LATEST THREAT INTELLIGENCE.

CAPI Backdoor: .NET Stealer Targeting Russian Auto-Commerce

Description: A spear-phishing campaign targeting the Russian automobile-commerce industry using a malicious .NET implant has been uncovered by the Seqrite Labs Research Team and is now being investigated by the FBI.

Created at: 2025-10-17T15:59:18.678000

Updated at: 2025-11-16T15:02:53.735000

New Group on the Block: UNC5142 Leverages EtherHiding to Distribute Malware

Description: UNC5142, a financially motivated threat actor, has been tracked since late 2023 for abusing blockchain technology to distribute infostealers. The group exploits vulnerable WordPress sites and employs the 'EtherHiding' technique to obscure malicious code on the BNB Smart Chain. Their infection chain involves a multistage JavaScript downloader called CLEARSHORT, compromised WordPress sites, and smart contracts. UNC5142 has evolved its tactics, using a three-level smart contract system for dynamic payload delivery and abusing legitimate services like Cloudflare Pages. The group has distributed various infostealers, including ATOMIC, VIDAR, LUMMAC.V2, and RADTHIEF. Their operations have impacted multiple industries and geographic regions, with approximately 14,000 compromised web pages identified as of June 2025.

Created at: 2025-10-16T17:53:02.346000

Updated at: 2025-11-15T17:00:02.086000

Odyssey Stealer & AMOS Hit macOS Developers with Fake Homebrew Sites

Description: A sophisticated campaign targeting macOS developers has been uncovered, utilizing fake websites impersonating trusted platforms like Homebrew, TradingView, and LogMeIn to distribute Odyssey Stealer and AMOS malware. The attackers employ social engineering tactics, prompting users to paste base64-encoded commands in Terminal, which downloads malicious payloads. Over 85 phishing domains were identified, linked through shared SSL certificates and infrastructure. The campaign's infrastructure includes long-standing IP addresses showing multi-year activity. The malware attempts privilege escalation, performs anti-analysis checks, and disrupts backup services. This coordinated operation demonstrates the attackers' ability to adapt tactics and maintain persistence in the macOS ecosystem.

Created at: 2025-10-16T17:53:01.412000

Updated at: 2025-11-15T17:00:02.086000

Operation Silk Lure: Scheduled Tasks Weaponized for DLL Side-Loading (drops ValleyRAT)

Description: A sophisticated cyber campaign targeting Chinese individuals in the FinTech, cryptocurrency exchange, and trading platform sectors has been uncovered. The operation uses spear-phishing emails with malicious .LNK files embedded in fake resumes. When executed, these files initiate a multi-stage infection process, ultimately deploying ValleyRAT malware. The malware establishes persistence through scheduled tasks, performs system reconnaissance, and exfiltrates sensitive data. The campaign's infrastructure is primarily hosted in Hong Kong, with multiple domains using the .work TLD to impersonate job portals. The attackers employ various techniques to evade detection, including anti-VM checks and attempts to disable antivirus software.

Created at: 2025-10-16T11:41:46.654000

Updated at: 2025-11-15T11:00:00.705000

Maverick: a new banking trojan abusing WhatsApp in a massive scale distribution

Description: A new banking Trojan named Maverick has emerged, targeting Brazilian users through a massive WhatsApp distribution campaign. The infection chain begins with a malicious LNK file sent via WhatsApp, leading to a complex, fileless infection process. Maverick uses the WPPConnect project to automate message sending from hijacked accounts, spreading the malware further. The Trojan monitors 26 Brazilian bank websites, 6 cryptocurrency exchanges, and 1 payment platform, aiming to capture banking credentials. It employs advanced evasion techniques, including AI-assisted code development, and shares similarities with the Coyote banking Trojan. The campaign's impact is significant due to its worm-like nature and exploitation of a popular messaging platform.

Created at: 2025-10-15T17:01:44.648000

Updated at: 2025-11-14T17:02:12.746000

Contagious Interview Actors Now Utilize JSON Storage Services for Malware Delivery

Description: The Contagious Interview campaign, linked to North Korean actors, has evolved to use JSON storage services for hosting and delivering malware. This campaign targets software developers, particularly those in cryptocurrency and Web3 projects, across Windows, Linux, and macOS. The attackers use social engineering tactics, including fake recruiter profiles, to deliver trojanized code during staged job interviews. The malware payload includes BeaverTail and OtterCookie infostealers, along with the InvisibleFerret RAT. The attack chain involves multiple stages, from initial contact to malware delivery, utilizing legitimate websites like JSON Keeper and code repositories to operate stealthily. The campaign also incorporates additional components such as the Tsunami Payload, which adds exceptions to Windows Defender and creates scheduled tasks.

Created at: 2025-11-14T12:25:53.286000

Updated at: 2025-11-14T12:28:12.968000

Infrastructure of Interest: Medium Confidence Command And Control

Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with command and control (C2) infrastructure, facilitating malware communication, data exfiltration, and persistent threat actor operations. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.

Created at: 2025-08-07T07:29:37.542000

Updated at: 2025-11-14T12:26:51.666000

Analysis of Encryption Structure of Yurei Ransomware Go-based Builder

Description: The Yurei ransomware group, first identified in September 2025, employs a typical ransomware operation model targeting corporate networks. Their attacks have affected Sri Lanka and Nigeria, focusing on transportation, IT, marketing, and food industries. The ransomware, developed in Go, uses ChaCha20-Poly1305 for file encryption and secp256k1-ECIES for key protection. It excludes specific directories, extensions, and files from encryption to maintain system functionality. The encryption process generates a unique key and nonce for each file, ensuring only the threat actor can decrypt the data. The ransom note threatens data leaks and regulatory notifications if demands are not met within five days.

Created at: 2025-11-14T12:16:01.354000

Updated at: 2025-11-14T12:23:15.664000

DarkComet RAT Malware Hidden Inside Fake Bitcoin Tool

Description: A malware analysis reveals the reemergence of DarkComet RAT disguised as a Bitcoin-related application. The malware, packed with UPX to evade detection, is distributed as a RAR archive containing an executable file. Once unpacked, it installs itself as 'explorer.exe' in the user's AppData folder and creates a registry run key for persistence. The RAT's configuration shows its command and control server as 'kvejo991.ddns.net' on port 1604. It employs keylogging, storing captured keystrokes in a 'dclogs' folder. The malware's process behavior includes spawning multiple cmd.exe and conhost.exe processes, and injecting its payload into notepad.exe for stealth. Despite its age, DarkComet remains a potent threat, especially when combined with cryptocurrency lures.

Created at: 2025-11-14T12:09:29.596000

Updated at: 2025-11-14T12:23:09.852000

NovaStealer - Apple Intelligence is leaving a plist.. it is legit, right?

Description: A cryptostealer for macOS utilizes a bash-based script to establish persistence and execute malicious modules. The malware installs itself in the ~/.mdrivers directory, uses screen sessions for background execution, and employs a LaunchAgent for persistence. It exfiltrates crypto wallet data, collects system information, and replaces legitimate wallet applications with malicious versions. The threat actor employs clever techniques like using WebKit to render phishing pages and tracking user behavior. While not highly sophisticated, the modular nature and ability to update components remotely make it a noteworthy threat.

Created at: 2025-11-14T12:04:55.537000

Updated at: 2025-11-14T12:23:04.242000