LATEST THREAT INTELLIGENCE.
Gamaredon X Turla collaboration
Description: ESET researchers uncovered collaboration between two notorious APT groups, Gamaredon and Turla, both associated with Russia's FSB. The groups were observed working together to compromise high-profile targets in Ukraine. Evidence shows Gamaredon tools being used to restart and deploy Turla's Kazuar backdoor on specific machines. This cooperation indicates a strategic alignment between different FSB units, with Gamaredon likely providing initial access for Turla's more sophisticated operations. The collaboration was detected through multiple attack chains involving various malware tools from both groups. This discovery highlights the evolving tactics of Russian cyber espionage efforts, particularly in the context of the ongoing conflict in Ukraine.
Created at: 2025-09-19T13:58:19.016000
Updated at: 2025-10-19T13:02:47.891000
CountLoader: New Malware Loader Being Served in 3 Different Versions
Description: A new malware loader named CountLoader has been identified, strongly associated with Russian ransomware gangs. It comes in three versions: .NET, PowerShell, and JScript. The threat is believed to be part of an Initial Access Broker's toolset or used by a ransomware affiliate linked to LockBit, BlackBasta, and Qilin groups. CountLoader was recently employed in a phishing campaign targeting Ukrainian citizens, impersonating the Ukrainian police. The loader attempts to connect to multiple C2 servers, downloads and executes various malware payloads, and uses advanced techniques to evade detection. It has been observed dropping CobaltStrike and AdaptixC2, among other malicious tools. The malware's functionality includes system information gathering, persistence mechanisms, and multiple download methods.
Created at: 2025-09-19T08:57:24.237000
Updated at: 2025-10-19T10:01:53.290000
CopyCop Deepens Its Playbook with New Websites and Targets
Description: CopyCop, a Russian covert influence network, has significantly expanded its operations since March 2025, creating over 300 new fictional media websites targeting various countries. The network, likely operated by John Mark Dougan with support from Russian entities, aims to undermine support for Ukraine and exacerbate political fragmentation in Western countries. CopyCop's tactics include using deepfakes, AI-generated content, and impersonating media outlets to spread pro-Russian narratives. The network has widened its target languages and geographical scope, now including Turkey, Ukraine, Swahili-speaking regions, Moldova, Canada, and Armenia. While its core objectives remain unchanged, CopyCop has made marginal improvements to increase its reach, resilience, and credibility, including the use of self-hosted large language models for content generation.
Created at: 2025-09-18T03:21:10.905000
Updated at: 2025-10-18T03:00:19.916000
Malicious PyPI Packages Deliver SilentSync RAT
Description: Two malicious Python packages, sisaws and secmeasure, were discovered in the Python Package Index (PyPI) repository. These packages, created by the same author, deliver a Remote Access Trojan (RAT) called SilentSync. The RAT is capable of remote command execution, file exfiltration, screen capturing, and web browser data theft. It targets Windows systems and communicates with a command-and-control server using HTTP. The packages employ typosquatting and imitate legitimate modules to deceive users. SilentSync achieves persistence through platform-specific techniques and supports various commands for data exfiltration and system control. This discovery highlights the growing risk of supply chain attacks within public software repositories.
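The typosquatting described above works because a requirements file is rarely checked against the names a project actually intends to depend on. The following is an added example, not Zscaler's code and not a reproduction of the sisaws/secmeasure packages: it flags names in a requirements file that are absent from a project allow-list and are either within one edit of a trusted name or equal to one once look-alike characters (0/o, 1/l, rn/m, vv/w) are folded. The allow-list and the requirements text are constructed for illustration.

```python
"""Flag likely typosquats in a requirements file against a project allow-list.

Added example for the PyPI typosquatting technique discussed above; it is not
Zscaler's code and does not reproduce the sisaws/secmeasure packages. The
allow-list and requirements text are constructed for illustration.
"""
import re

# Character swaps commonly used to make a squatted name look like the real one.
CONFUSABLES = [("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w")]


def normalize(name):
    """PEP 503 normalisation: case-insensitive, runs of -_. collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def canonical(name):
    """Normalised name with confusable sequences folded to their look-alike."""
    n = normalize(name)
    for fake, real in CONFUSABLES:
        n = n.replace(fake, real)
    return n


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_requirement(line):
    """Return the bare project name from a requirements line, or None."""
    line = line.split("#", 1)[0].strip()
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)   # skips '-r', '-e', blank lines
    return m.group(1) if m else None


def check_requirements(text, trusted, max_distance=1):
    """Return findings for names that are not on the allow-list.

    A name is reported as 'confusable characters' if it equals a trusted name
    once look-alike characters are folded, as 'edit distance N' if it is within
    max_distance edits of one, and otherwise as 'not on allow-list'.
    """
    trusted_norm = {normalize(t) for t in trusted}
    trusted_canon = {canonical(t): t for t in trusted}
    findings = []
    for raw in text.splitlines():
        name = parse_requirement(raw)
        if not name or normalize(name) in trusted_norm:
            continue
        c = canonical(name)
        if c in trusted_canon:
            findings.append({"name": name, "closest": trusted_canon[c], "reason": "confusable characters"})
            continue
        closest = min(trusted, key=lambda t: levenshtein(c, canonical(t)))
        d = levenshtein(c, canonical(closest))
        reason = f"edit distance {d}" if d <= max_distance else "not on allow-list"
        findings.append({"name": name, "closest": closest, "reason": reason})
    return findings


# Constructed allow-list and requirements file; three lines are deliberate look-alikes.
TRUSTED = {"requests", "boto3", "cryptography", "urllib3", "colorama", "pyyaml"}
SAMPLE_REQUIREMENTS = """\
requests==2.32.3
requets>=2.0          # dropped letter
boto3
crypt0graphy          # digit zero for 'o'
urllib3>=2
colorarna             # 'rn' for 'm'
PyYAML
"""

if __name__ == "__main__":
    for f in check_requirements(SAMPLE_REQUIREMENTS, TRUSTED):
        print(f"{f['name']:<14} -> {f['closest']:<13} ({f['reason']})")
```

Run this in CI against the lock file: anything reported as "edit distance" or "confusable characters" should block the build until a human confirms the package is genuinely the one intended, and "not on allow-list" is the normal review trigger for a new dependency.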
Created at: 2025-09-18T01:15:37.717000
Updated at: 2025-10-18T01:03:47.610000
Infrastructure of Interest: Medium Confidence Detection
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:39:42.586000
Updated at: 2025-10-17T16:05:37.515000
Infrastructure of Interest: Medium Confidence InfoStealer
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with infostealer malware, designed to harvest sensitive data such as credentials, cookies, and financial information from compromised systems. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations involving data theft. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:31:55.617000
Updated at: 2025-10-17T16:05:05.095000
Infrastructure of Interest: Medium Confidence Command And Control
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with command and control (C2) infrastructure, facilitating malware communication, data exfiltration, and persistent threat actor operations. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:29:37.542000
Updated at: 2025-10-17T16:05:01.850000
Infrastructure of Interest: Medium Confidence Phishing
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with phishing campaigns, targeting credential theft and fraudulent resource access. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
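The four pulses above (Detection, InfoStealer, Command And Control, Phishing) all ask the reader to correlate medium-confidence indicators with existing investigations. The following is an added example, not LevelBlue Labs' code, of how that correlation is done correctly: each indicator type gets its own matching rule (an IPv4 indicator matches an address, a domain indicator covers its subdomains, a hostname indicator is exact so the parent domain is not implicated, a URL indicator is compared on scheme, host and path with the per-victim query string ignored), hits are filtered by confidence, and affected hosts are grouped by pulse. The indicator list and proxy log lines are constructed for illustration and use only reserved documentation ranges.

```python
"""Correlate a medium-confidence IOC pulse against web-proxy log lines.

Added example of the 'correlate with existing incident investigations' use
described above; it is not LevelBlue Labs' code. Indicators and log lines are
constructed for illustration and use documentation/reserved ranges only.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

CONFIDENCE_RANK = {"low": 0, "medium": 1, "high": 2}

# Constructed indicators in the shape a pulse export carries: type, value,
# confidence, and the pulse (category) each came from.
SAMPLE_IOCS = [
    {"type": "IPv4", "indicator": "192.0.2.44", "confidence": "medium", "pulse": "Command And Control"},
    {"type": "domain", "indicator": "update-portal.example", "confidence": "medium", "pulse": "Phishing"},
    {"type": "hostname", "indicator": "cdn.stealer-drop.example", "confidence": "medium", "pulse": "InfoStealer"},
    {"type": "URL", "indicator": "http://198.51.100.7/gate.php", "confidence": "medium", "pulse": "Command And Control"},
]

# Constructed proxy log: timestamp, source host, destination host, requested URL.
SAMPLE_LOGS = """\
2025-10-17T16:10:01Z ws-017 192.0.2.44 http://192.0.2.44/beacon
2025-10-17T16:10:05Z ws-017 www.example.org https://www.example.org/
2025-10-17T16:11:09Z ws-042 login.update-portal.example https://login.update-portal.example/auth
2025-10-17T16:12:30Z ws-042 198.51.100.7 http://198.51.100.7/gate.php?id=1
2025-10-17T16:13:00Z ws-099 stealer-drop.example https://stealer-drop.example/
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<url>\S+)$")


def _url_key(url):
    """Scheme, host and path only: query strings vary per victim and are ignored."""
    p = urlsplit(url)
    return (p.scheme.lower(), (p.hostname or "").lower(), p.path or "/")


def indicator_matches(ioc, dst, url):
    """Apply the matching rule appropriate to each indicator type."""
    kind, value = ioc["type"], ioc["indicator"]
    if kind == "IPv4":
        try:
            return ipaddress.ip_address(dst) == ipaddress.ip_address(value)
        except ValueError:          # destination was a name, not an address
            return False
    if kind == "domain":            # a domain indicator covers its subdomains
        d, v = dst.lower(), value.lower()
        return d == v or d.endswith("." + v)
    if kind == "hostname":          # exact: the parent domain is not implicated
        return dst.lower() == value.lower()
    if kind == "URL":
        return _url_key(url) == _url_key(value)
    return False


def correlate(iocs, log_text, min_confidence="medium"):
    """Return one hit per (log line, indicator) pair at or above min_confidence."""
    threshold = CONFIDENCE_RANK[min_confidence]
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        for ioc in iocs:
            if CONFIDENCE_RANK.get(ioc["confidence"], 0) < threshold:
                continue
            if indicator_matches(ioc, rec["dst"], rec["url"]):
                hits.append({"ts": rec["ts"], "src": rec["src"], "indicator": ioc["indicator"],
                             "pulse": ioc["pulse"], "confidence": ioc["confidence"]})
    return hits


def hosts_by_pulse(hits):
    """Group affected source hosts by pulse so C2 and phishing exposure are seen at a glance."""
    grouped = defaultdict(set)
    for h in hits:
        grouped[h["pulse"]].add(h["src"])
    return {pulse: sorted(hosts) for pulse, hosts in grouped.items()}


if __name__ == "__main__":
    found = correlate(SAMPLE_IOCS, SAMPLE_LOGS)
    for h in found:
        print(f"{h['ts']} {h['src']} -> {h['indicator']} [{h['pulse']}, {h['confidence']}]")
    print(hosts_by_pulse(found))
```

Because these indicators are medium confidence, a hit here is a lead for triage, not grounds for automatic blocking; the last log line is deliberately a near miss (the parent domain of a hostname indicator) to show why the per-type rules matter.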
Created at: 2025-08-07T07:20:01.253000
Updated at: 2025-10-17T16:04:59.364000
CAPI Backdoor: .NET Stealer Targeting Russian Auto-Commerce
Description: A spear-phishing campaign targeting the Russian automobile-commerce industry with a malicious .NET implant has been uncovered by the Seqrite Labs Research Team and is now being investigated by the FBI.
Created at: 2025-10-17T15:59:18.678000
Updated at: 2025-10-17T15:59:18.678000
Hidden links: why your website traffic is declining
Description: The article discusses the issue of hidden links in websites, a Black Hat SEO technique used to manipulate search engine rankings. It explains how attackers inject invisible HTML blocks containing links to unrelated, often adult or gambling websites. These hidden links can harm a website's reputation, lower its search rankings, and potentially lead to legal issues. The article describes various methods attackers use to place these links, including exploiting vulnerabilities in content management systems and compromising administrator accounts. It also provides guidance on how to detect hidden links and protect websites from such attacks, emphasizing the importance of using licensed solutions, keeping software updated, and implementing strong security measures.
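The detection guidance above comes down to finding links that a crawler will index but a visitor will never see. The following is an added example, not the article's code: a scanner built on the standard-library HTML parser that keeps a stack of open elements, marks any element hidden by the hidden attribute or by an inline style (display:none, visibility:hidden, zero opacity or font size, zero width or height, or a large negative offset), and reports links to external hosts that sit inside such an element. It assumes the site's own hostname is known, inspects inline styles only (class-based CSS and script-injected markup need a rendered DOM), and the page HTML is constructed for illustration.

```python
"""Scan a page for links hidden from visitors but visible to crawlers.

Added example for the hidden-link technique described above; it is not the
article's code. It checks inline styles and the hidden attribute only (class-
based CSS and script-injected markup need a rendered DOM). The page HTML is
constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Inline-style patterns that make an element (and its descendants) invisible.
HIDING_STYLES = [
    re.compile(r"display\s*:\s*none"),
    re.compile(r"visibility\s*:\s*hidden"),
    re.compile(r"opacity\s*:\s*0(?:\.0+)?(?![.\d])"),
    re.compile(r"font-size\s*:\s*0(?:px|pt|em|%)?(?![.\d])"),
    re.compile(r"(?:left|top|text-indent)\s*:\s*-\d{3,}"),   # pushed far off-screen
    re.compile(r"(?:height|width)\s*:\s*0(?:px)?(?![.\d])"),
]
# Elements that never get an end tag, so they must not be pushed on the stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}


def style_hides(style):
    s = style.lower()
    return any(p.search(s) for p in HIDING_STYLES)


class HiddenLinkScanner(HTMLParser):
    """Track a stack of open elements and whether each one hides its content."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.stack = []            # one bool per open element: True if it hides content
        self.findings = []
        self._link = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hides = "hidden" in a or a.get("aria-hidden") == "true" or style_hides(a.get("style") or "")
        if tag not in VOID_TAGS:
            self.stack.append(hides)
        if tag == "a" and a.get("href"):
            # hidden if this element or any ancestor hides content
            self._link = {"href": a["href"], "hidden": hides or any(self.stack), "text": ""}

    def handle_data(self, data):
        if self._link is not None:
            self._link["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._link is not None:
            link, self._link = self._link, None
            host = (urlsplit(link["href"]).hostname or "").lower()
            external = bool(host) and host != self.site_host and not host.endswith("." + self.site_host)
            if link["hidden"] and external:   # hidden internal links are usually navigation, not SEO spam
                self.findings.append({"href": link["href"], "host": host, "text": link["text"].strip()})
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()


def find_hidden_links(html, site_host):
    """Return hidden links to external hosts found in the page, in document order."""
    scanner = HiddenLinkScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page: a small-business site with four injected spam links.
SAMPLE_HTML = """
<html><body>
<h1>Our Bakery</h1>
<p>Welcome. <a href="https://www.example.com/menu">See the menu</a></p>
<p><a href="https://partner.example.org/">Our flour supplier</a></p>
<div style="display:none">
  <a href="http://casino-win.example.net/">best online casino</a>
  <a href="http://pills.example.net/buy">cheap pills</a>
</div>
<div style="position:absolute; left:-9999px"><a href="http://adult.example.net/">xxx</a></div>
<span style="font-size:0"><a href="/about">about us</a></span>
<p hidden><a href="https://loans.example.net/">fast loans</a></p>
<footer><a href="https://www.example.com/contact">Contact</a></footer>
</body></html>
"""

if __name__ == "__main__":
    for f in find_hidden_links(SAMPLE_HTML, "www.example.com"):
        print(f"hidden external link -> {f['host']}  ({f['text']!r})")
```

Run it against the HTML the server actually returns (not the template on disk), since injected blocks are often appended by a compromised theme or plugin at render time; a visible but unexpected external link, such as the supplier link here, is left for a human to judge.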
Created at: 2025-10-17T11:53:06.441000
Updated at: 2025-10-17T15:52:40.952000