LATEST THREAT INTELLIGENCE.
Agentic AI Uncovers New China-Linked Cluster OP-512
Description: A newly identified China-linked espionage cluster designated OP-512 has been discovered targeting Internet Information Services (IIS) servers through advanced AI-driven detection. The operation involves deploying a sophisticated custom web shell framework consisting of three components: a file manager with a command-and-control notification channel and two cryptographically authenticated command handlers. Each deployment is cryptographically unique, utilizing RSA and RC4 encryption alongside timestomping techniques to evade signature-based detection. The attacker maintained persistence for 75 days before rapid deployment of multiple access paths, privilege escalation tools including BadPotato, SweetPotato, and EfsPotato, and establishment of dual notification channels through DNS and HTTP. The framework employs hex-encoded subdomain queries for self-reporting and automated builder-generated code with randomized variables. This represents the fourth China-linked cluster documented targeting legacy IIS infrast...
Created at: 2026-06-05T18:07:51.399000
Updated at: 2026-07-05T18:09:51.153000
Seeking Counsel: Ongoing Targeted Campaign Against US Law Firms
Description: From January through May 2026, a financially motivated data theft extortion campaign executed by threat cluster UNC3753 targeted dozens of organizations across professional, legal, and financial services in the United States. The threat actors leverage voice phishing and social engineering techniques, posing as IT support to convince targets to host screen-sharing sessions and download remote monitoring and management utilities. Once inside environments, they conduct searches to locate and exfiltrate highly sensitive data including proprietary legal agreements, personally identifiable information, and financial records for subsequent extortion demands. The entire attack sequence often occurs within a single business day, with recent incidents showing data theft initiated in under an hour. Notably, threat actors have also accessed victims' systems in person, with individuals posing as IT technicians entering corporate offices to attempt direct exfiltration using USB storage media.
Created at: 2026-06-05T18:07:50.868000
Updated at: 2026-07-05T18:09:51.153000
Latest goon squad to use fake helpdesk calls to steal creds
Description: A new extortion group called Pink, tracked as cluster CL-CRI-1147, employs voice phishing and fake IT helpdesk impersonation to compromise organizations. The gang steals employee credentials, bypasses multi-factor authentication, and exfiltrates data from cloud storage platforms like SharePoint and OneDrive. Pink threatens to leak stolen information unless ransom demands are met, setting 72-hour deadlines. The group's data-leak site launched on May 31, 2026. This approach mirrors tactics popularized by Lapsus$, Scattered Spider, and ShinyHunters. Incident responders link Pink to The Com, a loosely connected network of English-speaking hackers and extortionists. Attackers use compromised victim accounts and internal Teams messages for extortion communications, reusing domains across multiple targets.
Created at: 2026-06-04T22:52:18.927000
Updated at: 2026-07-04T22:08:20.855000
ClickFix Deno Abuse to CastleRAT
Description: Activity began with a ClickFix-style social engineering chain that led to MSI execution, PowerShell staging, and installation/use of Deno to run attacker-controlled JavaScript. Follow-on activity downloaded a portable Python runtime, `install.pyc`, and an encrypted `.MOa` container, which was later decrypted to recover a 64-bit Windows PE payload. Analysis of the recovered payload showed Steam Community being used as a dead-drop resolver for C2, with the profile title resolving to `smokeenew[.]com`, while `ip-api.com` was used for victim network/geolocation profiling. The payload also contained logic for browser/wallet data collection, clipboard/keylogging-related capabilities, Defender exclusions, UAC bypass/relaunch behavior through `ComputerDefaults.exe`, and a C2-tasked mechanism to receive and install an additional `Krutyak.zip` / `usbmmidd_v2` component. Recommendations: Block artifacts where applicable.
Created at: 2026-06-04T16:40:29.410000
Updated at: 2026-07-04T16:29:07.840000
Argamal: Malware hidden in hentai games
Description: In April 2026, researchers discovered a malware campaign targeting players of adult-themed games. The infected games install a previously unknown implant called Argamal that downloads and executes a RAT after several days, resulting in full system compromise. The malware uses COM hijacking to persist, replacing the InprocServer32 entry for the Windows Color System Calibration Loader DLL. Delivery occurs through trojanized games distributed via dedicated websites and torrent trackers, containing modified FFmpeg DLLs that load malicious components. The RAT provides broad functionality including system control, surveillance, file operations, and reconnaissance capabilities. Hundreds of victims have been identified, primarily in Russia, Brazil, Germany, and Vietnam. Attribution suggests a Spanish-speaking developer, with infrastructure pointing to ASN 11664 and multiple C2 domains.
