LATEST THREAT INTELLIGENCE

Guloader Malware Being Disguised as Employee Performance Reports

Description: ASEC discovered Guloader malware being distributed through phishing emails masquerading as employee performance reports. The emails, claiming to be about October 2025 performance, contain a RAR file with an NSIS executable named 'staff record pdf.exe'. This file is actually Guloader malware, which downloads and executes shellcode from a Google Drive URL. The final payload is Remcos RAT, enabling threat actors to perform various malicious remote control activities, including keylogging, screenshot capture, webcam and microphone control, and browser data extraction. The attackers are increasingly using legitimate platforms as C2 servers, making detection more challenging. Users are advised to exercise caution when opening emails from unknown sources and to change passwords regularly to prevent secondary damage.

Created at: 2026-01-08T18:12:08.252000

Updated at: 2026-02-07T18:00:59.149000

Reborn in Rust: MuddyWater Evolves Tooling with RustyWater Implant

Description: The MuddyWater APT group has launched a spearphishing campaign targeting various sectors in the Middle East, including diplomatic, maritime, financial, and telecom entities. The campaign employs icon spoofing and malicious Word documents to deliver a Rust-based implant dubbed 'RustyWater'. This new tool represents a significant upgrade from their traditional PowerShell and VBS loaders, offering capabilities such as asynchronous C2, anti-analysis features, registry persistence, and modular post-compromise expansion. The attack chain involves a malicious email with an attached document that triggers a multi-stage process, ultimately leading to the deployment of the RustyWater implant. This evolution in MuddyWater's toolkit demonstrates their adaptation to more sophisticated, structured, and stealthy attack methods.

Created at: 2026-01-08T18:12:01.321000

Updated at: 2026-02-07T18:00:59.149000

BlueDelta Evolves Credential Harvesting

Description: Between February and September 2025, BlueDelta, a Russian state-sponsored threat group linked to the GRU, conducted multiple credential-harvesting campaigns. The group targeted individuals associated with energy research, defense cooperation, and government communication networks in Turkey, Europe, North Macedonia, and Uzbekistan. BlueDelta impersonated legitimate webmail and VPN services, using free hosting and tunneling services to host phishing content and capture user data. The campaigns incorporated PDF lures and customized JavaScript to increase authenticity and operational efficiency. This activity demonstrates BlueDelta's continued focus on low-cost, high-yield methods for collecting information supporting Russian intelligence objectives.

Created at: 2026-01-08T11:41:07.032000

Updated at: 2026-02-07T12:01:06.539000

Knife Cutting the Edge: Disclosing a China-nexus gateway-monitoring AitM framework

Description: Cisco Talos uncovered 'DKnife', a sophisticated gateway-monitoring and adversary-in-the-middle (AitM) framework comprising seven Linux-based implants. Used since 2019, DKnife performs deep-packet inspection, traffic manipulation, and malware delivery via routers and edge devices. It targets various devices, including PCs, mobile devices, and IoT, delivering ShadowPad and DarkNimbus backdoors. The framework primarily targets Chinese-speaking users, with evidence suggesting China-nexus threat actors as operators. DKnife's capabilities include DNS hijacking, Android application update hijacking, Windows binary hijacking, anti-virus traffic disruption, and user activity monitoring. A link to the WizardNet campaign was also discovered, indicating a shared development or operational lineage.

Created at: 2026-02-05T20:16:27.292000

Updated at: 2026-02-06T16:18:47.684000

Infrastructure of Interest: Medium Confidence Detection

Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.

Created at: 2025-08-07T07:39:42.586000

Updated at: 2026-02-06T14:44:34.797000

Infrastructure of Interest: Medium Confidence FastFlux

Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous DNS patterns, behavioral analysis of rapid IP rotation, and cross-referenced intelligence from global sinkhole data and network telemetry. The IOCs included in this pulse are associated with Fastflux networks, characterized by constantly changing IP addresses and DNS records to evade detection while maintaining resilient malicious infrastructure for phishing, malware delivery, or C2 operations. Use this data to enhance DNS-based detection rules, identify flux parent domains, and disrupt threat actor network resilience. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.

Created at: 2025-08-07T07:34:03.778000

Updated at: 2026-02-06T14:42:37.178000

Infrastructure of Interest: Medium Confidence Command And Control

Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with command and control (C2) infrastructure, facilitating malware communication, data exfiltration, and persistent threat actor operations. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.

Created at: 2025-08-07T07:29:37.542000

Updated at: 2026-02-06T14:42:26.164000

Phishing actors exploiting complex routing scenarios and misconfigured spoof protections

Description: Threat actors are leveraging complex routing scenarios and misconfigured spoof protections to send phishing emails that appear to be internal communications. These attacks, which have increased since May 2025, use various lures like voicemails, shared documents, and password resets to conduct credential phishing and financial scams. The campaigns, often using PhaaS platforms like Tycoon2FA, are opportunistic and target multiple industries. While Microsoft detects most attempts, organizations can further mitigate risks by properly configuring spoof protections and third-party connectors. The attacks do not affect customers whose Microsoft Exchange MX records point to Office 365, as they are protected by built-in spoofing detections.

Created at: 2026-01-07T11:34:32.218000

Updated at: 2026-02-06T11:02:05.852000

New ClickFix variant 'CrashFix' deploying Python Remote Access Trojan

Description: A new evolution in the ClickFix campaign, dubbed CrashFix, has been identified. This variant deliberately crashes victims' browsers and uses social engineering to lure users into executing malicious commands. The attack begins with a malicious ad redirecting users to install a harmful browser extension impersonating a legitimate ad blocker. The payload causes delayed browser issues and presents a fake security warning. It misuses the Windows utility finger.exe to execute malicious commands and downloads additional payloads, including a Python-based Remote Access Trojan (RAT). The RAT, named ModeloRAT, establishes persistence and performs extensive reconnaissance. The campaign targets domain-joined systems and employs multiple obfuscation techniques to evade detection.

Created at: 2026-02-05T20:01:03.061000

Updated at: 2026-02-05T20:55:21.635000

Technical Analysis of Marco Stealer

Description: Marco Stealer, discovered in June 2025, is an information stealer targeting browser data, cryptocurrency wallets, and sensitive files. It employs anti-analysis techniques, string encryption, and terminates security tools. The malware collects system information, exfiltrates browser data using embedded files, and extracts cryptocurrency wallet data from browser extensions. It also targets popular services and cloud storage. Marco Stealer uses AES-256 encryption for C2 communication over HTTP. Despite recent law enforcement actions against similar threats, information stealers continue to pose significant risks to corporate environments.

Created at: 2026-02-05T20:06:39.665000

Updated at: 2026-02-05T20:53:32.780000