LATEST THREAT INTELLIGENCE.
Pivoting From PayTool: Tracking Various Frauds and E-Crime Targeting Canada
Description: This investigation exposes a complex fraud ecosystem targeting Canadians through impersonation of government services and trusted brands. Attackers exploit digital dependencies for transportation, taxation, parcel delivery, and travel using convincing campaigns. The activity is linked to the 'PayTool' phishing framework, specializing in traffic violation scams. Additional infrastructure impersonates Canada Revenue Agency, Air Canada, and Canada Post. Threat actors commercialize these campaigns on underground forums, selling phishing kits mimicking official services. Victims are lured via SMS and malicious ads, using high-pressure tactics. The infrastructure employs fake validation phases and fraudulent payment gateways to harvest personal and financial data. The campaign's scope spans multiple provinces, utilizing shared hosting and domain generation patterns for scalability.
Created at: 2026-01-27T13:03:18.851000
Updated at: 2026-01-27T17:18:38.875000
CoolClient backdoor updated, new data stealing tools used
Description: The HoneyMyte APT group has enhanced its toolset with an updated CoolClient backdoor and new data stealing capabilities. The group targeted government entities in Asia and Europe, particularly Southeast Asia. CoolClient now features clipboard monitoring, HTTP proxy credential sniffing, and plugin support for extended functionality. HoneyMyte also deployed browser login data stealers and document theft scripts. The campaign's focus has shifted towards active surveillance, including keylogging, clipboard data collection, and proxy credential harvesting. Organizations are advised to remain vigilant against HoneyMyte's evolving toolkit, which includes CoolClient, PlugX, ToneShell, Qreverse, and LuminousMoth malware families.
Created at: 2026-01-27T11:49:30.682000
Updated at: 2026-01-27T16:10:58.306000
Infrastructure of Interest: Medium Confidence Detection
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:39:42.586000
Updated at: 2026-01-27T12:17:01.259000
Infrastructure of Interest: Medium Confidence InfoStealer
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with infostealer malware, designed to harvest sensitive data such as credentials, cookies, and financial information from compromised systems. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations involving data theft. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:31:55.617000
Updated at: 2026-01-27T12:16:02.119000
Infrastructure of Interest: Medium Confidence Command And Control
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with command and control (C2) infrastructure, facilitating malware communication, data exfiltration, and persistent threat actor operations. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:29:37.542000
Updated at: 2026-01-27T12:15:59.244000
Infrastructure of Interest: Medium Confidence Phishing
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with phishing campaigns, targeting credential theft and fraudulent resource access. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:20:01.253000
Updated at: 2026-01-27T12:15:58.186000
APT Attacks Target Indian Government Using GOGITTER, GITSHELLPAD, and GOSHELL | Part 1
Description: A Pakistan-linked APT group conducted two campaigns targeting Indian government entities. The Gopher Strike campaign used PDFs with malicious links to deliver an ISO file containing GOGITTER, a Golang downloader that fetches payloads from private GitHub repositories. GITSHELLPAD, a Golang backdoor, was used for C2 communication via GitHub. GOSHELL, a Golang shellcode loader, deployed Cobalt Strike Beacon on specific hostnames. The attackers used various techniques including scheduled tasks for persistence, obfuscation, and environmental keying. Post-compromise activities involved system reconnaissance and data exfiltration. The campaign demonstrated sophisticated TTPs and custom-built tools, indicating a potentially new subgroup or parallel Pakistan-linked threat actor.
Created at: 2026-01-26T21:19:21.461000
Updated at: 2026-01-27T07:28:53.210000
A Versatile Script Framework for LOLBins Exploitation Used by China-aligned Threat Groups
Description: PeckBirdy is a sophisticated JScript-based C&C framework employed by China-aligned APT groups since 2023. It exploits LOLBins across multiple environments to deliver advanced backdoors, targeting gambling industries and Asian government entities. The framework's versatility allows it to be used in various attack stages, from watering-hole control to lateral movement and C&C operations. Two campaigns, SHADOW-VOID-044 and SHADOW-EARTH-045, demonstrate coordinated threat group activity using PeckBirdy. The framework is complemented by two modular backdoors, HOLODONUT and MKDOOR, which extend its attack capabilities. PeckBirdy's design enables flexible deployment and execution across different environments, including browsers, MSHTA, WScript, Classic ASP, Node JS, and .NET.
Created at: 2026-01-26T20:30:56.423000
Updated at: 2026-01-27T07:28:25.568000
Chrome Extensions: Are you getting more than you bargained for?
Description: This analysis reveals the hidden dangers of certain Chrome extensions available on the Google Chrome Web Store. Despite the store's vetting process, some malicious extensions have slipped through, compromising user security. The study examines four examples of extensions with combined user bases exceeding 100,000, showcasing various security risks. These include undisclosed clipboard access to remote domains, data exfiltration, remote code execution capabilities, search hijacking, and cross-site scripting vulnerabilities. The extensions employ tactics such as command-and-control infrastructure with domain generation algorithms, user tracking, and brand impersonation. The research emphasizes the importance of caution when installing browser extensions, even from trusted sources, and recommends immediate uninstallation of the identified malicious extensions.
Created at: 2026-01-26T15:40:31.078000
Updated at: 2026-01-26T18:03:19.079000
Malware MoonPeak Executed via LNK Files
Description: In January 2026, IIJ observed malicious LNK files targeting Korean users to execute the MoonPeak malware, attributed to North Korean threat actors. The infection chain begins with a LNK file that runs an obfuscated PowerShell script, which checks for analysis environments, creates additional scripts, and sets up persistence. The second stage downloads and executes a payload from GitHub, which is actually the MoonPeak malware. MoonPeak is obfuscated using ConfuserEx and communicates with a C2 server. The campaign utilizes GitHub for hosting malware, a technique known as Living Off Trusted Sites (LOTS). This attack demonstrates the ongoing threat posed by North Korean actors targeting various countries and individuals worldwide.
Created at: 2026-01-26T14:28:48.027000
Updated at: 2026-01-26T17:36:15.302000