Created at: 2026-06-04T09:19:52.892000
Updated at: 2026-07-04T09:14:35.727000
Inside the Cross-Platform Propagation of a New Gafgyt Variant C0XMO
Description: A new Gafgyt botnet variant named C0XMO has been discovered that spreads by exploiting a stack buffer overflow vulnerability in DD-WRT router firmware. Unlike earlier versions, this malware separates its lateral movement capabilities into a standalone Python script, enabling more efficient targeting of various system architectures including ARM, MIPS, PowerPC, and x86. The malware establishes persistence through cron jobs and shell profile modifications, eliminates competing botnets, and supports 19 different DDoS attack methods. Its scanner component performs weak-credential brute-force attacks on Telnet and SSH services while also exploiting multiple HTTP-based vulnerabilities and Android Debug Bridge unauthorized access. The malware connects to command-and-control infrastructure and demonstrates significantly more sophisticated architecture compared to traditional IoT botnets.
Created at: 2026-06-03T22:14:23.758000
Updated at: 2026-07-04T09:14:35.727000
Error 524 Decoy: Unmasking a Global Smishing Operation Hiding Behind Error Pages
Description: A sophisticated smishing and phishing operation active since the second half of 2025 has impersonated over 267 brands across 72 countries, with particular concentration in Latin America. The campaign generated 4,389 phishing domain instances, with Mexico accounting for 1,851 cases. Telecommunications is the most targeted sector with 1,754 instances, followed by financial services and consumer rewards programs. The operation employs fake Cloudflare error pages as decoys, revealing malicious content only to victims matching specific geofencing and mobile device criteria. Data exfiltration occurs through encrypted WebSocket channels using binary encoded payloads. Approximately 30% of infrastructure is hosted on Tencent Cloud and Alibaba US servers, fronted by Cloudflare to mask hosting IPs. The attack chain progresses from SMS lures through progressive credential harvesting, ultimately capturing complete credit card details including CVV codes.
Created at: 2026-06-03T13:18:23.487000
Updated at: 2026-07-04T08:23:20.239000
Matryoshka #3/3: Gamaredon's Gammasteel Infostealer
Description: This analysis examines Gamaredon's (UAC-0010, Armageddon) advanced espionage operations targeting Ukrainian government, military, and critical infrastructure. The FSB-operated group deploys GammaSteel, a sophisticated stealer operating almost entirely from memory using Windows DPAPI encryption and storing 71 distinct payload functions in the HKCU\Printers registry key. The malware employs three concurrent data acquisition mechanisms: timed drive scans, USB monitoring for air-gapped systems, and real-time file surveillance. Exfiltration occurs via legitimate S3-compatible cloud storage (Tebi.io) with fallback to operator-controlled servers. The infection chain extensively uses VBScript for evasion, Dead Drop Resolvers on platforms like Telegram and Mastodon for C2 configuration, and includes bidirectional backdoor capabilities enabling arbitrary remote code execution. Infrastructure demonstrates high automation, with servers rotated approximately every 24 hours.
Created at: 2026-06-04T13:57:26.399000
Updated at: 2026-07-04T00:09:08.863000
The Demon Arrives Later: A Havoc Stager Hides Behind Microsoft Defender DLP
Description: Cybercriminals in Brazil are exploiting the country's electronic invoice system (Nota Fiscal eletrônica) to deliver Havoc framework implants. The campaign surfaced during May 2026, coinciding with tax season when accountants routinely process invoice-related emails. Attackers distribute malicious ZIP files disguised as legitimate invoices, containing VBScript droppers that download MSI installers from Google Cloud Storage. These installers deploy a fake Microsoft Defender DLP module (endpointdlp.dll) alongside a legitimate signed executable. The stager DLL downloads Havoc demon shellcode from command-and-control infrastructure at runtime, never writing the final payload to disk. Analysis reveals nine stager variants originating from a single builder, distributed through multiple channels including Brazilian NF-e-themed lures and Malaysia-registered domains. The implant establishes persistence through the rarely-monitored UserInitMprLogonScript registry key and employs advanced anti-forensic techniques incl...
Created at: 2026-06-03T22:14:23.239000
Updated at: 2026-07-03T22:02:00.094000
PCPJack Hijacked 230 AWS, GCP, and Azure Servers to Run a Hidden SMTP Relay Network
Description: PCPJack operators compromised 230 cloud Linux servers across AWS, GCP, and Azure to build a covert SMTP relay network for email-based attacks. Researchers discovered exposed directories on infrastructure at 213.136.80[.]73 containing complete deployment toolkits including Chisel binaries, Python deployers, and operational state files. The campaign deployed Sliver C2 beacons and established reverse SOCKS5 tunnels on compromised hosts, testing each for SMTP relay capability. Three deployment versions showed operational evolution from 50 to 230 nodes, with verified proxies synchronized every five minutes to a downstream aggregation server. The operation targeted cloud-hosted web applications, exploiting them to gain initial access, then establishing persistence through systemd services and cron jobs disguised as system utilities. Victims included small to medium businesses across multiple regions running containerized and traditional workloads.
Created at: 2026-06-03T17:43:39.892000
Updated at: 2026-07-03T18:14:59.848000
