LATEST THREAT INTELLIGENCE.
Endgame Harvesting: Inside ACRStealer's Modern Infrastructure
Description: ACRStealer, a sophisticated Malware as a Service, has evolved with enhanced evasion techniques and C2 communication strategies. It employs low-level syscalls and the Ancillary Function Driver (AFD) for stealthy network operations, bypassing user-mode hooks. The malware uses layered communication, establishing raw TCP connections followed by SSL/TLS over SSPI. ACRStealer's data-stealing capabilities are extensive, targeting browsers, Steam accounts, and performing victim fingerprinting. It can execute secondary payloads and capture screenshots. The malware shows an active infection pattern in countries like the USA, Mongolia, and Germany, communicating with specific IP addresses and domains. Recent developments indicate a shift to LummaStealer, suggesting ongoing threat actor activities targeting gaming platforms and social media.
Created at: 2026-03-17T10:55:52.495000
Updated at: 2026-03-17T11:15:41.436000
A Slopoly start to AI-enhanced ransomware attacks
Description: IBM X-Force discovered a likely AI-generated malware named 'Slopoly' used in a ransomware attack by the Hive0163 group. This marks the beginning of AI adoption among cybercrime groups, potentially transforming the threat landscape. Slopoly, while relatively unsophisticated, demonstrates how easily threat actors can use AI to develop new malware quickly. The attack involved ClickFix social engineering, NodeSnake malware, and InterlockRAT, culminating in the deployment of Interlock ransomware. This incident highlights the growing trend of AI-generated and AI-integrated malware, which could lead to more ephemeral and difficult-to-attribute attacks, challenging traditional threat intelligence methods.
Created at: 2026-03-17T10:59:31.921000
Updated at: 2026-03-17T11:14:09.800000
New backdoor targeting Ukrainian entities with possible links to Laundry Bear
Description: A new campaign targeting Ukrainian entities has been identified, attributed to actors linked to Russia. The campaign uses judicial and charity-themed lures to deploy a JavaScript-based backdoor called DRILLAPP, which runs through the Edge browser. This backdoor enables various actions including file manipulation, microphone access, and webcam capture. Two variants of the campaign have been observed, with the second variant introducing additional capabilities. The attackers utilize the browser's capabilities to evade detection and gain access to sensitive resources. The campaign shares tactics with a previously reported Laundry Bear operation, leading to a low-confidence attribution to this group.
Created at: 2026-03-17T11:01:38.621000
Updated at: 2026-03-17T11:12:46.340000
Hydra Saiga: Covert Espionage and Infiltration of Critical Utilities
Description: Hydra Saiga, a suspected Kazakhstani state-sponsored threat actor, has been actively targeting government, energy, and critical infrastructure in Central Asia, Europe, and the Middle East since 2021. The group is known for using Telegram Bot API for C2 communication and employing a mix of custom implants and 'Living off the Land' techniques. Their activities align closely with Kazakhstan's geopolitical interests, particularly in water and energy sectors. The group has compromised at least 34 organizations across 8 countries, with reconnaissance extending to over 200 additional targets globally. Hydra Saiga's operations demonstrate a clear focus on water infrastructure linked to major regional rivers and gas distribution systems, reflecting strategic intelligence collection efforts.
Created at: 2026-03-17T11:03:35.052000
Updated at: 2026-03-17T11:11:28.178000
Middle East Crisis Exploited by Fraudsters: Government Impersonation and Evacuation Scam Infrastructure Identified
Description: The ongoing Middle East crisis has given rise to opportunistic online fraudulent activities. Two main strands have been observed: confirmed government-impersonation fraud and suspicious evacuation-themed websites. Fraudsters are exploiting the confusion and urgency surrounding the crisis to launch phishing campaigns and create deceptive websites. A notable example includes an email impersonating UAE authorities, urging recipients to complete a mandatory emergency registration form. Additionally, several newly registered websites offering evacuation services from Dubai and the Gulf region have emerged, displaying characteristics commonly associated with scams. These sites use crisis-related domain names, employ urgent messaging, lack verifiable operator details, and often request unconventional payment methods. The situation highlights the need for increased vigilance and proactive monitoring of emerging digital threats during geopolitical crises.
