LATEST THREAT INTELLIGENCE.
Infostealers without borders: macOS, Python stealers, and platform abuse
Description: Infostealer threats are expanding beyond Windows, targeting macOS and leveraging cross-platform languages like Python. Recent campaigns use social engineering to deploy macOS-specific infostealers such as DigitStealer, MacSync, and AMOS. These stealers use fileless execution and native macOS utilities to harvest credentials and sensitive data. Python-based stealers are also on the rise, allowing attackers to quickly adapt and target diverse environments. Additionally, threat actors are abusing trusted platforms like WhatsApp and PDF converter tools to distribute malware such as Eternidade Stealer. These evolving threats blend into legitimate ecosystems and evade conventional defenses, posing significant risks to organizations across various operating systems and delivery channels.
Created at: 2026-02-02T22:44:53.887000
Updated at: 2026-03-04T22:03:27.299000
Infrastructure of Interest: Medium Confidence FastFlux
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous DNS patterns, behavioral analysis of rapid IP rotation, and cross-referenced intelligence from global sinkhole data and network telemetry. The IOCs included in this pulse are associated with Fastflux networks, characterized by constantly changing IP addresses and DNS records to evade detection while maintaining resilient malicious infrastructure for phishing, malware delivery, or C2 operations. Use this data to enhance DNS-based detection rules, identify flux parent domains, and disrupt threat actor network resilience. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:34:03.778000
Updated at: 2026-03-04T16:37:19.517000
Infrastructure of Interest: Medium Confidence InfoStealer
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with infostealer malware, designed to harvest sensitive data such as credentials, cookies, and financial information from compromised systems. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations involving data theft. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:31:55.617000
Updated at: 2026-03-04T16:37:18.785000
Infrastructure of Interest: Medium Confidence Command And Control
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with command and control (C2) infrastructure, facilitating malware communication, data exfiltration, and persistent threat actor operations. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:29:37.542000
Updated at: 2026-03-04T16:37:16.270000
Infrastructure of Interest: Medium Confidence Phishing
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with phishing campaigns, targeting credential theft and fraudulent resource access. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:20:01.253000
Updated at: 2026-03-04T16:37:14.196000
Breaking Down the Role of Cyber Operations Taken in the Iran Crisis
Description: The report analyzes the cyber aspects of the ongoing conflict between Iran, the US, and Israel. It details a massive cyberattack launched by the US and Israel against Iran, causing widespread internet disruptions and infrastructure failures. The report also covers the activation and retooling of Iranian APT groups for retaliatory operations, targeting critical infrastructure in the US, Israel, and allied countries. Key actors include MuddyWater, Charming Kitten, OilRig, and Elfin. The analysis covers tactics, techniques, and procedures used by these groups, as well as their strategic objectives. The report also discusses the involvement of hacktivist proxies and the victimology of the attacks, affecting multiple countries and industries.
Created at: 2026-03-04T15:30:21.217000
Updated at: 2026-03-04T15:45:27.633000
Silver Dragon Targets Organizations in Southeast Asia and Europe
Description: Check Point Research has identified a Chinese-nexus advanced persistent threat group named Silver Dragon, targeting organizations in Southeast Asia and Europe since mid-2024. The group, likely operating under APT41, exploits public-facing servers and uses phishing emails for initial access. They deploy custom tools including GearDoor, a backdoor using Google Drive for command and control, SSHcmd for remote access, and SilverScreen for covert screen monitoring. Silver Dragon primarily focuses on government entities, utilizing Cobalt Strike beacons and DNS tunneling for communication. The group's sophisticated tactics and evolving toolkit demonstrate a well-resourced and adaptable threat actor.
Created at: 2026-03-03T20:03:17.234000
Updated at: 2026-03-04T11:07:57.364000
Signed malware impersonating workplace apps deploys RMM backdoors
Description: Multiple phishing campaigns were identified using workplace meeting lures, PDF attachments, and abuse of legitimate binaries to deliver signed malware. The attacks used digitally signed executables masquerading as legitimate software to install remote monitoring and management (RMM) tools like ScreenConnect, Tactical RMM, and Mesh Agent. These tools enabled attackers to establish persistence and move laterally within compromised environments. The malware was signed using an Extended Validation certificate issued to TrustConnect Software PTY LTD. The campaigns demonstrate how familiar branding and trusted digital signatures can be exploited to bypass user suspicion and gain an initial foothold in enterprise networks.
Created at: 2026-03-04T00:20:30.607000
Updated at: 2026-03-04T11:03:30.078000
Malicious Packagist Packages Disguised as Laravel Utilities Deploy Encrypted RAT
Description: A remote access trojan (RAT) has been discovered in multiple Packagist packages published by the threat actor nhattuanbl. The malicious packages, disguised as Laravel utilities, install an encrypted PHP RAT via Composer dependencies. The payload connects to a C2 server, sends system reconnaissance data, and awaits commands, granting full remote access to the host. The RAT uses obfuscation techniques to resist analysis and employs a self-launch mechanism. It communicates with the C2 server using encrypted JSON messages and supports various commands for system control and data exfiltration. The attack vector leverages dependency chains, with clean-looking packages pulling in malicious ones. Affected systems should be treated as compromised, with recommendations provided for mitigation and prevention.
Created at: 2026-03-04T10:55:55.309000
Updated at: 2026-03-04T10:59:07.528000
Quick, You Need Assistance!
Description: A Microsoft Teams voice-phishing campaign leveraging Quick Assist, a remote administration tool, was tracked in September 2025. The campaign uses help desk scams to gain initial access, followed by user group enumeration and the execution of a PowerShell script to download a command and control payload. The attack employs AMSI bypass, encrypted communications, and a web-socket remote access trojan. Multiple Microsoft 365 tenants with IT-related subdomains were used, along with various IPs and domains for C2 infrastructure. The campaign shows similarities to Storm-1811 and PhantomCaptcha activities, suggesting a complex cybercrime ecosystem. The attackers' ultimate goal may be ransomware deployment, although observed attempts were successfully blocked.
Created at: 2026-02-02T10:52:24.545000
Updated at: 2026-03-04T10:03:50.152000
