LATEST THREAT INTELLIGENCE.

Attackers Weaponize RMM Tools via Zoom, Meet, & Teams Lures

Description: Netskope Threat Labs has identified multiple phishing campaigns exploiting video conference invitations from Zoom, Microsoft Teams, and Google Meet. The attackers use fake meeting invites to trick users into downloading malicious payloads disguised as software updates. These payloads are actually legitimate, digitally signed remote monitoring and management (RMM) tools like Datto RMM, LogMeIn, or ScreenConnect. By leveraging these tools, attackers gain administrative remote access to victims' machines, potentially leading to data theft or further malware deployment. The campaigns use convincing phishing pages that mimic legitimate video conferencing platforms, exploiting users' urgency to join scheduled calls. This sophisticated approach allows attackers to bypass traditional security measures and establish a persistent foothold in corporate networks.

Created at: 2026-02-13T09:23:27.285000

Updated at: 2026-02-13T12:35:29.423000

Multiple Threat Actors Rapidly Exploit React2Shell: A Case Study of Active Compromise

Description: A critical vulnerability in React Server Components, dubbed React2Shell, was disclosed on December 3, 2025. Within days, multiple threat actors exploited this flaw, leading to simultaneous compromises of affected systems. The case study reveals a rapid progression from initial coin miner installations to the deployment of various malware types, including RATs and backdoors. The timeline shows attacks beginning on December 5, with website defacement occurring by December 7. Notably, the incident involved the use of SNOWLIGHT, the HISONIC backdoor, the CrossC2 RAT, and the abuse of the Global Socket tool. The study emphasizes the speed at which attackers exploit new vulnerabilities and the importance of swift patching and thorough post-compromise investigations.

Created at: 2026-02-13T09:23:25.466000

Updated at: 2026-02-13T12:27:17.741000

LockBit strikes with new 5.0 version, targeting Windows, Linux and ESXi systems

Description: LockBit 5.0, the latest version of the notorious ransomware, has been released with support for Windows, Linux, and ESXi systems. This update brings improved defense evasion, faster encryption, and enhanced modularity. The Windows variant employs extensive anti-analysis techniques, while Linux and ESXi versions remain unpacked. All variants share a common encryption scheme using XChaCha20 and Curve25519. LockBit 5.0 demonstrates a focus on enterprise and infrastructure targets, including explicit support for Proxmox virtualization. The group's data leak site reveals a primary focus on the U.S. business sector, with victims spanning various industries. LockBit's infrastructure has shown connections to SmokeLoader, suggesting possible cooperation or infrastructure reuse among malware operators.

Created at: 2026-02-12T15:08:39.458000

Updated at: 2026-02-12T21:50:43.087000

ScreenConnect Attack: SmartScreen Bypass and RMM Abuse

Description: An attack campaign targeting organizations in the US, Canada, UK, and Northern Ireland exploits ConnectWise ScreenConnect vulnerabilities. The attack chain begins with a spoofed email containing a malicious .cmd attachment, which executes silently, escalates privileges, disables Windows SmartScreen, and removes the Mark-of-the-Web. It then installs a legitimate Remote Monitoring and Management tool, ScreenConnect, which is abused as a Remote Access Trojan for persistent command-and-control access. The campaign focuses on sectors with high-value data, including government, healthcare, and logistics. The attackers use various techniques to evade detection, including UAC bypass, registry modification, and silent MSI installation. The ScreenConnect client used has a revoked certificate, highlighting the importance of blocking vulnerable software versions and enforcing strict RMM allowlists.

Created at: 2026-02-12T10:39:02.464000

Updated at: 2026-02-12T21:50:13.127000

Employee Monitoring and SimpleHelp Software Abused in Ransomware Operations

Description: Threat actors have been observed exploiting Net Monitor for Employees Professional and SimpleHelp software in ransomware operations. These legitimate tools were used for remote access, command execution, and persistence. The attackers disguised Net Monitor as Microsoft OneDrive and configured SimpleHelp with cryptocurrency-related keyword triggers. In one case, the attack led to an attempted deployment of Crazy ransomware. The intrusions involved initial access through compromised VPN accounts, followed by the installation of these tools for remote control and monitoring. The shared infrastructure and tactics suggest a single threat actor or group behind these activities, with objectives including cryptocurrency theft and ransomware deployment.

