LATEST THREAT INTELLIGENCE.

Frontline Intelligence: Analysis of UNC1549 TTPs, Custom Tools, and Malware Targeting the Aerospace and Defense Ecosystem

Description: UNC1549, an Iranian-linked threat group, has been targeting aerospace, aviation, and defense industries since mid-2024. They employ sophisticated initial access techniques, including exploiting third-party relationships and targeted phishing. The group uses custom malware like TWOSTROKE, LIGHTRAIL, and DEEPROOT for persistence, and tools like DCSYNCER.SLICK and CRASHPAD for privilege escalation. UNC1549 demonstrates advanced lateral movement, reconnaissance, and defense evasion tactics. They extensively use SSH reverse tunnels and Azure infrastructure for command and control. The group's primary objective appears to be espionage, focusing on data collection and leveraging compromised organizations to target others in the same sector.

Created at: 2025-11-18T02:11:13.651000

Updated at: 2025-11-18T02:23:05.375000

Cat's Got Your Files: Lynx Ransomware

Description: A threat actor gained initial access to a network via RDP using compromised credentials, likely obtained through an infostealer, data breach, or initial access broker. They quickly moved laterally to a domain controller, created multiple impersonation accounts with high privileges, and installed AnyDesk for persistence. Over nine days, the actor conducted extensive network reconnaissance using SoftPerfect NetScan and NetExec, mapped virtualization infrastructure, and browsed file shares. They exfiltrated sensitive data from multiple shares using temp.sh. On the final day, the actor connected to backup servers, deleted backup jobs, and deployed Lynx ransomware across multiple servers. The intrusion lasted 178 hours and leveraged compromised domain admin credentials throughout.

Created at: 2025-11-17T18:13:18.402000

Updated at: 2025-11-18T02:14:57.298000

Infrastructure of Interest: Medium Confidence Detection

Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.

Created at: 2025-08-07T07:39:42.586000

Updated at: 2025-11-17T12:37:24.046000

How AI Is Fueling a New Wave of Black Friday Scams

Description: AI tools are enabling cybercriminals to create sophisticated Black Friday scams, including realistic phishing emails, cloned websites, and fake social media ads. Common tactics involve impersonating trusted brands like Amazon and Temu, offering unrealistic discounts on luxury goods, and exploiting shoppers' urgency. AI-enhanced scams are harder to detect, blending seamlessly with legitimate retail behavior. Key warning signs include suspicious sender addresses, unusual URLs, missing website information, and pressure tactics. To stay safe, shoppers should verify sender domains, inspect links, question dramatic discounts, use secure payment methods, and shop directly on official websites. Awareness and caution are crucial defenses against these evolving AI-powered threats during the holiday shopping season.

Created at: 2025-11-15T04:44:45.211000

Updated at: 2025-11-17T09:52:09.044000

A Closer Look at Outlook Macros and More

Description: The analysis examines NotDoor, a backdoor utilizing Outlook macros for persistence and lateral movement. It stages files in C:\ProgramData, employing DLL sideloading with OneDrive.exe. The malware creates directories, executes encoded PowerShell commands, and modifies registry entries to enable macros and disable security dialogs. Key tactics include using Outlook functions for C2 communication and email monitoring. The blog provides detection strategies, including monitoring for suspicious PowerShell commands, registry modifications, and creation of VbaProject.OTM files by non-Outlook processes. Splunk-based detection rules are offered to identify these malicious activities.

Created at: 2025-11-15T04:44:45.685000

Updated at: 2025-11-17T09:45:39.131000

Digital Doppelgangers: Anatomy of Evolving Impersonation Campaigns Distributing Gh0st RAT

Description: This report details two interconnected malware campaigns targeting Chinese-speaking users in 2025, using large-scale brand impersonation to deliver Gh0st RAT variants. The first campaign, active from February to March, mimicked three brands across over 2,000 domains. The second campaign, starting in May, impersonated over 40 applications with more sophisticated infection chains. Both campaigns used cloud infrastructure for payload delivery and DLL side-loading for evasion. The adversary demonstrated an evolving operational playbook, advancing from simple droppers to complex multi-stage infections. The campaigns' infrastructure remained active for months, indicating a persistent and well-resourced threat actor focused on Chinese-speaking targets globally.

Created at: 2025-11-15T05:58:39.960000

Updated at: 2025-11-17T09:26:39.714000

Tracking Malware and Attack Expansion: A Hacker Group's Journey across Asia

Description: FortiGuard Labs has traced a hacker group's evolving campaigns across Asia, starting with Winos 4.0 attacks in Taiwan and expanding to Japan and Malaysia. The group employs phishing emails with malicious PDFs and evolving malware delivery tactics. They've shifted from using cloud storage links to custom domains for malware distribution. The latest campaign in Malaysia uses a multi-stage attack flow, leveraging the Windows Task Scheduler for stealth. The malware, identified as HoldingHands, has been updated with new features, including the ability to update C2 IP addresses via registry entries. The attackers have demonstrated adaptability in their techniques while maintaining some consistent patterns, allowing researchers to link seemingly unrelated attacks.

Created at: 2025-10-17T18:11:19.756000

Updated at: 2025-11-16T18:02:41.412000

CAPI Backdoor: .NET Stealer Targeting Russian Auto-Commerce

Description: A spear-phishing campaign targeting the Russian Automobile-Commerce industry using a malicious .NET implant has been uncovered by Seqrite Labs Research Team and is now being investigated by the FBI.

Created at: 2025-10-17T15:59:18.678000

Updated at: 2025-11-16T15:02:53.735000

New Group on the Block: UNC5142 Leverages EtherHiding to Distribute Malware

Description: UNC5142, a financially motivated threat actor, has been tracked since late 2023 for abusing blockchain technology to distribute infostealers. The group exploits vulnerable WordPress sites and employs the 'EtherHiding' technique to obscure malicious code on the BNB Smart Chain. Their infection chain involves a multistage JavaScript downloader called CLEARSHORT, compromised WordPress sites, and smart contracts. UNC5142 has evolved its tactics, using a three-level smart contract system for dynamic payload delivery and abusing legitimate services like Cloudflare Pages. The group has distributed various infostealers, including ATOMIC, VIDAR, LUMMAC.V2, and RADTHIEF. Their operations have impacted multiple industries and geographic regions, with approximately 14,000 compromised web pages identified as of June 2025.

Created at: 2025-10-16T17:53:02.346000

Updated at: 2025-11-15T17:00:02.086000

Odyssey Stealer & AMOS Hit macOS Developers with Fake Homebrew Sites

Description: A sophisticated campaign targeting macOS developers has been uncovered, utilizing fake websites impersonating trusted platforms like Homebrew, TradingView, and LogMeIn to distribute Odyssey Stealer and AMOS malware. The attackers employ social engineering tactics, prompting users to paste base64-encoded commands in Terminal, which downloads malicious payloads. Over 85 phishing domains were identified, linked through shared SSL certificates and infrastructure. The campaign's infrastructure includes long-standing IP addresses showing multi-year activity. The malware attempts privilege escalation, performs anti-analysis checks, and disrupts backup services. This coordinated operation demonstrates the attackers' ability to adapt tactics and maintain persistence in the macOS ecosystem.

Created at: 2025-10-16T17:53:01.412000

Updated at: 2025-11-15T17:00:02.086000