LATEST THREAT INTELLIGENCE.

Notepad++ supply chain attack breakdown

Description: The article details a sophisticated supply chain attack on Notepad++ that occurred from July to October 2025. Attackers compromised the update infrastructure, deploying various malicious payloads through three distinct infection chains. The attack targeted individuals and organizations in Vietnam, El Salvador, Australia, and the Philippines. The infection methods evolved over time, using NSIS installers, Metasploit downloaders, and Cobalt Strike Beacons. The attackers employed clever techniques to evade detection, including the abuse of legitimate software and the use of multiple C2 servers. The article provides a comprehensive timeline of the attack, describes the different execution chains, and offers guidance on detecting traces of the attack.

Created at: 2026-02-03T12:08:18.497000

Updated at: 2026-02-03T16:06:19.861000

Infrastructure of Interest: Medium Confidence Detection

Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.

Created at: 2025-08-07T07:39:42.586000

Updated at: 2026-02-03T13:57:24.028000

Infrastructure of Interest: Medium Confidence InfoStealer

Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with infostealer malware, designed to harvest sensitive data such as credentials, cookies, and financial information from compromised systems. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations involving data theft. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.

Created at: 2025-08-07T07:31:55.617000

Updated at: 2026-02-03T13:56:09.017000

Infrastructure of Interest: Medium Confidence Command And Control

Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with command and control (C2) infrastructure, facilitating malware communication, data exfiltration, and persistent threat actor operations. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.

Created at: 2025-08-07T07:29:37.542000

Updated at: 2026-02-03T13:56:05.419000

Infrastructure of Interest: Medium Confidence Phishing

Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with phishing campaigns, targeting credential theft and fraudulent resource access. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.

Created at: 2025-08-07T07:20:01.253000

Updated at: 2026-02-03T13:56:03.737000

Infostealers without borders: macOS, Python stealers, and platform abuse

Description: Infostealer threats are expanding beyond Windows, targeting macOS and leveraging cross-platform languages like Python. Recent campaigns use social engineering to deploy macOS-specific infostealers such as DigitStealer, MacSync, and AMOS. These stealers use fileless execution and native macOS utilities to harvest credentials and sensitive data. Python-based stealers are also on the rise, allowing attackers to quickly adapt and target diverse environments. Additionally, threat actors are abusing trusted platforms like WhatsApp and PDF converter tools to distribute malware such as Eternidade Stealer. These evolving threats blend into legitimate ecosystems and evade conventional defenses, posing significant risks to organizations across various operating systems and delivery channels.

Created at: 2026-02-02T22:44:53.887000

Updated at: 2026-02-03T10:42:29.276000

Leveraging of CVE-2026-21509 in Operation Neusploit

Description: A new campaign dubbed Operation Neusploit, attributed to the Russia-linked APT28 group, targets Central and Eastern European countries using specially crafted Microsoft RTF files to exploit CVE-2026-21509. The attack chain involves multi-stage infection, delivering malicious backdoors including MiniDoor, PixyNetLoader, and a Covenant Grunt implant. The campaign employs social engineering lures in multiple languages, server-side evasion techniques, and abuses the Filen API for command-and-control communications. The malware components utilize various persistence mechanisms, steganography, and anti-analysis techniques. The operation showcases APT28's evolving tactics, techniques, and procedures in weaponizing the latest vulnerabilities.

Created at: 2026-02-02T22:44:54.419000

Updated at: 2026-02-03T09:30:48.951000

The Chrysalis Backdoor: A Deep Dive into Lotus Blossom's toolkit

Description: Rapid7 Labs has uncovered a sophisticated campaign attributed to the Chinese APT group Lotus Blossom, involving a new custom backdoor named Chrysalis. The attack compromised Notepad++ infrastructure to deliver the backdoor. Analysis revealed multiple custom loaders, including one using Microsoft Warbird for obfuscation. The Chrysalis backdoor has extensive capabilities for information gathering, file operations, and remote command execution. Additional artifacts found include Cobalt Strike beacons and Metasploit payloads. The campaign shows Lotus Blossom evolving its tactics, mixing custom and off-the-shelf tools with advanced obfuscation techniques to evade detection.

Created at: 2026-02-03T08:21:04.364000

Updated at: 2026-02-03T08:27:09.227000

Supply chain attack: what you should know

Description: A supply chain attack targeted the eScan antivirus software, distributing malware through the update server. The attack, detected on January 20, involved a malicious Reload.exe file that initiated a multi-stage infection chain. This malware prevented further antivirus updates, ensured persistence through scheduled tasks, and communicated with control servers to download additional payloads. Attackers gained unauthorized access to a regional update server, deploying a malicious file with a fake digital signature. eScan developers quickly isolated the affected infrastructure and reset access credentials. Users are advised to check for infection signs, use a provided removal utility, and block known malware control server addresses. Kaspersky's security solutions successfully detect the malware used in this attack.

Created at: 2026-01-29T17:20:35.658000

Updated at: 2026-02-02T20:56:33.346000

Fake Dropbox Phishing Campaign via PDF and Cloud Storage

Description: A sophisticated phishing campaign has been detected that utilizes a multi-stage approach to evade detection. The attack begins with a procurement-themed email containing a PDF attachment. This PDF redirects victims to another PDF hosted on trusted cloud storage, which then leads to a fake Dropbox login page. The attackers exploit trusted platforms and seemingly harmless file formats to bypass security measures. The campaign uses social engineering tactics to harvest credentials, which are then exfiltrated to attacker-controlled infrastructure via Telegram. This method proves effective by leveraging legitimate business processes, trusted file types, and reputable cloud services to appear authentic and bypass automated security checks.

Created at: 2026-02-02T18:31:08.887000

Updated at: 2026-02-02T20:00:29.663000