LATEST THREAT INTELLIGENCE.
Disrupting the GRIDTIDE Global Cyber Espionage Campaign
Description: A global espionage campaign targeting telecommunications and government organizations across four continents has been disrupted. The threat actor, UNC2814, is suspected to be linked to China and has been active since 2017. The campaign utilized a sophisticated backdoor called GRIDTIDE, which leveraged Google Sheets API for command and control. The attackers compromised 53 victims in 42 countries, with suspected infections in 20 more. GRIDTIDE's capabilities include executing shell commands, file transfers, and evading detection by disguising traffic as legitimate cloud API requests. The disruption involved terminating attacker-controlled cloud projects, disabling infrastructure, and revoking API access.
Created at: 2026-02-26T11:04:20.880000
Updated at: 2026-03-02T12:56:47.759000
Abusing Windows File Explorer and WebDAV for Malware Delivery
Description: This analysis details how threat actors are exploiting Windows File Explorer's WebDAV functionality to deliver malware. WebDAV, a legacy protocol, is being used to trick users into downloading malicious files without going through web browsers, potentially bypassing security controls. Campaigns often use complex chains of scripts and legitimate files to deliver Remote Access Trojans (RATs). The tactic has been observed since February 2024, with increased activity from September 2024. Threat actors frequently abuse Cloudflare Tunnel demo accounts to host WebDAV servers. The report explains WebDAV links, how File Explorer can be manipulated, and various methods used by attackers, including URL shortcut files and LNK files. It also highlights the prevalence of German and English language campaigns targeting European corporate email accounts.
Created at: 2026-03-01T05:26:45.129000
Updated at: 2026-03-02T11:48:03.780000
PlugX Meeting Invitation via MSBuild and GDATA
Description: A recent PlugX campaign utilized phishing emails with a 'Meeting Invitation' lure to deploy malware through DLL side-loading. The infection chain begins with a zip file containing a malicious .csproj file and MSBuild executable. The .csproj file downloads three components: a legitimate G DATA Antivirus executable, a malicious Avk.dll (PlugX variant), and an encrypted AVKTray.dat file. The malware uses DLL side-loading, API hashing, and XOR encryption for obfuscation. It establishes persistence via the Run registry key and communicates with a command and control server. The campaign showcases PlugX's continued evolution while maintaining its core characteristics, highlighting its ongoing relevance in cyber-espionage operations.
Created at: 2026-03-01T05:26:46.420000
Updated at: 2026-03-02T11:46:24.357000
Fake Zoom meeting 'update' silently installs unauthorized version of monitoring tool abused by cybercriminals to spy on victims
Description: A sophisticated scam campaign is targeting users with a fake Zoom meeting website that automatically downloads and installs an unauthorized version of Teramind, a legitimate workforce monitoring solution. The attackers create a convincing imitation of a Zoom video call, complete with fake participants and audio, to lure victims. After a short delay, an 'Update Available' prompt appears, leading to the silent installation of the monitoring software. The altered Teramind installer is configured to run stealthily and avoid detection by security tools. This campaign is particularly dangerous as it misuses legitimate commercial software, making it difficult for traditional antivirus tools to detect. The attackers gain full surveillance capabilities over the victim's device, including keylogging, screen capture, and file monitoring.
Created at: 2026-03-01T05:26:47.025000
Updated at: 2026-03-02T11:42:36.148000
ShadowV2 Casts a Shadow Over IoT Devices
Description: A new Mirai variant called ShadowV2 has been observed spreading through IoT vulnerabilities during a global AWS disruption. The malware targeted multiple countries and industries worldwide, exploiting vulnerabilities in devices from vendors like DD-WRT, D-Link, Digiever, TBK, and TP-Link. ShadowV2 is designed for IoT devices and uses a XOR-encoded configuration to connect to a C2 server for receiving DDoS attack commands. The malware supports various attack methods, including UDP floods, TCP-based floods, and HTTP-level floods. This incident highlights the ongoing vulnerability of IoT devices and the need for timely firmware updates, robust security practices, and continuous threat monitoring.
