LATEST THREAT INTELLIGENCE.
Kimsuky Distributing Malicious Mobile App via QR Code
Description: A new campaign by Kimsuky involves distributing malicious mobile apps through QR codes and phishing websites. The apps, masquerading as delivery services, VPNs, and cryptocurrency tools, decrypt an embedded APK to deploy a RAT with extensive capabilities. The malware uses a native decryption function and diverse decoy behaviors. Infrastructure overlaps and Korean language comments link this activity to Kimsuky. The threat actor employs sophisticated phishing techniques and leverages QR codes to redirect victims to malicious downloads. The malware requests extensive permissions and implements keylogging, audio recording, and data exfiltration. Multiple C&C servers were identified, some hosting Naver and Kakao phishing sites.
Created at: 2025-12-16T14:57:28.142000
Updated at: 2026-01-15T14:02:33.805000
Infrastructure of Interest: Medium Confidence Detection
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:39:42.586000
Updated at: 2026-01-15T12:58:12.475000
Infrastructure of Interest: Medium Confidence Phishing
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with phishing campaigns, targeting credential theft and fraudulent resource access. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:20:01.253000
Updated at: 2026-01-15T12:57:56.933000
Sicarii Ransomware: Truth vs Myth
Description: A new RaaS operation called Sicarii emerged in late 2025, claiming Israeli/Jewish affiliation. The group uses Hebrew language, historical symbols, and right-wing ideological references in its branding. However, underground activity is primarily conducted in Russian, and the Hebrew content appears non-native. The ransomware's technical capabilities include data exfiltration, credential collection, and file encryption. It performs geo-fencing to avoid Israeli systems. The group's behavior and messaging diverge from typical ransomware practices, raising questions about its true identity and motives. Linguistic analysis and operational patterns suggest the claimed Israeli identity may be performative rather than genuine.
Created at: 2026-01-15T11:45:54.226000
Updated at: 2026-01-15T12:13:39.180000
Inside RedVDS: How a single virtual desktop provider fueled worldwide cybercriminal operations
Description: RedVDS, a virtual dedicated server provider, has been utilized by multiple financially motivated threat actors for business email compromise, phishing, account takeover, and financial fraud. The service offers inexpensive Windows-based RDP servers with full administrator control, attracting cybercriminals worldwide. Microsoft's investigation revealed a global network targeting multiple sectors across various countries. RedVDS uses a single, cloned Windows host image, leaving unique technical fingerprints. The service operates through cryptocurrency payments and supports various digital currencies. Microsoft's analysis uncovered the infrastructure, provisioning methods, and tools deployed on RedVDS hosts, including mass mailers, email harvesters, privacy tools, and automation scripts.
Created at: 2026-01-14T19:24:49.171000
Updated at: 2026-01-15T11:29:18.168000
Investigating the Infrastructure Behind DDoSia's Attacks
Description: DDoSia, a participatory DDoS tool created by Russian hacktivists in 2022, is operated by the pro-Russian group NoName057(16). It relies on volunteers to contribute network resources for attacks, primarily targeting Ukraine, European allies, and NATO states. Censys has monitored DDoSia since mid-2025, observing an average of 6 control servers with short lifespans. The tool uses a multi-layered control infrastructure, with systems typically hosted on VPS providers. Despite law enforcement disruption in July 2025, DDoSia quickly reconstituted and resumed operations. The infrastructure is characterized by rapid changes, with most servers active for less than 24 hours. Attacks focus on government, military, transportation, public utilities, financial, and tourism sectors.
Created at: 2025-12-16T09:50:20.175000
Updated at: 2026-01-15T09:03:59.529000
Malicious SSO Logins Observed Following Disclosure of CVE-2025-59718 and CVE-2025-59719
Description: On December 12, 2025, intrusions involving malicious SSO logins on FortiGate appliances were observed. These attacks followed Fortinet's disclosure of two critical authentication bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719) on December 9. The vulnerabilities allow unauthenticated bypass of SSO login authentication via crafted SAML messages when FortiCloud SSO is enabled. Affected products include FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. Malicious logins originated from specific hosting providers, targeting admin accounts. Configuration exports to the same IP addresses were also noted. Recommendations include resetting firewall credentials, limiting management interface access, upgrading to fixed versions, and disabling FortiCloud login if immediate upgrade is not possible.
Created at: 2025-12-15T21:41:56.659000
Updated at: 2026-01-14T21:05:02.119000
Defending against the CVE-2025-55182 (React2Shell) vulnerability in React Server Components
Description: CVE-2025-55182, also known as React2Shell, is a critical pre-authentication remote code execution vulnerability affecting React Server Components and related frameworks. With a CVSS score of 10.0, it allows attackers to execute arbitrary code on vulnerable servers through a single malicious HTTP request. Exploitation has been detected since December 5, 2025, primarily in red team assessments but also in real-world attacks delivering coin miners. The vulnerability stems from a failure to validate incoming payloads in React Server Components, enabling attackers to inject malicious structures leading to prototype pollution and remote code execution. Post-exploitation activities include running reverse shells, achieving persistence, evading security defenses, and attempting lateral movement to cloud resources.
Created at: 2025-12-15T21:41:54.360000
Updated at: 2026-01-14T21:05:02.119000
Infrastructure of Interest: Medium Confidence FastFlux
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous DNS patterns, behavioral analysis of rapid IP rotation, and cross-referenced intelligence from global sinkhole data and network telemetry. The IOCs included in this pulse are associated with fast-flux networks, characterized by constantly changing IP addresses and DNS records to evade detection while maintaining resilient malicious infrastructure for phishing, malware delivery, or C2 operations. Use this data to enhance DNS-based detection rules, identify flux parent domains, and disrupt threat actor network resilience. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:34:03.778000
Updated at: 2026-01-14T16:09:58.496000
New Magecart Network Uncovered: Disrupting Online Shoppers Worldwide
Description: A new Magecart network has been uncovered, targeting major payment networks including American Express, Diners Club, Discover, and Mastercard. The campaign, active since January 2022, uses web-skimming techniques to steal credit card information from online shoppers. The attackers inject malicious JavaScript code into compromised e-commerce websites, creating fake payment forms that capture and exfiltrate sensitive data. The skimmer employs sophisticated obfuscation techniques and mimics legitimate payment processes to avoid detection. Victims are unaware of the theft, as the malware allows the real transaction to proceed after capturing the data. The campaign demonstrates advanced knowledge of e-commerce platforms and continues to pose a significant threat to online retailers and consumers worldwide.
Created at: 2026-01-13T19:36:56.358000
Updated at: 2026-01-14T10:49:05.747000
