LATEST THREAT INTELLIGENCE.
EmEditor Homepage Download Button Served Malware for 4 Days
Description: Between December 19-22, 2025, EmEditor's official website suffered a security breach, causing the main download button to serve malicious software. The fake installer, signed by WALSHAM INVESTMENTS LIMITED, contained infostealer malware targeting login credentials, browser history, and VPN settings. It specifically targeted technical staff and government offices, stealing files and installing a fraudulent browser extension for remote control and cryptocurrency address swapping. Users who downloaded during this period are advised to check the digital signature, delete suspicious files, and change stored passwords. Emurasoft is investigating the incident and has apologized for the inconvenience.
Created at: 2025-12-30T16:57:33.593000
Updated at: 2025-12-30T17:08:48.843000
RondoDoX Botnet Weaponizes React2Shell
Description: A persistent nine-month RondoDoX botnet campaign has been targeting IoT devices and web applications. The threat actors have recently shifted to weaponizing a critical Next.js vulnerability, deploying malicious payloads like 'React2Shell' and cryptominers. The campaign, spanning from March to December 2025, shows quick adaptation to the latest attack trends. The activity is divided into three phases: initial reconnaissance, web application exploitation, and IoT botnet deployment. The attackers have been using multiple command and control servers and deploying various malware variants. The campaign intensified in December 2025 with a focus on Next.js exploitation. The impact includes widespread IoT device compromise, Next.js application risks, credential harvesting, and persistent multi-architecture threats.
Created at: 2025-12-29T19:53:02.379000
Updated at: 2025-12-29T21:25:40.343000
The HoneyMyte APT now protects malware with a kernel-mode rootkit
Description: In mid-2025, a malicious driver file was discovered on Asian computer systems, signed with a compromised digital certificate. This driver injects a backdoor Trojan and protects malicious files, processes, and registry keys. The final payload is a new variant of the ToneShell backdoor, associated with the HoneyMyte APT group. The attacks, which began in February 2025, primarily target government organizations in Southeast and East Asia, especially Myanmar and Thailand. The malware uses various techniques to evade detection, including API obfuscation, process protection, and registry key protection. The ToneShell backdoor communicates with command-and-control servers using fake TLS headers and supports remote operations such as file transfer and shell access.
Created at: 2025-12-29T13:22:26.696000
Updated at: 2025-12-29T13:50:47.832000
New Tomiris tools and techniques: multiple reverse shells, Havoc, AdaptixC2
Description: Kaspersky researchers uncovered new malicious operations by the Tomiris threat actor targeting foreign ministries, intergovernmental organizations, and government entities. The attacks, which began in early 2025, show a shift in tactics with increased use of implants leveraging public services like Telegram and Discord as command-and-control servers. The group employs various programming languages including Go, Rust, C/C#/C++, and Python to develop reverse shell tools. Some infections lead to the deployment of open-source post-exploitation frameworks such as Havoc and AdaptixC2. The campaign primarily focuses on Russian-speaking users and entities, with additional targets in Central Asian countries.
Created at: 2025-11-28T08:31:24.854000
Updated at: 2025-12-28T08:01:08.411000
Dragons in Thunder
Description: This report details the activities of two hacker groups, QuietCrabs and Thor, targeting Russian companies. QuietCrabs exploited RCE vulnerabilities in Microsoft SharePoint and Ivanti Endpoint Manager Mobile, using KrustyLoader and Sliver malware. Thor employed more common tools and techniques, attacking around 110 Russian companies across various sectors. Both groups utilized recent vulnerabilities, with QuietCrabs acting within hours of exploit publications. The report highlights the groups' tactics, tools, and targeted industries, emphasizing the need for robust cybersecurity measures to counter such sophisticated attacks.
Created at: 2025-11-28T07:33:13.437000
Updated at: 2025-12-28T08:01:08.411000
The Mystery OAST Host Behind a Regionally Focused Exploit Operation
Description: A long-running, attacker-operated OAST service on Google Cloud has been observed driving a focused exploit operation. The actor combines stock Nuclei templates with custom payloads to expand their reach. All observed activity targeted canaries deployed in Brazil, indicating a deliberate regional focus. The operation involves roughly 1,400 exploit attempts spanning more than 200 CVEs. The attacker uses a private OAST domain, detectors-testing.com, which has been active for at least a year. The infrastructure is hosted on US-based Google Cloud, providing practical benefits for the attacker. The actor demonstrates willingness to modify common exploit components, as evidenced by a custom Fastjson payload. This sustained scanning effort suggests a more structured operation than typical exploit spraying.
Created at: 2025-11-28T02:45:43.478000
Updated at: 2025-12-28T08:01:08.411000
Analysis of the Lumma infostealer
Description: The Lumma infostealer is a sophisticated malware distributed as Malware-as-a-Service, targeting Windows systems. It primarily steals sensitive data such as browser credentials, cryptocurrency wallets, and VPN/RDP accounts. Lumma is often used in the initial stages of multi-vector attacks, including ransomware and network breaches. The malware is distributed through phishing sites, disguised as pirated software, and uses complex techniques like NSIS packaging, AutoIt scripts, and process hollowing to evade detection. To combat this threat, organizations should implement behavior-based detection systems and integrate threat intelligence into their security strategies.
Created at: 2025-11-27T18:43:56.824000
Updated at: 2025-12-27T18:01:22.463000
ShadowV2 Casts a Shadow Over IoT Devices
Description: A new Mirai variant called ShadowV2 has been observed spreading through IoT vulnerabilities during a global AWS disruption. The malware targeted multiple countries and industries worldwide, exploiting vulnerabilities in devices from vendors like DD-WRT, D-Link, Digiever, TBK, and TP-Link. ShadowV2 is designed for IoT devices and uses an XOR-encoded configuration to connect to a C2 server for receiving DDoS attack commands. The malware supports various attack methods, including UDP floods, TCP-based floods, and HTTP-level floods. This incident highlights the ongoing vulnerability of IoT devices and the need for timely firmware updates, robust security practices, and continuous threat monitoring.
Created at: 2025-11-27T07:37:54.726000
Updated at: 2025-12-27T08:05:27.053000
How NTLM is being abused in 2025 cyberattacks
Description: NTLM, a legacy authentication protocol, remains prevalent in Windows environments despite known vulnerabilities. Threat actors continue to exploit both old and newly discovered flaws in NTLM for credential theft, privilege escalation, and lateral movement. Recent vulnerabilities like CVE-2024-43451, CVE-2025-24054, and CVE-2025-33073 have been actively exploited in various campaigns. Attacks involve hash leakage, coercion-based techniques, credential forwarding, and man-in-the-middle approaches. Threat groups like BlindEagle and Head Mare have leveraged these vulnerabilities to distribute malware and target specific regions. To mitigate risks, organizations are advised to disable or limit NTLM usage, implement message signing, enable Extended Protection for Authentication, and monitor NTLM traffic closely.
Created at: 2025-11-26T14:09:22.317000
Updated at: 2025-12-26T14:01:03.043000
Infrastructure of Interest: Medium Confidence Detection
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:39:42.586000
Updated at: 2025-12-26T10:02:37.438000