LATEST THREAT INTELLIGENCE.

Operation Silk Lure: Scheduled Tasks Weaponized for DLL Side-Loading (drops ValleyRAT)

Description: A sophisticated cyber campaign targeting Chinese individuals in the FinTech, cryptocurrency exchange, and trading platform sectors has been uncovered. The operation uses spear-phishing emails with malicious .LNK files embedded in fake resumes. When executed, these files initiate a multi-stage infection process, ultimately deploying ValleyRAT malware. The malware establishes persistence through scheduled tasks, performs system reconnaissance, and exfiltrates sensitive data. The campaign's infrastructure is primarily hosted in Hong Kong, with multiple domains using the .work TLD to impersonate job portals. The attackers employ various techniques to evade detection, including anti-VM checks and attempts to disable antivirus software.

Created at: 2025-10-16T11:41:46.654000

Updated at: 2025-11-15T11:00:00.705000

Maverick: a new banking trojan abusing WhatsApp in a massive scale distribution

Description: A new banking Trojan named Maverick has emerged, targeting Brazilian users through a massive WhatsApp distribution campaign. The infection chain begins with a malicious LNK file sent via WhatsApp, leading to a complex, fileless infection process. Maverick uses the WPPConnect project to automate message sending from hijacked accounts, spreading the malware further. The Trojan monitors 26 Brazilian bank websites, 6 cryptocurrency exchanges, and 1 payment platform, aiming to capture banking credentials. It employs advanced evasion techniques, shows signs of AI-assisted code development, and shares similarities with the Coyote banking Trojan. The campaign's impact is significant due to its worm-like nature and exploitation of a popular messaging platform.

Created at: 2025-10-15T17:01:44.648000

Updated at: 2025-11-14T17:02:12.746000

Contagious Interview Actors Now Utilize JSON Storage Services for Malware Delivery

Description: The Contagious Interview campaign, linked to North Korean actors, has evolved to use JSON storage services for hosting and delivering malware. This campaign targets software developers, particularly those in cryptocurrency and Web3 projects, across Windows, Linux, and macOS. The attackers use social engineering tactics, including fake recruiter profiles, to deliver trojanized code during staged job interviews. The malware payload includes BeaverTail and OtterCookie infostealers, along with the InvisibleFerret RAT. The attack chain involves multiple stages, from initial contact to malware delivery, utilizing legitimate websites like JSON Keeper and code repositories to operate stealthily. The campaign also incorporates additional components such as the Tsunami Payload, which adds exceptions to Windows Defender and creates scheduled tasks.

Created at: 2025-11-14T12:25:53.286000

Updated at: 2025-11-14T12:28:12.968000

Infrastructure of Interest: Medium Confidence Command And Control

Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with command and control (C2) infrastructure, facilitating malware communication, data exfiltration, and persistent threat actor operations. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.

Created at: 2025-08-07T07:29:37.542000

Updated at: 2025-11-14T12:26:51.666000

Analysis of Encryption Structure of Yurei Ransomware Go-based Builder

Description: The Yurei ransomware group, first identified in September 2025, employs a typical ransomware operation model targeting corporate networks. Their attacks have affected Sri Lanka and Nigeria, focusing on transportation, IT, marketing, and food industries. The ransomware, developed in Go, uses ChaCha20-Poly1305 for file encryption and secp256k1-ECIES for key protection. It excludes specific directories, extensions, and files from encryption to maintain system functionality. The encryption process generates a unique key and nonce for each file, ensuring only the threat actor can decrypt the data. The ransom note threatens data leaks and regulatory notifications if demands are not met within five days.

Created at: 2025-11-14T12:16:01.354000

Updated at: 2025-11-14T12:23:15.664000

DarkComet RAT Malware Hidden Inside Fake Bitcoin Tool

Description: A malware analysis reveals the reemergence of DarkComet RAT disguised as a Bitcoin-related application. The malware, packed with UPX to evade detection, is distributed as a RAR archive containing an executable file. Once unpacked, it installs itself as 'explorer.exe' in the user's AppData folder and creates a registry run key for persistence. The RAT's configuration shows its command and control server as 'kvejo991.ddns.net' on port 1604. It employs keylogging, storing captured keystrokes in a 'dclogs' folder. The malware's process behavior includes spawning multiple cmd.exe and conhost.exe processes, and injecting its payload into notepad.exe for stealth. Despite its age, DarkComet remains a potent threat, especially when combined with cryptocurrency lures.

Created at: 2025-11-14T12:09:29.596000

Updated at: 2025-11-14T12:23:09.852000

NovaStealer - Apple Intelligence is leaving a plist.. it is legit, right?

Description: A cryptostealer for macOS utilizes a bash-based script to establish persistence and execute malicious modules. The malware installs itself in the ~/.mdrivers directory, uses screen sessions for background execution, and employs a LaunchAgent for persistence. It exfiltrates crypto wallet data, collects system information, and replaces legitimate wallet applications with malicious versions. The threat actor employs clever techniques like using WebKit to render phishing pages and tracking user behavior. While not highly sophisticated, the modular nature and ability to update components remotely make it a noteworthy threat.

Created at: 2025-11-14T12:04:55.537000

Updated at: 2025-11-14T12:23:04.242000

Increase in Lumma Stealer Activity Coincides with Use of Adaptive Browser Fingerprinting Tactics

Description: Trend Research observed a resurgence in Lumma Stealer activity since October 20, 2025, accompanied by new behaviors and C&C techniques. The malware now employs browser fingerprinting as part of its command-and-control tactics, collecting and exfiltrating system, network, hardware, and browser data using JavaScript payloads and stealthy HTTP communications. These new behaviors enable Lumma Stealer to maintain operational continuity, assess victim environments, and evade detection. The malware continues to use process injection techniques and maintains its core C&C communication structure while incorporating new fingerprinting capabilities. This hybrid approach serves multiple strategic purposes, including enhanced evasion, improved targeting, and detection avoidance.

Created at: 2025-11-14T02:36:37.571000

Updated at: 2025-11-14T11:37:14.155000

Hurricane Melissa Relief Scams: How Criminals Exploit Disaster

Description: In the aftermath of Hurricane Melissa's devastating impact on Jamaica in October 2025, cybercriminals swiftly exploited the crisis through various online scams. These included phishing campaigns, fake charity drives, and fraudulent financial-relief websites impersonating legitimate aid organizations. The scams targeted people's compassion and urgency, often launching within hours of the disaster. A notable example was a cryptocurrency donation site with multiple tiers, using static images and fake transaction data to appear legitimate. Multiple fraudulent domains were detected, many soliciting cryptocurrency donations. These scams not only defraud individuals but also erode public trust in digital charity infrastructure, highlighting the need for awareness, verification, and collaboration between cybersecurity firms, governments, and relief organizations to combat such threats.

Created at: 2025-11-14T02:36:40.314000

Updated at: 2025-11-14T11:26:54.369000

The terrible, horrible, no good, very bad day

Description: On February 24, 2022, a cyberattack targeted Viasat's KA-SAT satellite network, exploiting a VPN vulnerability to access management systems. The attackers deployed AcidRain wiper malware, disrupting satellite communications for thousands of users in Ukraine and affecting 5,800 wind turbines in Germany. The attack, occurring just before Russia's invasion of Ukraine, showed similarities to the VPNFilter malware. While destructive, it was relatively minor compared to other infrastructure attacks on Ukraine. The incident highlights the ongoing challenges in satellite cybersecurity and the importance of robust defenses against evolving threats.

Created at: 2025-11-13T23:20:41.099000

Updated at: 2025-11-14T11:25:46.990000