at: 2025-12-25T18:04:09.724000

ClickFix Gets Creative: Malware Buried in Images

Description: A multi-stage malware execution chain originating from a ClickFix lure has been discovered, leading to the delivery of infostealing malware like LummaC2 and Rhadamanthys. The campaign utilizes steganography to hide malicious code within PNG images. Two distinct ClickFix lures were observed: a standard 'Human Verification' and a convincing fake Windows Update screen. The execution chain involves mshta.exe, PowerShell, and .NET assemblies, ultimately extracting and injecting shellcode into target processes. The steganographic technique encodes malicious data directly into image pixel data, using specific color channels for payload reconstruction and decryption in memory. This sophisticated approach helps evade signature-based detection and complicates analysis.

Created at: 2025-11-24T21:10:01.793000

Updated at: 2025-12-24T21:03:40.540000

Evasive Panda APT poisons DNS requests to deliver MgBot

Description: The Evasive Panda APT group conducted highly targeted campaigns from November 2022 to November 2024, employing adversary-in-the-middle attacks and DNS poisoning techniques. They developed a new loader that evades detection and uses hybrid encryption for victim-specific implants. The group utilized fake updaters for popular applications to deliver malware, including a multi-stage shellcode execution process. A secondary loader, disguised as a legitimate Windows library, was used to achieve stealthier loading. The attackers employed a custom hybrid encryption method combining DPAPI and RC5 to secure payloads. Victims were detected in Türkiye, China, and India, with some systems compromised for over a year. The campaign showcases the group's advanced capabilities and continuous improvement of tactics.

Created at: 2025-12-24T13:36:09.131000

Updated at: 2025-12-24T15:13:46.945000

Kimsuky's Ongoing Evolution of KimJongRAT and Expanding Threats

Description: This analysis examines the latest attack flow of the KimJongRAT variant, attributed to the North Korean threat actor Kimsuky. The malware has evolved to include both PE-based and PowerShell-based attack chains, which have been merged into a single workflow. The attackers use phishing emails for initial access, leveraging GitHub and Google Drive for malware distribution. The malware exfiltrates sensitive data including browser credentials, system information, and keystrokes. Additional activities by the same actor include credential theft through phishing sites and spear-phishing campaigns targeting South Korean users. The analysis provides evidence supporting the attribution to Kimsuky and highlights the ongoing development of variants and infrastructure, which indicates that the attacks have been successful.

Created at: 2025-11-24T11:59:25.569000

Updated at: 2025-12-24T12:01:59.201000

Infrastructure of Interest: Medium Confidence Detection

Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.

Created at: 2025-08-07T07:39:42.586000

Updated at: 2025-12-24T10:43:12.023000

Infrastructure of Interest: Medium Confidence FastFlux

Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous DNS patterns, behavioral analysis of rapid IP rotation, and cross-referenced intelligence from global sinkhole data and network telemetry. The IOCs included in this pulse are associated with fast-flux networks, characterized by constantly changing IP addresses and DNS records to evade detection while maintaining resilient malicious infrastructure for phishing, malware delivery, or C2 operations. Use this data to enhance DNS-based detection rules, identify flux parent domains, and disrupt threat actor network resilience. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.

Created at: 2025-08-07T07:34:03.778000

Updated at: 2025-12-24T10:42:08.142000

Infrastructure of Interest: Medium Confidence InfoStealer

Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with infostealer malware, designed to harvest sensitive data such as credentials, cookies, and financial information from compromised systems. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations involving data theft. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.

Created at: 2025-08-07T07:31:55.617000

Updated at: 2025-12-24T10:42:07.497000

Webrat, disguised as exploits, is spreading via GitHub repositories

Description: A new malware campaign targeting security professionals and students has been uncovered. The threat actor behind Webrat is now disguising the backdoor as exploits and proof-of-concept code for high-profile vulnerabilities, distributing it through GitHub repositories. The malware, which previously spread via game cheats and cracked software, now aims to infect inexperienced security researchers. The campaign uses carefully prepared repositories with AI-generated vulnerability reports to build trust. The malicious files, when executed, disable Windows Defender, escalate privileges, and fetch the Webrat backdoor. This backdoor can steal data from various applications, perform keylogging, and access webcams and microphones. The attack serves as a reminder for cybersecurity professionals to exercise caution when handling potentially malicious files and to use isolated environments for analysis.

Created at: 2025-12-23T15:37:21.357000

Updated at: 2025-12-23T17:26:54.061000

2025 Holiday Scams: Docusign Phishing Meets Loan Spam

Description: During the holiday season, threat actors exploit overloaded inboxes and financial stress through two main patterns: Docusign-themed phishing for corporate credential harvesting and loan offer spam for personal data theft. The Docusign campaign uses spoofed emails with authentic-looking branding, redirecting through disposable hosting platforms to a credential harvesting page. The loan scams range from obvious 'Xmas loan' offers to sophisticated marketing-style emails, ultimately leading victims to a detailed identity theft questionnaire on christmasscheercash.com. Both scams utilize seasonal themes and mimic normal end-of-year workflows to increase effectiveness. Defensive measures include verifying sender domains, validating link destinations, and treating unsolicited loan offers as high risk.

Created at: 2025-12-23T15:09:12.814000

Updated at: 2025-12-23T17:24:43.553000