LATEST THREAT INTELLIGENCE.

Bootstrap script exposes PyPI to domain takeover attacks

Description: A vulnerability in legacy Python packages could enable an attack on PyPI through a domain compromise. The issue stems from bootstrap files for a build tool that installs the 'distribute' package; these files fetch and execute an installation script from a domain that has since lapsed and become available for registration. Affected packages include tornado, pypiserver, and others. The vulnerability arises from the complex history of Python packaging tools and the use of hardcoded domains in bootstrap scripts. While the 'distribute' package is largely obsolete, many packages still include bootstrap scripts that attempt to install it, potentially executing malicious code served from the abandoned domain. This highlights the risks of relying on hardcoded domains and the importance of properly decommissioning outdated modules in open-source communities.

Created at: 2025-12-03T20:19:06.084000

Updated at: 2025-12-04T14:38:36.275000

Infrastructure of Interest: Medium Confidence Detection

Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.

Created at: 2025-08-07T07:39:42.586000

Updated at: 2025-12-04T14:13:49.203000

Infrastructure of Interest: Medium Confidence Phishing

Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with phishing campaigns, targeting credential theft and fraudulent resource access. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.

Created at: 2025-08-07T07:20:01.253000

Updated at: 2025-12-04T14:13:43.552000

Albiriox Exposed: A New RAT Mobile Malware Targeting Global Finance and Crypto Wallets

Description: Albiriox is a newly identified Android malware offered as Malware-as-a-Service, likely managed by Russian-speaking threat actors. It employs a two-stage deployment chain using dropper applications and packing techniques to evade detection. The malware exhibits advanced On-Device Fraud capabilities, enabling remote control, screen manipulation, and real-time interaction with infected devices. Albiriox targets over 400 global financial and cryptocurrency applications, combining VNC-based remote access and overlay attack mechanisms. The malware's sophisticated features include device takeover, real-time interaction, and unauthorized operations while remaining undetected. Its MaaS model and ongoing development suggest potential for rapid adoption among threat actors seeking efficient mobile fraud tools.

Created at: 2025-12-03T20:19:09.663000

Updated at: 2025-12-04T11:17:30.257000

4.3 Million Browsers Infected: Inside ShadyPanda's 7-Year Malware Campaign

Description: A threat actor named ShadyPanda has been identified as responsible for a seven-year browser extension campaign that has infected 4.3 million Chrome and Edge users. The campaign includes two active operations: a 300,000-user RCE backdoor and a 4-million-user spyware operation. ShadyPanda's extensions were featured and verified by Google, granting instant trust and massive distribution. The actor's strategy evolved from simple affiliate fraud to sophisticated browser control and long-term trust building. The malware collects extensive user data, including browsing history, search queries, and mouse clicks, transmitting it to servers in China. The success of this campaign highlights vulnerabilities in browser marketplace security models and the potential for widespread exploitation through trusted update mechanisms.

Created at: 2025-12-03T20:19:10.190000

Updated at: 2025-12-04T11:14:51.532000

Global Corporate Web

Description: This analysis explores the corporate structure and operations of Intellexa, a mercenary spyware vendor. It reveals new companies likely tied to Intellexa's network, particularly within a Czech cluster, and examines their roles in product shipment and potential infection vectors. The report traces Intellexa's activities across multiple countries, including new evidence of Predator spyware deployment in Iraq. It highlights the challenges in tracking such operations due to complex corporate structures and evolving techniques. The analysis also discusses broader trends in the spyware ecosystem, including geopolitical fragmentation, persistent facilitators, and expanding targeting beyond traditional victims to include corporate leaders.

Created at: 2025-12-04T08:11:30.961000

Updated at: 2025-12-04T11:10:42.732000

Prolific Zero-Day Exploits Continue

Description: Despite sanctions, Intellexa continues to operate, developing and selling spyware to various clients. The company has been linked to 15 unique zero-day vulnerabilities since 2021, targeting mobile browsers and operating systems. Their exploit chain, known as 'smack', uses a framework called JSKit for iOS exploitation. Intellexa has also been observed using malicious advertisements to deliver exploits. The company's activities have affected several hundred accounts across multiple countries. Google has taken steps to warn targeted users and add malicious domains to Safe Browsing. The international community is working towards developing norms to limit the misuse of surveillance technologies.

Created at: 2025-12-04T10:32:24.900000

Updated at: 2025-12-04T11:04:29.106000

Malicious VSCode Extension Launches Multi-Stage Attack Chain with Anivia Loader and OctoRAT

Description: A malicious Visual Studio Code extension named 'prettier-vscode-plus' was discovered on the official VSCode Marketplace, impersonating the legitimate Prettier formatter. This extension served as the entry point for a multi-stage malware chain, starting with the Anivia loader, which decrypted and executed further payloads in memory. The final stage, OctoRAT, is a comprehensive remote access toolkit providing over 70 commands for surveillance, file theft, remote desktop control, persistence, privilege escalation, and harassment. The attack chain employs sophisticated techniques like AES encryption, process hollowing, and UAC bypass. The threat actor's GitHub repository showed active payload rotation to evade detection. This supply-chain attack highlights the evolving threats targeting developers and the abuse of trusted tools in their ecosystem.

Created at: 2025-12-04T10:32:22.599000

Updated at: 2025-12-04T11:02:22.529000

Snakes by the riverbank

Description: ESET researchers have identified new MuddyWater activity targeting organizations in Israel and Egypt. The Iran-aligned cyberespionage group deployed custom tools to improve defense evasion and persistence, including a Fooder loader to execute the MuddyViper backdoor. The campaign demonstrates a more focused and refined approach, with the group adopting advanced techniques like CNG cryptography and reflective loading. MuddyWater's toolset includes browser data stealers, credential stealers, and reverse tunneling tools. The group primarily targeted critical infrastructure sectors through spearphishing emails containing links to remote monitoring and management software. This campaign indicates an evolution in MuddyWater's operational maturity, showcasing enhanced stealth and credential harvesting capabilities.

Created at: 2025-12-02T14:44:59.788000

Updated at: 2025-12-03T18:07:43.276000

DNS Uncovers Infrastructure Used in SSO Attacks

Description: The threat actor leveraged Evilginx (likely version 3.0), an open source, advanced phishing adversary-in-the-middle (AITM, aka MITM) framework designed to steal login credentials and session cookies. Evilginx is widely used by cybercriminals to undermine multi-factor authentication (MFA) security, and this actor has used it to target at least 18 universities and educational institutions across the United States since April 2025. The campaigns were delivered through email and the phishing domains used subdomains that mimicked the legitimate SSO sites.

Created at: 2025-12-03T17:58:34.643000

Updated at: 2025-12-03T18:04:21.215000