LATEST THREAT INTELLIGENCE.
Inside MacSync's Script-Driven Stealer and Hardware Wallet App Trojanization
Description: MacSync is a sophisticated macOS infostealer that targets cryptocurrency users. It is delivered through a phishing lure disguised as a cloud storage installer, tricking users into executing a malicious Terminal command. The malware employs a multi-stage infection process, using a script-based approach to harvest browser credentials, cryptocurrency wallet data, and sensitive files. A key feature of MacSync is its ability to trojanize popular Electron-based cryptocurrency applications like Ledger and Trezor, enabling long-term phishing and data exfiltration. The malware's infrastructure includes multiple rotating C2 domains and clone sites, indicating an ongoing and evolving campaign. MacSync's focus on cryptocurrency-related data and its stealthy, script-based execution make it particularly dangerous for macOS users in the crypto community.
Created at: 2026-01-21T18:46:01.968000
Updated at: 2026-01-22T14:43:35.660000
Analysis of HEURRemoteAdmin.GoToResolve.gen
Description: A comprehensive analysis of a Potentially Unwanted Application (PUA) identified as HEURRemoteAdmin.GoToResolve.gen reveals its association with the GoTo Resolve Unattended Access application. While digitally signed by GoTo Technologies USA, LLC, the sample exhibits behaviors typical of PUAs, including silent installation, background thread execution, and persistent presence on the system. The application's use of the Restart Manager library, often seen in ransomware and wiper malware, raises concerns. Although no direct malicious payload was observed, the remote access capabilities present a significant security risk, potentially allowing unauthorized system control or deployment of secondary malware. The sample's detection by UltraAV further supports its classification as a security threat, warranting removal unless explicitly authorized and managed within organizational security policies.
Created at: 2026-01-22T00:39:39.003000
Updated at: 2026-01-22T11:08:09.532000
Malicious Configuration Changes Observed On Fortinet FortiGate Devices via SSO Accounts
Description: A new cluster of automated malicious activity involving unauthorized firewall configuration changes on FortiGate devices has been observed. The activity includes creation of generic accounts for persistence, configuration changes granting VPN access, and exfiltration of firewall configurations. The campaign bears similarities to a previous one described in December 2025, involving SSO login activity for administrator accounts. While the initial access details are not fully confirmed, it may be related to previously disclosed SSO vulnerabilities (CVE-2025-59718 and CVE-2025-59719). The malicious activity involves SSO logins from specific hosting providers, followed by configuration exports and creation of secondary accounts for persistence. The events occur within seconds, suggesting automated activity.
Created at: 2026-01-22T00:39:37.387000
Updated at: 2026-01-22T11:06:14.929000
Trial, Error, and Typos: Why Some Malware Attacks Aren't as 'Sophisticated' as You Think
Description: This analysis challenges the notion that cyber threat actors are always sophisticated and organized. Through examining three incidents, it reveals that attackers often make mistakes, face obstacles, and adapt their tactics based on trial and error. The incidents showcase how threat actors struggled with Windows Defender, mistyped commands, and failed to start malicious services. Despite using similar tactics and infrastructure across attacks, the perpetrators had to refine their methods in response to setbacks. The study emphasizes that understanding these roadblocks and attacker reactions provides valuable insights for improving cybersecurity defenses.
Created at: 2025-12-23T01:59:50.982000
Updated at: 2026-01-22T01:03:47.699000
Threat Actors Expand Abuse of Microsoft Visual Studio Code
Description: North Korean threat actors have evolved their techniques in the Contagious Interview campaign, now abusing Microsoft Visual Studio Code task configuration files. The infection chain begins when a victim opens a malicious Git repository, often disguised as part of a recruitment process. If trust is granted, arbitrary commands are executed on the system. The malware uses JavaScript payloads hosted on vercel.app to implement backdoor logic, including remote code execution, system fingerprinting, and persistent command-and-control communication. The backdoor collects host information and beacons to a C2 server every five seconds. Recent observations show further execution of similar payloads, indicating ongoing development of these tactics.
Created at: 2026-01-21T12:38:22.046000
Updated at: 2026-01-21T23:09:42.700000
PurpleBravo’s Targeting of the IT Software Supply Chain
Description: PurpleBravo, a North Korean state-sponsored threat group, targets software developers through fake recruitment efforts, particularly in cryptocurrency and software development sectors. Their toolkit includes BeaverTail, PyLangGhost, and GolangGhost, designed for stealing browser credentials and cryptocurrency information. The group has affected 3,136 IP addresses, mainly in South Asia and North America, compromising 20 organizations across various industries. PurpleBravo's tactics include using fictitious personas, malicious GitHub repositories, and sophisticated malware to infiltrate IT services companies, posing a significant supply-chain risk. The group shows overlap with PurpleDelta, another North Korean threat actor, sharing infrastructure and operational patterns. PurpleBravo's focus on the IT sector in South Asia presents an overlooked threat to organizations outsourcing IT services.
Created at: 2026-01-21T22:26:37.394000
Updated at: 2026-01-21T23:04:00.261000
EtherRAT Targeting Windows Disguised as a Game Mod Installer
Description: A Windows variant of EtherRAT, a JavaScript-based malware, has been discovered disguised as game mod installers. The malware uses MSI files to create and execute obfuscated scripts that decrypt and run the main payload. EtherRAT retrieves its Command and Control (C2) server addresses dynamically through Ethereum smart contracts, employing anti-analysis techniques and establishing persistence via Registry Run keys. The malware's infrastructure has been linked to the Tsundere Botnet, sharing C2 servers and smart contract similarities. Analysis revealed multiple contract addresses and wallet addresses associated with the attacker, indicating an expanding and evolving operation targeting both Windows and Linux systems.
Created at: 2026-01-21T12:36:18.399000
Updated at: 2026-01-21T23:00:27.717000
Detailed Analysis of LockBit 5.0
Description: LockBit, originating as ABCD ransomware in 2019, has evolved to version 5.0 in September 2025. After a period of inactivity, it resumed operations in December 2025 with a reduced affiliate sign-up fee. LockBit 5.0, nicknamed ChoungDong, consists of a Loader and Ransomware component. The Loader decrypts and executes the payload in memory, while the Ransomware uses ChaCha20 and Curve25519 for encryption. This update significantly enhances evasion techniques and attack efficiency, introducing features like Mutex, Execution Delay, and Wiper. The group's history includes affiliation with the Maze cartel, independent operations, and continuous upgrades. Mitigation strategies involve monitoring process behavior, applying security patches, and preparing for swift responses using provided IoCs and MITRE ATT&CK techniques.
Created at: 2026-01-21T10:03:04.048000
Updated at: 2026-01-21T22:56:37.288000
Infrastructure of Interest: Medium Confidence Detection
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:39:42.586000
Updated at: 2026-01-21T18:26:10.350000
Infrastructure of Interest: Medium Confidence FastFlux
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous DNS patterns, behavioral analysis of rapid IP rotation, and cross-referenced intelligence from global sinkhole data and network telemetry. The IOCs included in this pulse are associated with Fastflux networks, characterized by constantly changing IP addresses and DNS records to evade detection while maintaining resilient malicious infrastructure for phishing, malware delivery, or C2 operations. Use this data to enhance DNS-based detection rules, identify flux parent domains, and disrupt threat actor network resilience. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:34:03.778000
Updated at: 2026-01-21T18:25:09.376000
