LATEST THREAT INTELLIGENCE.
Infrastructure of Interest: Medium Confidence Detection
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:39:42.586000
Updated at: 2026-01-05T11:29:57.492000
LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan
Description: ESET researchers have uncovered a new China-aligned APT group named LongNosedGoblin targeting governmental entities in Southeast Asia and Japan for cyberespionage. The group employs a varied custom toolset of C#/.NET applications and abuses Group Policy for lateral movement. Key tools include NosyHistorian for collecting browser history, NosyDoor backdoor using cloud services as C&C, and NosyStealer for exfiltrating browser data. The attackers also utilize techniques like AppDomainManager injection and AMSI bypassing. LongNosedGoblin has been active since at least September 2023, showing ongoing campaigns throughout 2024 and 2025. The research provides detailed analysis of the group's malware and tactics, including potential sharing of the NosyDoor backdoor among multiple China-aligned actors.
Created at: 2026-01-03T11:05:57.103000
Updated at: 2026-01-05T11:13:42.193000
MuddyWater: Snakes by the riverbank
Description: MuddyWater, an Iran-aligned cyberespionage group, has been targeting critical infrastructure in Israel and Egypt with custom malware and improved tactics. The campaign uses previously undocumented tools like the Fooder loader and MuddyViper backdoor to enhance defense evasion and persistence. Fooder masquerades as a Snake game and uses game-inspired techniques to hinder analysis. MuddyViper enables system information collection, file manipulation, and credential theft. The group also employs browser-data stealers and reverse tunneling tools. This campaign demonstrates MuddyWater's evolution towards more sophisticated and refined approaches, though traces of operational immaturity remain. The group continues to pose a significant threat, particularly to government, military, telecommunications, and critical infrastructure sectors in the Middle East.
Created at: 2026-01-03T11:05:58.696000
Updated at: 2026-01-05T11:08:33.598000
Sharpening the knife: strategic evolution of GOLD BLADE
Description: GOLD BLADE, a threat group previously focused on cyberespionage, has evolved into a hybrid operation combining data theft with selective ransomware deployment. The group has refined its intrusion methods, shifting from traditional phishing to abusing recruitment platforms for delivering weaponized resumes. Their operations follow cycles of dormancy and sudden activity bursts, introducing new tradecraft in each wave. GOLD BLADE has modified its RedLoader infection chain multiple times, implemented a Bring Your Own Vulnerable Driver approach, and developed a custom ransomware called QWCrypt. The group's targeting has narrowed to focus primarily on Canadian organizations across various sectors. Their sophisticated tactics and continual refinement demonstrate a level of operational maturity uncommon among financially motivated actors.
Created at: 2025-12-06T07:31:57.447000
Updated at: 2026-01-05T07:03:21.745000
China-nexus cyber threat groups rapidly exploit React2Shell vulnerability (CVE-2025-55182)
Description: Within hours of the public disclosure of CVE-2025-55182 (React2Shell) on December 3, 2025, Amazon threat intelligence teams observed active exploitation attempts by multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda. This critical vulnerability in React Server Components has a maximum Common Vulnerability Scoring System (CVSS) score of 10.0 and affects React versions 19.x and Next.js versions 15.x and 16.x when using App Router.
Created at: 2025-12-05T17:57:24.639000
Updated at: 2026-01-04T17:02:50.863000
Malicious VSCode Extension Launches Multi-Stage Attack Chain with Anivia Loader and OctoRAT
Description: A malicious Visual Studio Code extension named 'prettier-vscode-plus' was discovered on the official VSCode Marketplace, impersonating the legitimate Prettier formatter. This extension served as the entry point for a multi-stage malware chain, starting with the Anivia loader, which decrypted and executed further payloads in memory. The final stage, OctoRAT, is a comprehensive remote access toolkit providing over 70 commands for surveillance, file theft, remote desktop control, persistence, privilege escalation, and harassment. The attack chain employs sophisticated techniques like AES encryption, process hollowing, and UAC bypass. The threat actor's GitHub repository showed active payload rotation to evade detection. This supply-chain attack highlights the evolving threats targeting developers and the abuse of trusted tools in their ecosystem.
Created at: 2025-12-04T10:32:22.599000
Updated at: 2026-01-03T10:02:01.274000
Global Corporate Web
Description: This analysis explores the corporate structure and operations of Intellexa, a mercenary spyware vendor. It reveals new companies likely tied to Intellexa's network, particularly within a Czech cluster, and examines their roles in product shipment and potential infection vectors. The report traces Intellexa's activities across multiple countries, including new evidence of Predator spyware deployment in Iraq. It highlights the challenges in tracking such operations due to complex corporate structures and evolving techniques. The analysis also discusses broader trends in the spyware ecosystem, including geopolitical fragmentation, persistent facilitators, and expanding targeting beyond traditional victims to include corporate leaders.
Created at: 2025-12-04T08:11:30.961000
Updated at: 2026-01-03T08:02:06.051000
VVS Discord Stealer Using Pyarmor for Obfuscation and Detection Evasion
Description: VVS stealer is a Python-based malware targeting Discord users to exfiltrate sensitive information like credentials and tokens. It employs Pyarmor for obfuscation and detection evasion. The stealer's capabilities include stealing Discord data, intercepting active sessions, extracting browser data, and achieving persistence. Its code is heavily obfuscated using Pyarmor's BCC mode and AES-128-CTR encryption. The analysis reveals the stealer's ability to decrypt encrypted Discord tokens, query Discord APIs for user information, inject malicious JavaScript into the Discord application, and extract data from various web browsers. The malware also implements startup persistence and displays a fake error message to deceive victims.
Created at: 2026-01-02T13:40:42.632000
Updated at: 2026-01-02T16:15:47.853000
Operation DupeHike: Targeting Russian employees with DUPERUNNER and AdaptixC2
Description: A campaign targeting Russian corporate entities, particularly HR, payroll, and administrative departments, has been uncovered. The attack uses realistic decoy documents themed around employee bonuses and financial policies. The malware ecosystem involves a malicious LNK file leading to an implant dubbed DUPERUNNER, which then loads the AdaptixC2 Beacon to connect to the threat actor's infrastructure. The infection chain begins with a spear-phishing ZIP archive containing PDF-themed LNK files. The DUPERUNNER implant, written in C++, performs various functions including downloading and opening decoy PDFs, process enumeration, and shellcode injection. The final stage involves the AdaptixC2 Beacon, which communicates with the command-and-control server. The campaign, tracked as UNG0902, uses multiple sets of malicious infrastructure and is believed to be targeting employees of various organizations.
Created at: 2025-12-03T14:29:45.022000
Updated at: 2026-01-02T14:02:11.156000
DeedRAT: Unpacking a Modern Backdoor's Playbook
Description: DeedRAT is a sophisticated backdoor associated with the Chinese APT group Salt Typhoon, targeting critical sectors globally. It infiltrates systems through phishing campaigns, utilizing DLL sideloading to evade detection. The malware establishes persistence via registry run keys and service creation, ensuring long-term access. DeedRAT's capabilities include file manipulation, system reconnaissance, and payload execution. The infection chain involves three files: a legitimate executable, a malicious DLL, and an encrypted file. Once installed, it attempts to connect to its command-and-control server. Defensive measures include monitoring email traffic, registry changes, and anomalous service creations.
Created at: 2025-12-31T22:59:16.941000
Updated at: 2026-01-02T10:57:57.003000