LATEST THREAT INTELLIGENCE.

Arkanix Stealer: Newly discovered short-term profit malware

Description: A new information stealer named Arkanix has emerged, likely designed for short-term financial gains. Advertised on Discord, it has rapidly evolved from a Python-based version to a C++ one. The malware steals data from various browsers, crypto wallets, VPN accounts, and system information. It employs sophisticated techniques like VMProtect for obfuscation and 'Chrome Elevator' to bypass App Bound Encryption. Arkanix is distributed through Discord and online forums, disguised as legitimate tools. The threat actors offer a web panel with premium features, including VPN and Steam account theft. This case highlights the ease of starting cybercrime businesses for quick profits, with actors demonstrating considerable experience in malware development and distribution.

Created at: 2025-12-01T19:55:01.421000

Updated at: 2025-12-01T21:02:01.373000

Cloud Abuse at Scale

Description: A large-scale attack infrastructure dubbed TruffleNet has been identified, built around the open-source tool TruffleHog. This infrastructure is used to systematically test compromised credentials and perform reconnaissance across AWS environments. The campaign involves over 800 unique hosts across 57 distinct Class C networks, characterized by consistent configurations and the use of Portainer. Alongside TruffleNet, adversaries are exploiting Amazon Simple Email Service (SES) to facilitate Business Email Compromise (BEC) campaigns. The attackers create email identities using compromised WordPress sites and conduct aggressive cloud reconnaissance. This activity highlights the evolving tactics of threat actors in exploiting cloud infrastructure at scale, combining credential theft, reconnaissance automation, and SES abuse to conduct high-volume fraud with minimal detection.

Created at: 2025-11-01T10:24:25.998000

Updated at: 2025-12-01T10:03:42.437000

Operation SkyCloak: Tor Campaign targets Military of Russia & Belarus

Description: A sophisticated campaign targeting Russian and Belarusian military personnel has been identified, using multi-stage infection chains and decoy documents. The attackers deploy OpenSSH and Tor bridges to establish covert remote access and lateral movement capabilities. The infection process involves PowerShell scripts, scheduled tasks for persistence, and the use of Tor hidden services to expose multiple local services. The campaign employs anti-analysis techniques and leverages obfuscated configurations for SSH and Tor. While attribution remains uncertain, the targeting and tactics are consistent with Eastern European-linked espionage activities focusing on defense and government sectors.

Created at: 2025-10-31T21:01:40.563000

Updated at: 2025-11-30T21:02:51.788000

New wave of cyberattacks by APT group Cloud Atlas on Russia's government sector

Description: The APT group Cloud Atlas has launched a new wave of cyberattacks targeting Russia's defense industry. They are using stolen document templates from previously infected organizations to create malicious Microsoft Office files. The group cleans metadata from these documents to avoid revealing compromised entities. They move between targeted companies using compromised email accounts (BEC attacks). The attacks focus on defense industry enterprises, with malicious documents disguised as invitations, anti-corruption checks, mobilization documents, employee records, and financial statements. Cloud Atlas uses Google Sheets API for data exfiltration and employs the PowerShower backdoor. The group's infrastructure has migrated to new servers and domains, indicating ongoing campaign development.

Created at: 2025-10-31T09:34:13.361000

Updated at: 2025-11-30T09:00:43.054000

New Loader Executing TorNet and PureHVNC

Description: A new malware loader discovered in May 2025 executes two malware families: TorNet and PureHVNC. The loader uses API hashing with MurmurHash2 and implements persistence through registry modifications. It decrypts and decompresses payloads using AES-128-ECB and LZMA, then injects them into a suspended jsc.exe process. TorNet, a downloader malware, communicates via the Tor network, while PureHVNC is a commercial RAT allowing remote access. Both malware families use Protocol Buffers for configuration deserialization. The loader's unique characteristics include its dual payload execution and API hashing implementation, indicating potential future attack techniques.

Created at: 2025-10-31T09:31:55.421000

Updated at: 2025-11-30T09:00:43.054000

BRONZE BUTLER exploits Japanese asset management software vulnerability

Description: In mid-2025, a sophisticated campaign by the Chinese state-sponsored threat group BRONZE BUTLER (also known as Tick) exploited a zero-day vulnerability in Motex LANSCOPE Endpoint Manager. The vulnerability, CVE-2025-61932, allowed remote attackers to execute arbitrary commands with SYSTEM privileges. The threat actors used Gokcpdoor malware and the Havoc C2 framework for command and control. They also employed legitimate tools and services for lateral movement and data exfiltration, including goddi, remote desktop applications, and 7-Zip. Cloud storage services were accessed for potential data exfiltration. Organizations are advised to upgrade vulnerable LANSCOPE servers and review internet-facing servers with LANSCOPE components installed.

Created at: 2025-10-31T02:16:03.378000

Updated at: 2025-11-30T02:04:45.506000

Operation Hanoi Thief: Vietnam APT

Description: A spear-phishing campaign dubbed 'Operation Hanoi Thief' is targeting Vietnamese IT professionals and recruitment teams. The attack uses a malicious ZIP file containing a fake resume and an LNK file. The LNK file executes a pseudo-polyglot payload, which deploys a C++ DLL implant called LOTUSHARVEST through DLL sideloading. This implant functions as an information stealer, harvesting browser credentials and history before exfiltrating data to attacker-controlled servers. The campaign employs anti-analysis techniques and abuses trusted Windows tools. While similarities with previous Chinese-origin campaigns exist, definitive state sponsorship attribution remains inconclusive. The operation primarily affects the Information Technology and Recruitment sectors in Vietnam.

Created at: 2025-11-28T14:06:46.909000

Updated at: 2025-11-28T18:47:37.849000

Infrastructure of Interest: Medium Confidence Detection

Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.

Created at: 2025-08-07T07:39:42.586000

Updated at: 2025-11-28T11:54:30.668000

Analysis of Trigona Threat Actor's Latest Attack Cases

Description: The Trigona threat actor continues to target MS-SQL servers through brute-force and dictionary attacks, exploiting weak credentials. They use CLR Shell for additional payloads and employ various tools like BCP, Curl, Bitsadmin, and PowerShell to install malware. The attackers utilize remote control tools such as AnyDesk, RDP, and possibly Teramind. New scanner malware written in Rust targets RDP and MS-SQL services. The threat actor also uses tools like SpeedTest and a custom StressTester. Various privilege escalation and file manipulation tools are employed. To protect against these attacks, administrators should use complex passwords, regularly update security software, and implement firewalls to control access to database servers.

Created at: 2025-10-29T10:50:37.908000

Updated at: 2025-11-28T10:00:55.313000

Unauthenticated Remote Access via Triofox Vulnerability CVE-2025-12480

Description: A critical vulnerability in Gladinet's Triofox file-sharing platform, CVE-2025-12480, allowed unauthenticated access to configuration pages, enabling arbitrary payload execution. Threat actor UNC6485 exploited this flaw as early as August 24, 2025, bypassing authentication and chaining it with anti-virus feature abuse for code execution. The vulnerability affected Triofox version 16.4.10317.56372 and was patched in version 16.7.10368.56560. Attackers created admin accounts, deployed remote access tools, conducted reconnaissance, and attempted privilege escalation. They used Zoho UEMS, Zoho Assist, and AnyDesk for remote access, and set up encrypted tunnels for C2 communication. The exploit chain involved HTTP host header manipulation and abuse of the built-in anti-virus feature to execute malicious scripts.

Created at: 2025-11-10T21:58:59.342000

Updated at: 2025-11-28T09:23:54.348000