Created at: 2025-11-27T07:37:54.726000
Updated at: 2026-03-02T09:21:16.875000
Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft
Description: Threat actors associated with ShinyHunters-branded extortion operations are expanding their tactics, targeting cloud-based SaaS applications for data theft and extortion. The attackers use sophisticated voice phishing and credential harvesting to gain initial access, then exfiltrate sensitive data from various platforms. They employ aggressive extortion tactics, including harassment and DDoS attacks. The activity involves multiple threat clusters (UNC6661, UNC6671, UNC6240) and targets a growing number of cloud platforms. The attackers leverage social engineering to bypass MFA and use tools like ToogleBox Recall to cover their tracks. This activity highlights the effectiveness of social engineering and the importance of phishing-resistant MFA methods.
Created at: 2026-01-31T08:41:02.930000
Updated at: 2026-03-02T08:03:54.313000
DynoWiper update: Technical analysis
Description: ESET researchers provide technical details on a recent data destruction incident affecting a Polish energy company. They identified new data-wiping malware named DynoWiper, attributed to the Russia-aligned threat group Sandworm with medium confidence. The tactics, techniques, and procedures observed during the DynoWiper incident resemble those seen earlier in an incident involving the ZOV wiper in Ukraine. Sandworm has a history of destructive cyberattacks, targeting various entities including energy providers. The DynoWiper samples focus on the IT environment, with no observed functionality targeting OT industrial components. The attackers deployed additional tools and attempted to use a SOCKS5 proxy. The incident represents a rare case of a Russia-aligned threat actor deploying destructive malware against an energy company in Poland.
Created at: 2026-01-30T18:42:13.717000
Updated at: 2026-03-01T18:00:46.183000
Threat Intelligence Dossier: TOXICSNAKE
Description: A multi-domain traffic distribution system (TDS) operation was discovered, centered around the domain toxicsnake-wifes.com. The infrastructure serves as a commodity cybercrime TDS farm, routing victims to phishing, scams, or malware payloads. The operation uses a first-stage JavaScript loader, followed by a second-stage that attempts to fetch upstream payloads. The cluster shares common WHOIS, DNS, and hosting patterns, indicative of bulletproof VPS usage. Multiple burner domains with similar tradecraft were identified, suggesting an organized operator cluster. The infrastructure employs obfuscation, dynamic remote injection, and disposable registration techniques. While the main payload was unreachable during analysis, historical evidence suggests the delivery of malicious content.
Created at: 2026-01-30T08:44:03.925000
Updated at: 2026-03-01T08:03:12.270000
Interlock Ransomware: New Techniques, Same Old Tricks
Description: The Interlock ransomware group continues to target organizations worldwide, particularly in the UK and US education sector. Unlike other ransomware groups, Interlock operates independently, developing and using their own malware. This article details a recent intrusion, highlighting the group's ability to adapt techniques and tooling. The attack involved multiple stages, including initial access via MintLoader, use of custom malware like NodeSnakeRAT and InterlockRAT, and deployment of a novel process-killing tool exploiting a zero-day vulnerability. The adversaries used various techniques for persistence, lateral movement, and data exfiltration before ultimately deploying ransomware. The intrusion demonstrates the importance of threat hunting and integrating threat intelligence to identify compromises before significant impact occurs.
Created at: 2026-01-30T08:23:45.232000
Updated at: 2026-03-01T08:03:12.270000
Meet IClickFix: a widespread framework using the ClickFix tactic
Description: IClickFix is a malicious framework that compromises WordPress sites to distribute malware using the ClickFix social engineering tactic. Active since December 2024, it has infected over 3,800 WordPress sites globally. The framework injects malicious JavaScript into compromised sites, leading users through a fake CAPTCHA challenge that tricks them into executing malicious code. This ultimately installs NetSupport RAT, granting attackers full control of infected systems. The campaign has evolved over time, adding traffic distribution systems and refining its lures. While initially distributing Emmenhtal Loader and XFiles Stealer, it now primarily delivers NetSupport RAT. The widespread nature of the attacks suggests opportunistic exploitation rather than targeted campaigns.
Created at: 2026-01-30T08:20:09.209000
Updated at: 2026-03-01T08:03:12.270000
