LATEST THREAT INTELLIGENCE.

Dissecting UAT-8099: New persistence mechanisms and regional focus

Description: UAT-8099, a threat actor targeting vulnerable IIS servers across Asia, has launched a new campaign running from late 2025 into early 2026. The group's tactics have evolved, now focusing on Thailand and Vietnam and employing web shells, PowerShell scripts, and the GotoHTTP tool for remote access. New variants of the BadIIS malware include region-specific features, with separate versions targeting Vietnam and Thailand. The actor has expanded its toolkit with utilities for log removal, file protection, and anti-rootkit capabilities, and has adapted its persistence methods, creating hidden user accounts and leveraging legitimate tools to evade detection. The campaign shows significant operational overlap with the WEBJACK campaign, including shared malware hashes, C2 infrastructure, and victimology.

Created at: 2026-01-29T17:20:34.042000

Updated at: 2026-02-09T21:41:54.376000

Cryptocurrency Sector Targeted with New Tooling and AI-Enabled Social Engineering

Description: North Korean threat actor UNC1069 has evolved its tactics to target the cryptocurrency and decentralized finance sectors. In a recent intrusion it deployed seven unique malware families, including the new tools SILENCELIFT, DEEPBREATH, and CHROMEPUSH, designed to capture host and victim data. The attack relied on social engineering involving a compromised Telegram account, a fake Zoom meeting, and a reportedly AI-generated video. UNC1069 has shifted from spear-phishing to targeting Web3 industry entities such as centralized exchanges, software developers, and venture capital firms. The intrusion demonstrated sophisticated techniques to bypass macOS security features and harvest credentials, browser data, and cryptocurrency information. This marks a significant expansion of UNC1069's capabilities and highlights its focus on financial theft and on fueling future social engineering campaigns.

Created at: 2026-02-09T19:29:20.975000

Updated at: 2026-02-09T20:26:12.333000

Technical Analysis of GuLoader Obfuscation Techniques

Description: GuLoader, a malware downloader active since 2019, primarily delivers RATs and information stealers. It employs sophisticated anti-analysis techniques, including polymorphic code for dynamic constant construction and complex exception-based control flow obfuscation. The malware has evolved to handle multiple exception types, making its execution flow hard to trace. GuLoader uses dynamic hashing, encrypted strings, and stack-based string encryption to conceal critical information, and it often hosts payloads on trusted cloud services to bypass reputation-based detection. The consistent development and updating of its anti-analysis techniques suggest it will remain a significant threat.

Created at: 2026-02-09T19:07:10.863000

Updated at: 2026-02-09T20:18:39.892000

Investigation on the EmEditor Supply Chain Cyberattack

Description: A recent supply chain attack targeting EmEditor users has been uncovered, involving watering hole tactics. The investigation reveals multiple domains masquerading as EmEditor-related sites, all registered through NameSilo LLC in December 2025. The domains resolve to various IP addresses, with some changes observed in February 2026. Additional domains with similar patterns were discovered, along with peculiar HTTP header behavior. A potential early stage of the campaign was identified, sharing similar characteristics with the initial report. The attackers continued their activities even after exposure, utilizing PowerShell scripts and various domains for command and control purposes. The analysis provides a comprehensive list of indicators, including domain names, IP addresses, and file hashes associated with the attack.

Created at: 2026-02-09T14:52:16.312000

Updated at: 2026-02-09T20:16:16.247000

Yet Another Leak of China's Contractor-Driven Cyber-Espionage Ecosystem

Description: The Knownsec leak exposes a state-aligned Chinese cyber contractor deeply integrated with national security and intelligence operations. Internal documents reveal Knownsec's role in developing offensive cyber capabilities, large-scale reconnaissance systems, and data fusion platforms for public security bureaus and military clients. Key products include ZoomEye for global IP scanning, GhostX for exploitation, and Passive Radar for covert network mapping. The leak provides unprecedented insight into Knownsec's organizational structure, personnel, and strategic targeting of foreign critical infrastructure, particularly in Taiwan and other Asian countries. It demonstrates how commercial entities like Knownsec function as core components of China's cyber-espionage ecosystem, blending state objectives with industrial-scale development of intrusion and surveillance technologies.

Created at: 2026-01-10T13:29:36.119000

Updated at: 2026-02-09T13:05:03.614000

Knife Cutting the Edge: Disclosing a China-nexus gateway-monitoring AitM framework

Description: Cisco Talos uncovered 'DKnife', a sophisticated gateway-monitoring and adversary-in-the-middle (AitM) framework comprising seven Linux-based implants. In use since 2019, DKnife performs deep-packet inspection, traffic manipulation, and malware delivery via routers and edge devices. It targets a range of devices, including PCs, mobile devices, and IoT devices, delivering the ShadowPad and DarkNimbus backdoors. The framework primarily targets Chinese-speaking users, with evidence pointing to China-nexus threat actors as its operators. DKnife's capabilities include DNS hijacking, Android application update hijacking, Windows binary hijacking, anti-virus traffic disruption, and user activity monitoring. A link to the WizardNet campaign was also discovered, indicating a shared development or operational lineage.

Created at: 2026-02-05T20:16:27.292000

Updated at: 2026-02-09T12:15:04.704000

Danger Bulletin: Cyberattacks Against Ukraine and EU Countries Using CVE-2026-21509 Exploit

Description: UAC-0001 (APT28) has launched cyberattacks against Ukraine and EU countries exploiting the CVE-2026-21509 vulnerability in Microsoft Office products. The threat actor created malicious DOC files targeting government bodies and EU organizations. The attack chain involves WebDAV connections, COM hijacking, and the use of the COVENANT framework, which utilizes Filen cloud storage for command and control. The campaign began shortly after the vulnerability's disclosure, with multiple documents discovered containing similar exploits. The attackers employ sophisticated techniques to evade detection and maintain persistence, including disguising malicious files as legitimate Windows components and creating scheduled tasks.

Created at: 2026-02-04T14:15:57.152000

Updated at: 2026-02-09T12:07:44.149000

A security alert regarding APT-C-28 (ScarCruft) using MiradorShell to launch a cyberattack

Description: A recent investigation reveals that the APT-C-28 (ScarCruft) group has expanded its targets to include the cryptocurrency industry. The group employs sophisticated phishing tactics, using LNK files disguised as PDFs to lure victims with investment proposals ranging from $1 to $3 million. Execution triggers a multi-stage payload deployment that ultimately installs MiradorShell v2.0 to gain control of the system. The attack chain involves file downloads, decryption, and the creation of scheduled tasks for persistence. MiradorShell, an AutoIt-based backdoor, connects to a command and control server and offers reverse shell capabilities, file management, remote program execution, and victim fingerprinting. The malware employs various evasion techniques, including inline library files and direct API calls.

Created at: 2026-02-09T10:18:26.280000

Updated at: 2026-02-09T10:36:13.709000

Tenant from Hell: Prometei's Unauthorized Stay in Your Windows Server

Description: eSentire's Threat Response Unit detected Prometei botnet activity on a customer's Windows Server in the construction industry. Prometei, a Russian-origin botnet active since 2016, features remote control, credential harvesting, crypto-mining, lateral movement, and C2 communication over the clear web and Tor. The malware uses layered encryption, including rolling XOR and RC4, for payload decryption and C2 communications. It establishes persistence as a Windows service, creates firewall exceptions, and downloads additional modules for specialized functions such as credential theft and Tor routing. The attack likely began with compromised RDP credentials, followed by the execution of a malicious command to download and run the Prometei payload.

Created at: 2026-02-09T10:17:26.978000

Updated at: 2026-02-09T10:28:17.519000

Active Exploitation of SolarWinds Web Help Desk (CVE-2025-26399)

Description: Threat actors are actively exploiting a vulnerability in SolarWinds Web Help Desk, targeting organizations using versions prior to 12.8.7 HF1. The attack chain involves deploying Zoho ManageEngine RMM agents, Velociraptor for command and control, and Cloudflare tunnels for persistence. Attackers use encoded PowerShell commands, disable Windows Defender and Firewall, and implement a C2 failover mechanism. They also utilize Elastic Cloud for data exfiltration and QEMU for SSH backdoor persistence. The earliest known instance of this persistence mechanism was observed on January 16, 2026. Organizations are advised to update their SolarWinds Web Help Desk, restrict administrative interface access, reset credentials, and review hosts for unauthorized tools and suspicious activities.
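Several of the items above (the SolarWinds Web Help Desk campaign's encoded PowerShell and Defender/firewall tampering, Prometei's firewall exceptions and service persistence, APT28's and ScarCruft's scheduled tasks) share behaviours that are visible in process-creation telemetry. The Python below is an added example, not code from any of the reports summarized on this page: it decodes a PowerShell -EncodedCommand argument (UTF-16LE base64) so the rules can see the real script, then flags the tampering and persistence commands. Every sample command line, task name, service name and path in it is constructed for illustration and is not an indicator from any report.

```python
"""Triage of process-creation command lines: decode -EncodedCommand payloads and
flag Defender/firewall tampering plus scheduled-task and service persistence.
Added example; all sample data below is constructed, not real telemetry."""
import base64
import re

# PowerShell accepts short forms of -EncodedCommand; this covers the common ones.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Each rule is (name, pattern). Patterns run over the raw line plus the decoded script.
RULES = [
    ("defender_tamper",
     re.compile(r"(?i)Set-MpPreference\b.*-Disable\w+\s+\$true|Add-MpPreference\b.*-ExclusionPath")),
    ("firewall_tamper",
     re.compile(r"(?i)netsh\s+advfirewall\s+(?:set\s+\w+\s+state\s+off|firewall\s+add\s+rule)")),
    ("schtask_persistence", re.compile(r"(?i)schtasks(?:\.exe)?\s+/create\b")),
    ("service_persistence", re.compile(r"(?i)\bsc(?:\.exe)?\s+create\b")),
]


def decode_encoded_powershell(cmdline):
    """Return the decoded script from a -EncodedCommand argument, or None if absent/invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmdline):
    """Return the sorted list of rule names that fire on a command line."""
    decoded = decode_encoded_powershell(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = {name for name, pat in RULES if pat.search(text)}
    if decoded is not None:
        hits.add("encoded_powershell")
    return sorted(hits)


def _encode_ps(script):
    """Build a -EncodedCommand argument the way PowerShell expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines (hypothetical names and paths, not real indicators).
SAMPLE_COMMAND_LINES = [
    "powershell.exe -nop -w hidden -enc " + _encode_ps(
        "Set-MpPreference -DisableRealtimeMonitoring $true; "
        "netsh advfirewall set allprofiles state off"),
    'schtasks.exe /create /tn "UpdateCheck" /tr "C:\\Users\\Public\\helper.exe" /sc onlogon',
    'netsh advfirewall firewall add rule name="helper" dir=in action=allow '
    'program="C:\\ProgramData\\helper.exe"',
    'sc.exe create HelperSvc binPath= "C:\\ProgramData\\helper.exe" start= auto',
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",  # benign
]


def triage_all(lines):
    """Map each command line to the rules it triggered; empty list means nothing fired."""
    return {line: triage(line) for line in lines}


if __name__ == "__main__":
    for line, hits in triage_all(SAMPLE_COMMAND_LINES).items():
        print(f"{hits or ['-']}  <-  {line[:70]}")
```

The decode step matters more than the regexes: the disable-Defender and firewall-off commands in the first sample never appear in the raw command line, so a rule that only inspects the visible arguments misses them. In production the rules would run over EDR or Sysmon event 1 command lines, with the decoded script stored alongside the event for analyst review.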

Created at: 2026-02-09T06:01:02.461000

Updated at: 2026-02-09T09:39:04.120000