LATEST THREAT INTELLIGENCE.

Infostealers without borders: macOS, Python stealers, and platform abuse

Description: Infostealer threats are expanding beyond Windows, targeting macOS and leveraging cross-platform languages like Python. Recent campaigns use social engineering to deploy macOS-specific infostealers such as DigitStealer, MacSync, and AMOS. These stealers use fileless execution and native macOS utilities to harvest credentials and sensitive data. Python-based stealers are also on the rise, allowing attackers to quickly adapt and target diverse environments. Additionally, threat actors are abusing trusted platforms like WhatsApp and PDF converter tools to distribute malware such as Eternidade Stealer. These evolving threats blend into legitimate ecosystems and evade conventional defenses, posing significant risks to organizations across various operating systems and delivery channels.

Created at: 2026-02-02T22:44:53.887000

Updated at: 2026-02-03T10:42:29.276000

Leveraging of CVE-2026-21509 in Operation Neusploit

Description: A new campaign dubbed Operation Neusploit, attributed to the Russia-linked APT28 group, targets Central and Eastern European countries using specially crafted Microsoft RTF files to exploit CVE-2026-21509. The attack chain involves multi-stage infection, delivering malicious backdoors including MiniDoor, PixyNetLoader, and a Covenant Grunt implant. The campaign employs social engineering lures in multiple languages, server-side evasion techniques, and abuses the Filen API for command-and-control communications. The malware components utilize various persistence mechanisms, steganography, and anti-analysis techniques. The operation showcases APT28's evolving tactics, techniques, and procedures in weaponizing the latest vulnerabilities.

Created at: 2026-02-02T22:44:54.419000

Updated at: 2026-02-03T09:30:48.951000

The Chrysalis Backdoor: A Deep Dive into Lotus Blossom's toolkit

Description: Rapid7 Labs has uncovered a sophisticated campaign attributed to the Chinese APT group Lotus Blossom, involving a new custom backdoor named Chrysalis. The attack compromised Notepad++ infrastructure to deliver the backdoor. Analysis revealed multiple custom loaders, including one using Microsoft Warbird for obfuscation. The Chrysalis backdoor has extensive capabilities for information gathering, file operations, and remote command execution. Additional artifacts found include Cobalt Strike beacons and Metasploit payloads. The campaign shows Lotus Blossom evolving its tactics, mixing custom and off-the-shelf tools with advanced obfuscation techniques to evade detection.

Created at: 2026-02-03T08:21:04.364000

Updated at: 2026-02-03T08:27:09.227000

Supply chain attack: what you should know

Description: A supply chain attack targeted the eScan antivirus software, distributing malware through the update server. The attack, detected on January 20, involved a malicious Reload.exe file that initiated a multi-stage infection chain. This malware prevented further antivirus updates, ensured persistence through scheduled tasks, and communicated with control servers to download additional payloads. Attackers gained unauthorized access to a regional update server, deploying a malicious file with a fake digital signature. eScan developers quickly isolated the affected infrastructure and reset access credentials. Users are advised to check for infection signs, use a provided removal utility, and block known malware control server addresses. Kaspersky's security solutions successfully detect the malware used in this attack.

Created at: 2026-01-29T17:20:35.658000

Updated at: 2026-02-02T20:56:33.346000

Fake Dropbox Phishing Campaign via PDF and Cloud Storage

Description: A sophisticated phishing campaign has been detected that utilizes a multi-stage approach to evade detection. The attack begins with a procurement-themed email containing a PDF attachment. This PDF redirects victims to another PDF hosted on trusted cloud storage, which then leads to a fake Dropbox login page. The attackers exploit trusted platforms and harmless file formats to bypass security measures. The campaign uses social engineering tactics to harvest credentials, which are then exfiltrated to attacker-controlled infrastructure via Telegram. This method proves effective by leveraging legitimate business processes, trusted file types, and reputable cloud services to appear authentic and bypass automated security checks.

Created at: 2026-02-02T18:31:08.887000

Updated at: 2026-02-02T20:00:29.663000

Dissecting CrashFix: KongTuke's New Toy

Description: KongTuke, a threat actor tracked since 2025, has launched a new campaign using a malicious browser extension called NexShield that impersonates uBlock Origin Lite. The extension causes browser crashes and displays fake security warnings to trick users into executing malicious commands. The campaign targets both home and corporate users, with domain-joined machines receiving a more sophisticated Python-based RAT named ModeloRAT. The attack chain involves multiple stages of obfuscation, anti-analysis techniques, and a Domain Generation Algorithm (DGA) for C2 communication. KongTuke employs extensive fingerprinting to avoid detection in analysis environments. The campaign demonstrates evolving social engineering tactics and a focus on infiltrating enterprise networks for potential lateral movement and data exfiltration.

Created at: 2026-01-17T13:17:09.602000

Updated at: 2026-02-02T17:10:45.444000

Infrastructure of Interest: Medium Confidence Detection

Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.

Created at: 2025-08-07T07:39:42.586000

Updated at: 2026-02-02T11:41:33.760000

Infrastructure of Interest: Medium Confidence Command And Control

Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with command and control (C2) infrastructure, facilitating malware communication, data exfiltration, and persistent threat actor operations. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.

Created at: 2025-08-07T07:29:37.542000

Updated at: 2026-02-02T11:40:17.484000

MuddyWater: Snakes by the riverbank

Description: MuddyWater, an Iran-aligned cyberespionage group, has been targeting critical infrastructure in Israel and Egypt with custom malware and improved tactics. The campaign uses previously undocumented tools like the Fooder loader and MuddyViper backdoor to enhance defense evasion and persistence. Fooder masquerades as a Snake game and uses game-inspired techniques to hinder analysis. MuddyViper enables system information collection, file manipulation, and credential theft. The group also employs browser-data stealers and reverse tunneling tools. This campaign demonstrates MuddyWater's evolution towards more sophisticated and refined approaches, though traces of operational immaturity remain. The group continues to pose a significant threat, particularly to government, military, telecommunications, and critical infrastructure sectors in the Middle East.

Created at: 2026-01-03T11:05:58.696000

Updated at: 2026-02-02T11:02:09.057000

LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan

Description: ESET researchers have uncovered a new China-aligned APT group named LongNosedGoblin targeting governmental entities in Southeast Asia and Japan for cyberespionage. The group employs a varied custom toolset of C#/.NET applications and abuses Group Policy for lateral movement. Key tools include NosyHistorian for collecting browser history, the NosyDoor backdoor, which uses cloud services for C&C, and NosyStealer for exfiltrating browser data. The attackers also utilize techniques like AppDomainManager injection and AMSI bypassing. LongNosedGoblin has been active since at least September 2023, showing ongoing campaigns throughout 2024 and 2025. The research provides detailed analysis of the group's malware and tactics, including potential sharing of the NosyDoor backdoor among multiple China-aligned actors.

Created at: 2026-01-03T11:05:57.103000

Updated at: 2026-02-02T11:02:09.057000