Created at: 2026-02-12T10:39:00.609000

Updated at: 2026-02-12T21:48:11.976000

Booking.com Phishing Campaign Targeting Hotels and Customers

Description: A sophisticated phishing campaign targeting the hospitality industry has been uncovered, compromising hotel administrators' Booking.com accounts to defraud customers. The attack chain begins with spear-phishing emails impersonating Booking.com, leading to malware infection via the ClickFix social engineering tactic. The malware, identified as PureRAT, allows attackers to steal credentials and access booking platforms. Compromised accounts are then used to send fraudulent messages to hotel guests, tricking them into paying for their reservations a second time. The cybercrime ecosystem supporting these attacks includes services for harvesting hotel administrator contacts, distributing phishing emails, and trading stolen Booking.com account credentials on underground forums.

Created at: 2026-01-13T19:46:56.899000

Updated at: 2026-02-12T19:04:25.334000

SHADOW#REACTOR – Text-Only Staging, .NET Reactor, and In-Memory Remcos RAT Deployments

Description: This analysis examines a multi-stage Windows malware campaign called SHADOW#REACTOR. The infection chain uses obfuscated VBS, PowerShell downloaders, and text-based payloads to deliver a Remcos RAT backdoor. Key features include fragmented text staging, .NET Reactor protection, reflective loading, and MSBuild abuse as a living-off-the-land binary. The campaign leverages complex obfuscation and in-memory execution to evade detection while establishing persistent remote access. Defensive recommendations focus on script execution monitoring, LOLBin abuse detection, and enhanced PowerShell logging to counter the sophisticated evasion techniques employed.

Created at: 2026-01-13T16:17:00.431000

Updated at: 2026-02-12T16:01:29.518000

UNC1069 Targets Cryptocurrency Sector with New Tooling and AI-Enabled Social Engineering

Description: North Korean threat actor UNC1069 has evolved its tactics to target the cryptocurrency and decentralized finance sectors. In a recent intrusion, they deployed seven unique malware families, including the new tools SILENCELIFT, DEEPBREATH, and CHROMEPUSH, designed to capture host and victim data. The attack relied on social engineering involving a compromised Telegram account, a fake Zoom meeting, and a reportedly AI-generated video. UNC1069 has shifted from spear-phishing to targeting Web3 industry entities such as centralized exchanges, software developers, and venture capital firms. The intrusion demonstrated sophisticated techniques to bypass macOS security features and harvest credentials, browser data, and cryptocurrency information. This marks a significant expansion in UNC1069's capabilities and highlights their focus on financial theft and on fueling future social engineering campaigns.

Created at: 2026-02-09T19:29:20.975000

Updated at: 2026-02-12T14:41:53.254000

Infrastructure of Interest: Medium Confidence InfoStealer

Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with infostealer malware, designed to harvest sensitive data such as credentials, cookies, and financial information from compromised systems. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations involving data theft. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.

Created at: 2025-08-07T07:31:55.617000

Updated at: 2026-02-12T14:19:12.987000

Nation-State Actors Exploit Notepad++ Supply Chain

Description: Between June and December 2025, the state-sponsored threat group Lotus Blossom compromised the hosting infrastructure for Notepad++, allowing them to intercept and redirect update traffic. This enabled selective targeting of users primarily in Southeast Asian government, telecommunications and critical infrastructure sectors. Two infection chains were identified: one using Lua script injection to deliver Cobalt Strike and another using DLL side-loading for a Chrysalis backdoor. The campaign affected additional sectors across South America, the US, Europe and Southeast Asia, including cloud hosting, energy, financial, government, manufacturing and software development. The attack exploited insufficient verification in older versions of the Notepad++ updater to serve malicious installers to targeted victims.

Created at: 2026-02-12T01:20:03.195000

Updated at: 2026-02-12T09:33:55.958000