LATEST THREAT INTELLIGENCE.
Targets high-value telecommunications infrastructure in South Asia
Description: UAT-7290, a sophisticated threat actor active since 2022, is targeting critical infrastructure entities in South Asia, particularly telecommunications providers. The group's arsenal includes malware families like RushDrop, DriveSwitch, SilentRaid, and Bulbature. UAT-7290 conducts extensive reconnaissance before intrusions, using one-day exploits and SSH brute force to compromise edge devices. The actor is believed to be a China-nexus APT, sharing similarities with APT10 and other known Chinese threat groups. UAT-7290 has recently expanded its targeting to Southeastern Europe and may establish Operational Relay Boxes for other China-nexus actors. Their malware suite primarily focuses on Linux systems but can also utilize Windows-based implants.
Created at: 2026-01-08T16:30:51.268000
Updated at: 2026-01-08T17:04:41.374000
Deceptive Layoff-Themed HR Email Distributes Remcos RAT Malware
Description: A malicious email campaign exploits workforce anxieties by disguising itself as internal HR announcements about layoffs. The emails contain a RAR archive with a double-extension executable masquerading as a PDF document. Upon execution, the file deploys Remcos RAT, a remote access tool, which establishes persistence, collects system information, and prepares the infected host for remote access. The malware uses NSIS compilation to conceal its intent and creates configuration files and registry entries for victim identification and persistence. The campaign highlights the ongoing exploitation of current organizational trends by threat actors to gain initial access to targeted systems.
Created at: 2025-12-09T17:14:34.438000
Updated at: 2026-01-08T17:00:48.362000
React2Shell Deep Dive: CVE-2025-55182 Exploit Mechanics
Description: The critical Remote Code Execution vulnerability CVE-2025-55182, dubbed 'React2Shell', affects React Server Components (RSC) and extends beyond Next.js. Attackers are exploiting it for cloud-native initial access, credential harvesting, cryptomining, and deploying sophisticated backdoors. The vulnerability stems from improper input deserialization in RSC payloads, allowing arbitrary code execution. Exploitation has been observed across various cloud platforms, targeting containerized workloads. The exploit's mechanics involve crafting a malicious payload with self-referencing gadgets to bypass security checks during deserialization. Other frameworks using RSC, such as Waku and Vite, are also vulnerable. Urgent patching and comprehensive detection measures are crucial for affected systems.
Created at: 2025-12-09T17:08:13.495000
Updated at: 2026-01-08T17:00:48.362000
Infrastructure of Interest: Medium Confidence Detection
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:39:42.586000
Updated at: 2026-01-08T16:41:46.060000
Infrastructure of Interest: Medium Confidence Phishing
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with phishing campaigns, targeting credential theft and fraudulent resource access. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:20:01.253000
Updated at: 2026-01-08T16:41:31.244000
Deep Malware and Phishing Analysis - Breaking Down an Access-Code-Gated Malware Delivery Chain
Description: This analysis examines a sophisticated malware delivery chain that begins with a phishing email impersonating DocuSign. The attack employs multiple evasion techniques, including an access-code gate, time-based checks, and packing. The initial payload is a single-file .NET bundle with a valid code signing certificate. Static analysis revealed a second-stage native binary with additional obfuscation. The final payload is identified as Vidar malware. The investigation showcases the effectiveness of combining static and dynamic analysis tools to overcome advanced evasion tactics and reconstruct the full attack chain, from the initial phishing email to the final payload.
Created at: 2026-01-08T14:24:10.302000
Updated at: 2026-01-08T14:25:29.554000
Malicious NPM Packages Deliver NodeCordRAT
Description: Three malicious npm packages were discovered in November 2025, designed to deliver and install a new RAT malware family named NodeCordRAT. The packages, bitcoin-main-lib, bitcoin-lib-js, and bip40, mimicked legitimate Bitcoin-related libraries to deceive developers. NodeCordRAT uses Discord for command-and-control communication and targets Chrome credentials, sensitive secrets, and MetaMask data. It performs host fingerprinting, executes shell commands, captures screenshots, and exfiltrates data. The malware exploits software supply chain weaknesses, highlighting the importance of vigilance in package management. Although the packages have been removed from npm, the incident serves as a reminder of ongoing threats in the software development ecosystem.
Created at: 2026-01-08T11:41:07.776000
Updated at: 2026-01-08T12:32:44.532000
BlueDelta Evolves Credential Harvesting
Description: Between February and September 2025, BlueDelta, a Russian state-sponsored threat group linked to the GRU, conducted multiple credential-harvesting campaigns. The group targeted individuals associated with energy research, defense cooperation, and government communication networks in Turkey, Europe, North Macedonia, and Uzbekistan. BlueDelta impersonated legitimate webmail and VPN services, using free hosting and tunneling services to host phishing content and capture user data. The campaigns incorporated PDF lures and customized JavaScript to increase authenticity and operational efficiency. This activity demonstrates BlueDelta's continued focus on low-cost, high-yield methods for collecting information supporting Russian intelligence objectives.
Created at: 2026-01-08T11:41:07.032000
Updated at: 2026-01-08T12:31:34.154000
Fake Browser Updates Targeting WordPress Administrators via Malicious Plugin
Description: A malicious WordPress plugin named 'Modern Recent Posts' has been discovered, targeting administrators with fake browser update pop-ups. The plugin injects malicious JavaScript from an external domain, affecting only logged-in administrators on Windows machines. The campaign uses social engineering tactics to trick users into downloading potential malware. The plugin includes persistence mechanisms and can self-update. This sophisticated attack demonstrates a focused approach to high-value targets, leveraging trust in security updates to compromise local machines. The malware's stealthy nature and targeted delivery make it particularly dangerous for WordPress site owners.
Created at: 2026-01-08T11:41:04.376000
Updated at: 2026-01-08T12:25:54.282000
Sneeit WordPress RCE Exploited in the Wild While ICTBroadcast Bug Fuels Frost Botnet Attacks
Description: A critical remote code execution vulnerability (CVE-2025-6389) in the Sneeit Framework WordPress plugin is being actively exploited. The flaw allows unauthenticated attackers to execute code on the server, potentially creating malicious admin accounts or injecting backdoors. Wordfence has blocked over 131,000 attack attempts since November 24, 2025. Concurrently, a separate attack exploiting an ICTBroadcast vulnerability (CVE-2025-2611) is being used to spread the 'Frost' DDoS botnet. This botnet combines DDoS capabilities with spreader logic, including exploits for fifteen CVEs. The attacks appear to be part of a small, targeted operation, given the limited number of vulnerable internet-exposed systems.
Created at: 2025-12-09T12:50:07.844000
Updated at: 2026-01-08T12:00:22.571000