Created at: 2026-03-11T11:10:32.339000
Updated at: 2026-03-17T10:52:47.638000
Boggy Serpens Threat Assessment
Description: The Iranian threat group Boggy Serpens, linked to the Ministry of Intelligence and Security, has refined its cyberespionage tactics to focus on trusted relationship compromises and multi-wave targeting of strategic organizations. The group combines social engineering with AI-enhanced malware for long-term persistence, primarily targeting diplomatic and critical infrastructure sectors. Recent campaigns show increased technological capabilities, including AI-generated code and Rust-based tools. Boggy Serpens exploits hijacked accounts to bypass security measures and employs a secondary social engineering prompt to deliver malware. The group's determination is exemplified by a sustained four-wave campaign against a UAE marine and energy company, demonstrating its focus on infiltrating regional maritime infrastructure.
Created at: 2026-03-17T09:13:38.496000
Updated at: 2026-03-17T10:20:07.229000
Hacked sites deliver Vidar infostealer to Windows users
Description: A recent cybercrime campaign uses compromised WordPress websites to distribute the Vidar infostealer malware to Windows users. The attack employs fake CAPTCHA pages that trick victims into running malicious commands. The infection chain involves an HTA script, which downloads and executes a malicious MSI installer. This installer then deploys a Go-based loader that ultimately decrypts and loads the Vidar infostealer into memory. The campaign targets users in multiple countries, including Italy, France, the United States, the United Kingdom, and Brazil. The attackers inject malicious code into WordPress sites, which filters visitors and displays the fake CAPTCHA page only to Windows desktop users.
Created at: 2026-03-17T09:09:17.543000
Updated at: 2026-03-17T09:11:43.920000
IoCs (Indicators of Compromise) for the Coruna iOS iPhone Web Malware Client Side Exploits Serving Web Malware Exploitation Kit
Description: The intelligence details indicators of compromise for the Coruna iOS iPhone web malware exploitation kit. It provides MD5, SHA-1, and SHA-256 hashes for detected JavaScript payloads. The analysis lists numerous active domains serving the malware, including specific URLs delivering client-side exploits. The campaign involves a wide network of malicious domains and URLs targeting iOS devices. The extensive list of compromised and malicious infrastructure demonstrates the scale of this exploitation kit's operations, highlighting the ongoing threat to iPhone users through web-based attacks.
Created at: 2026-03-16T23:26:57.028000
Updated at: 2026-03-17T00:42:58.391000
Suspected China-Based Espionage Operation Against Military Targets in Southeast Asia
Description: A suspected Chinese state-sponsored espionage campaign targeting Southeast Asian military organizations has been identified, traced back to at least 2020. Designated as CL-STA-1087, the operation demonstrates strategic patience and focused intelligence collection on military capabilities and structures. The attackers deployed custom tools including the AppleChris and MemFun backdoors, and a modified Mimikatz variant called Getpass. The campaign is characterized by the use of dead drop resolvers, custom HTTP verbs, and anti-forensic techniques. Infrastructure analysis reveals long-term persistence and operational compartmentalization. The activity aligns with Chinese working hours and utilizes China-based cloud infrastructure, suggesting a Chinese nexus.
Created at: 2026-03-16T10:24:58.975000
Updated at: 2026-03-16T20:02:51.156000
Web Shells, Tunnels, and Ransomware: Dissecting a Warlock Attack
Description: The Warlock ransomware group has enhanced its attack chain with improved methods for persistence, lateral movement, and evasion. Their updated toolset includes TightVNC, Yuze, and a persistent BYOVD technique exploiting the NSec driver. The group's primary targets were technology, manufacturing, and government sectors, with the US, Germany, and Russia being the most affected countries. Warlock continues to exploit unpatched Microsoft SharePoint servers for initial access, and has expanded its post-exploitation toolkit. New additions include TightVNC for persistent remote access, Yuze for establishing SOCKS5 connections, and a BYOVD technique using the NSecKrnl.sys driver to terminate security products. The group also leverages Velociraptor, VS Code tunnels, and Cloudflare Tunnel for C&C communications.
Created at: 2026-03-16T11:01:03.022000
Updated at: 2026-03-16T18:44:16.233000
