LATEST THREAT INTELLIGENCE.

Infrastructure of Interest: Medium Confidence Detection

Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.

Created at: 2025-08-07T07:39:42.586000

Updated at: 2025-08-27T13:39:14.379000

Infrastructure of Interest: Medium Confidence FastFlux

Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous DNS patterns, behavioral analysis of rapid IP rotation, and cross-referenced intelligence from global sinkhole data and network telemetry. The IOCs included in this pulse are associated with Fastflux networks, characterized by constantly changing IP addresses and DNS records to evade detection while maintaining resilient malicious infrastructure for phishing, malware delivery, or C2 operations. Use this data to enhance DNS-based detection rules, identify flux parent domains, and disrupt threat actor network resilience. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.

Created at: 2025-08-07T07:34:03.778000

Updated at: 2025-08-27T13:39:11.713000

Infrastructure of Interest: Medium Confidence InfoStealer

Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with infostealer malware, designed to harvest sensitive data such as credentials, cookies, and financial information from compromised systems. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations involving data theft. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.

Created at: 2025-08-07T07:31:55.617000

Updated at: 2025-08-27T13:39:11.109000

Infrastructure of Interest: High Confidence Detection

Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations.

Created at: 2025-08-07T07:07:55.879000

Updated at: 2025-08-27T13:39:10.470000

Infrastructure of Interest: High Confidence FastFlux

Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous DNS patterns, behavioral analysis of rapid IP rotation, and cross-referenced intelligence from global sinkhole data and network telemetry. The IOCs included in this pulse are associated with Fastflux networks, characterized by constantly changing IP addresses and DNS records to evade detection while maintaining resilient malicious infrastructure for phishing, malware delivery, or C2 operations. Use this data to enhance DNS-based detection rules, identify flux parent domains, and disrupt threat actor network resilience.

Created at: 2025-08-07T07:03:35.215000

Updated at: 2025-08-27T13:39:08.349000

TAG-144's Persistent Grip on South American Organizations

Description: Insikt Group has identified five distinct activity clusters linked to TAG-144 (Blind Eagle), targeting primarily Colombian government entities across local, municipal, and federal levels throughout 2024 and 2025. The clusters share similar tactics, techniques, and procedures (TTPs) such as using open-source and cracked remote access trojans (RATs), dynamic domain providers, and legitimate internet services (LIS) for staging. However, they differ in infrastructure, malware deployment, and operational methods. The group maintains an extensive operational infrastructure, employs various RATs, and uses multi-stage infection chains. TAG-144's primary focus appears to be credential theft and espionage, with evidence linking it to Red Akodon and compromised Colombian government email accounts used in spearphishing campaigns.

Created at: 2025-08-26T15:21:26.382000

Updated at: 2025-08-26T19:13:21.778000

Boxing Clever: Uncovering a $1M Task Scam Cluster Exploiting Major Brands

Description: A sophisticated task scam cluster has been discovered, exploiting major brands like Delta Airlines, AMC Theatres, and Universal Studios. The scam uses API-driven templates and cryptocurrency payments, with over $1 million in attributable transactions. Victims are lured into 'earning' money by completing tasks such as booking flights. The scam requires initial cryptocurrency deposits to become a 'VIP' member. The infrastructure utilizes domains registered through Dominet, Alibaba Cloud's registrar, with a distinct registrant pattern. Multiple wallet addresses across different cryptocurrencies have been identified. The scam's configuration files reveal its adaptability across various brands and industries.

Created at: 2025-08-26T16:14:17.714000

Updated at: 2025-08-26T18:46:10.164000

Major August 2025 Cyber Attacks: 7-Stage Tycoon2FA Phishing, New ClickFix Campaign, and Salty2FA

Description: In August 2025, significant cyber attacks emerged, including a 7-stage Tycoon2FA phishing campaign targeting government, military, and financial institutions across the US, UK, Canada, and Europe. The attack uses multiple verification steps to evade security systems. A new ClickFix campaign delivered the Rhadamanthys Stealer using PNG steganography, indicating increased sophistication in payload delivery. Salty2FA, a new Phishing-as-a-Service framework attributed to Storm-1575, was discovered targeting Microsoft 365 accounts globally, capable of bypassing various 2FA methods. These attacks demonstrate the evolution of phishing kits and stealers, emphasizing the need for behavioral analysis and real-time threat intelligence in cybersecurity defenses.

Created at: 2025-08-26T16:14:13.454000

Updated at: 2025-08-26T18:43:59.032000

Infrastructure of Interest: Medium Confidence Command And Control

Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with command and control (C2) infrastructure, facilitating malware communication, data exfiltration, and persistent threat actor operations. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.

Created at: 2025-08-07T07:29:37.542000

Updated at: 2025-08-26T13:22:25.984000

Infrastructure of Interest: High Confidence InfoStealer

Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with infostealer malware, designed to harvest sensitive data such as credentials, cookies, and financial information from compromised systems. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations involving data theft.

Created at: 2025-08-07T07:01:02.857000

Updated at: 2025-08-26T13:22:14.255000