LATEST THREAT INTELLIGENCE.
Infrastructure of Interest: Medium Confidence InfoStealer
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with infostealer malware, designed to harvest sensitive data such as credentials, cookies, and financial information from compromised systems. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations involving data theft. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:31:55.617000
Updated at: 2026-02-26T16:56:20.309000
Infrastructure of Interest: Medium Confidence Command And Control
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with command and control (C2) infrastructure, facilitating malware communication, data exfiltration, and persistent threat actor operations. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:29:37.542000
Updated at: 2026-02-26T13:14:54.184000
Infrastructure of Interest: Medium Confidence Phishing
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with phishing campaigns, targeting credential theft and fraudulent resource access. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:20:01.253000
Updated at: 2026-02-26T13:14:52.404000
Disrupting the GRIDTIDE Global Cyber Espionage Campaign
Description: A global espionage campaign targeting telecommunications and government organizations across four continents has been disrupted. The threat actor, UNC2814, is suspected to be linked to China and has been active since 2017. The campaign utilized a sophisticated backdoor called GRIDTIDE, which leveraged Google Sheets API for command and control. The attackers compromised 53 victims in 42 countries, with suspected infections in 20 more. GRIDTIDE's capabilities include executing shell commands, file transfers, and evading detection by disguising traffic as legitimate cloud API requests. The disruption involved terminating attacker-controlled cloud projects, disabling infrastructure, and revoking API access.
Created at: 2026-02-26T11:04:20.880000
Updated at: 2026-02-26T12:50:19.410000
CoolClient backdoor updated, new data stealing tools used
Description: The HoneyMyte APT group has enhanced its toolset with an updated CoolClient backdoor and new data stealing capabilities. The group targeted government entities in Asia and Europe, particularly Southeast Asia. CoolClient now features clipboard monitoring, HTTP proxy credential sniffing, and plugin support for extended functionality. HoneyMyte also deployed browser login data stealers and document theft scripts. The campaign's focus has shifted towards active surveillance, including keylogging, clipboard data collection, and proxy credential harvesting. Organizations are advised to remain vigilant against HoneyMyte's evolving toolkit, which includes CoolClient, PlugX, ToneShell, Qreverse, and LuminousMoth malware families.
Created at: 2026-01-27T11:49:30.682000
Updated at: 2026-02-26T11:03:39.915000
A Versatile Script Framework for LOLBins Exploitation Used by China-aligned Threat Groups
Description: PeckBirdy is a sophisticated JScript-based C&C framework employed by China-aligned APT groups since 2023. It exploits LOLBins across multiple environments to deliver advanced backdoors, targeting gambling industries and Asian government entities. The framework's versatility allows it to be used in various attack stages, from watering-hole control to lateral movement and C&C operations. Two campaigns, SHADOW-VOID-044 and SHADOW-EARTH-045, demonstrate coordinated threat group activity using PeckBirdy. The framework is complemented by two modular backdoors, HOLODONUT and MKDOOR, which extend its attack capabilities. PeckBirdy's design enables flexible deployment and execution across different environments, including browsers, MSHTA, WScript, Classic ASP, Node JS, and .NET.
Created at: 2026-01-26T20:30:56.423000
Updated at: 2026-02-26T07:03:45.621000
Unmasking Agent Tesla: A Deep Dive into a Multi-Stage Campaign
Description: This analysis examines a sophisticated multi-stage infection chain utilizing Agent Tesla malware. The attack begins with a phishing email containing a RAR file, which includes an obfuscated JSE file. This initial stage triggers a series of script-based evasions, leading to the download and decryption of a PowerShell script. The malware then employs process hollowing to inject its payload into a legitimate Windows process, evading detection. Before exfiltrating data, the malware performs anti-analysis checks to avoid security software and virtual environments. Finally, Agent Tesla harvests sensitive information, including browser cookies and contacts, exfiltrating the data via SMTP to a command-and-control server.
Created at: 2026-02-25T20:01:58.886000
Updated at: 2026-02-25T20:31:27.786000
Chrome Extensions: Are you getting more than you bargained for?
Description: This analysis reveals the hidden dangers of certain Chrome extensions available on the Google Chrome Web Store. Despite the store's vetting process, some malicious extensions have slipped through, compromising user security. The study examines four examples of extensions with combined user bases exceeding 100,000, showcasing various security risks. These include undisclosed clipboard access to remote domains, data exfiltration, remote code execution capabilities, search hijacking, and cross-site scripting vulnerabilities. The extensions employ tactics such as command-and-control infrastructure with domain generation algorithms, user tracking, and brand impersonation. The research emphasizes the importance of caution when installing browser extensions, even from trusted sources, and recommends immediate uninstallation of the identified malicious extensions.
Created at: 2026-01-26T15:40:31.078000
Updated at: 2026-02-25T15:02:40.499000
Malware MoonPeak Executed via LNK Files
Description: In January 2026, IIJ observed malicious LNK files targeting Korean users to execute the MoonPeak malware, attributed to North Korean threat actors. The infection chain begins with a LNK file that runs an obfuscated PowerShell script, which checks for analysis environments, creates additional scripts, and sets up persistence. The second stage downloads and executes a payload from GitHub, which is actually the MoonPeak malware. MoonPeak is obfuscated using ConfuserEx and communicates with a C2 server. The campaign utilizes GitHub for hosting malware, a technique known as Living Off Trusted Sites (LOTS). This attack demonstrates the ongoing threat posed by North Korean actors targeting various countries and individuals worldwide.
Created at: 2026-01-26T14:28:48.027000
Updated at: 2026-02-25T14:02:21.153000
Inside the Fix: Analysis of In-the-Wild Exploit of CVE-2026-21513
Description: This analysis examines CVE-2026-21513, a security bypass vulnerability in Microsoft's MSHTML framework, patched in February 2026. The flaw, actively exploited by Russian state-sponsored actor APT28, affects all Windows versions and has a CVSS score of 8.8. Using PatchDiff-AI, researchers identified the root cause in ieframe.dll's hyperlink navigation handling, allowing arbitrary file execution outside the browser's security context. The exploit involves a crafted Windows Shortcut file embedding HTML, communicating with APT28-linked infrastructure. It bypasses security measures like Mark of the Web and IE Enhanced Security Configuration through nested iframes and DOM manipulation, ultimately invoking ShellExecuteExW for out-of-sandbox execution.
Created at: 2026-02-25T11:46:21.970000
Updated at: 2026-02-25T11:50:33.555000
