LATEST THREAT INTELLIGENCE.
Infrastructure of Interest: Medium Confidence Detection
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:39:42.586000
Updated at: 2026-01-30T18:05:17.747000
When Malware Talks Back
Description: A sophisticated multi-stage malware campaign employs living-off-the-land techniques and in-memory payload delivery to evade security controls. The infection chain begins with a hidden batch file that executes an embedded PowerShell loader, which then injects Donut-generated shellcode into legitimate Windows processes. The final payload is a heavily obfuscated .NET framework implementing advanced anti-analysis techniques, credential harvesting, surveillance capabilities, and remote system control. Data exfiltration occurs via Discord webhooks and Telegram bots. The malware, identified as Pulsar RAT, features live chat functionality and background payload deployment, demonstrating a modern, high-evasion Windows malware operation designed for long-term access and large-scale data theft.
Created at: 2026-01-30T09:36:38.626000
Updated at: 2026-01-30T17:38:16.472000
LABYRINTH CHOLLIMA Evolves into Three Adversaries
Description: The LABYRINTH CHOLLIMA threat group has split into three distinct adversaries: GOLDEN CHOLLIMA, PRESSURE CHOLLIMA, and core LABYRINTH CHOLLIMA. Each subgroup has specialized malware, objectives, and tradecraft. GOLDEN CHOLLIMA and PRESSURE CHOLLIMA focus on cryptocurrency entities, while core LABYRINTH CHOLLIMA continues espionage operations targeting industrial, logistics, and defense companies. Despite operating independently, these groups share tools and infrastructure, indicating coordinated resource allocation within North Korea's cyber ecosystem. The evolution stems from the KorDLL malware framework, which spawned several malware families. Recent operations demonstrate cloud-focused tradecraft and the use of zero-day vulnerabilities to deliver malware.
Created at: 2026-01-30T08:48:36.099000
Updated at: 2026-01-30T08:50:58.804000
Threat Intelligence Dossier: TOXICSNAKE
Description: A multi-domain traffic distribution system (TDS) operation was discovered, centered around the domain toxicsnake-wifes.com. The infrastructure serves as a commodity cybercrime TDS farm, routing victims to phishing, scams, or malware payloads. The operation uses a first-stage JavaScript loader, followed by a second-stage that attempts to fetch upstream payloads. The cluster shares common WHOIS, DNS, and hosting patterns, indicative of bulletproof VPS usage. Multiple burner domains with similar tradecraft were identified, suggesting an organized operator cluster. The infrastructure employs obfuscation, dynamic remote injection, and disposable registration techniques. While the main payload was unreachable during analysis, historical evidence suggests the delivery of malicious content.
Created at: 2026-01-30T08:44:03.925000
Updated at: 2026-01-30T08:49:35.810000
NFCShare Android Trojan: NFC card data theft via malicious APK
Description: A new Android trojan, named NFCShare, has been discovered targeting Deutsche Bank customers through a phishing campaign. The malware, disguised as a banking app update, prompts users to perform a fake card verification process. It exploits NFC technology to steal card data and PINs, which are then exfiltrated to a remote WebSocket endpoint. The trojan's distribution, user flow, and technical analysis are detailed, including its NFC reading capabilities and string obfuscation techniques. The malware shows links to Chinese-linked tooling and similarities to other NFC-based threats. IOCs include hashes, package details, and network indicators.
Created at: 2026-01-30T08:18:00.506000
Updated at: 2026-01-30T08:39:11.188000
Attack on *stan: Your malware, my C2
Description: A suspected state-affiliated threat actor has been targeting Kazakh and Afghan entities in a persistent campaign since at least August 2022. The attackers use a Windows-based RAT called KazakRAT, which allows for payload downloads, host data collection, and file exfiltration. The malware is delivered via .msi files and persists using the Run registry key. C2 communications are unencrypted over HTTP. The campaign also utilizes modified versions of XploitSpy Android spyware. Multiple KazakRAT variants have been observed with minor command-set changes. Victim targeting includes government and financial sector entities, particularly in Kazakhstan's Karaganda region. The operation shows low sophistication but high persistence, with similarities to APT36/Transparent Tribe activities.
Created at: 2026-01-30T08:19:02.693000
Updated at: 2026-01-30T08:37:54.463000
Meet IClickFix: a widespread framework using the ClickFix tactic
Description: IClickFix is a malicious framework that compromises WordPress sites to distribute malware using the ClickFix social engineering tactic. Active since December 2024, it has infected over 3,800 WordPress sites globally. The framework injects malicious JavaScript into compromised sites, leading users through a fake CAPTCHA challenge that tricks them into executing malicious code. This ultimately installs NetSupport RAT, granting attackers full control of infected systems. The campaign has evolved over time, adding traffic distribution systems and refining its lures. While initially distributing Emmenhtal Loader and XFiles Stealer, it now primarily delivers NetSupport RAT. The widespread nature of the attacks suggests opportunistic exploitation rather than targeted campaigns.
Created at: 2026-01-30T08:20:09.209000
Updated at: 2026-01-30T08:32:54.419000
Interlock Ransomware: New Techniques, Same Old Tricks
Description: The Interlock ransomware group continues to target organizations worldwide, particularly in the UK and US education sector. Unlike other ransomware groups, Interlock operates independently, developing and using their own malware. This article details a recent intrusion, highlighting the group's ability to adapt techniques and tooling. The attack involved multiple stages, including initial access via MintLoader, use of custom malware like NodeSnakeRAT and InterlockRAT, and deployment of a novel process-killing tool exploiting a zero-day vulnerability. The adversaries used various techniques for persistence, lateral movement, and data exfiltration before ultimately deploying ransomware. The intrusion demonstrates the importance of threat hunting and integrating threat intelligence to identify compromises before significant impact occurs.
Created at: 2026-01-30T08:23:45.232000
Updated at: 2026-01-30T08:29:49.190000
Dissecting UAT-8099: New persistence mechanisms and regional focus
Description: UAT-8099, a threat actor targeting vulnerable IIS servers across Asia, has launched a new campaign from late 2025 to early 2026. The group's tactics have evolved, focusing on Thailand and Vietnam, and employing web shells, PowerShell scripts, and the GotoHTTP tool for remote access. New variants of BadIIS malware now include region-specific features, with separate versions targeting Vietnam and Thailand. The actor has expanded their toolkit to include utilities for log removal, file protection, and anti-rootkit capabilities. They've also adapted their persistence methods, creating hidden user accounts and leveraging legitimate tools to evade detection. The campaign demonstrates significant operational overlaps with the WEBJACK campaign, including shared malware hashes, C2 infrastructure, and victimology.
Created at: 2026-01-29T17:20:34.042000
Updated at: 2026-01-30T08:07:16.223000
Supply chain attack: what you should know
Description: A supply chain attack targeted the eScan antivirus software, distributing malware through the update server. The attack, detected on January 20, involved a malicious Reload.exe file that initiated a multi-stage infection chain. This malware prevented further antivirus updates, ensured persistence through scheduled tasks, and communicated with control servers to download additional payloads. Attackers gained unauthorized access to a regional update server, deploying a malicious file with a fake digital signature. eScan developers quickly isolated the affected infrastructure and reset access credentials. Users are advised to check for infection signs, use a provided removal utility, and block known malware control server addresses. Kaspersky's security solutions successfully detect the malware used in this attack.
Created at: 2026-01-29T17:20:35.658000
Updated at: 2026-01-30T08:05:12.944000
