LATEST THREAT INTELLIGENCE.
CNCERT: Risk Warning Regarding the "Black Cat" Gang's Use of Search Engines to Spread Counterfeit Notepad++ Download Remote Control Backdoors
Description: CNCERT and Microstep Online jointly detected a cyberattack campaign launched by the "Black Cat" criminal gang. This gang uses search engine SEO (Search Engine Optimization) techniques to push meticulously crafted phishing websites to the top of search engine keyword results. After visiting these high-ranking phishing pages, users are lured by carefully designed download pages into downloading software installation packages bundled with malicious programs. Once installed, the program implants a backdoor Trojan without the user's knowledge, allowing attackers to steal sensitive data from the host computer.
Created at: 2026-01-09T10:24:39.419000
Updated at: 2026-02-08T10:02:23.915000
Threat Research: PHALT#BLYX: Fake BSODs and Trusted Build Tools
Description: The PHALT#BLYX campaign targets the hospitality sector using sophisticated social engineering and advanced techniques. It begins with a phishing email mimicking a Booking.com reservation cancellation, leading victims to a fake website. Users are tricked into executing malicious PowerShell commands through a fake BSOD and click-fix social engineering tactic. The malware leverages MSBuild.exe to bypass defenses and deploys a customized DCRat payload. It establishes persistence, disables Windows Defender, and uses process hollowing to inject into legitimate processes. The campaign shows evolution from earlier, simpler methods and demonstrates a deep understanding of modern endpoint protection. Attribution points to Russian-speaking threat actors, given the presence of Cyrillic debug strings and the use of DCRat, a popular tool in Russian underground forums.
Created at: 2026-01-09T09:47:05.226000
Updated at: 2026-02-08T09:02:20.038000
Guloader Malware Being Disguised as Employee Performance Reports
Description: ASEC discovered Guloader malware being distributed through phishing emails masquerading as employee performance reports. The emails, claiming to be about October 2025 performance, contain a RAR file with an NSIS executable named 'staff record pdf.exe'. This file is actually Guloader malware, which downloads and executes shellcode from a Google Drive URL. The final payload is Remcos RAT, enabling threat actors to perform various malicious remote control activities, including keylogging, screenshot capture, webcam and microphone control, and browser data extraction. The attackers are increasingly using legitimate platforms as C2 servers, making detection more challenging. Users are advised to exercise caution when opening emails from unknown sources and to change passwords regularly to prevent secondary damage.
Created at: 2026-01-08T18:12:08.252000
Updated at: 2026-02-07T18:00:59.149000
Reborn in Rust: MuddyWater Evolves Tooling with RustyWater Implant
Description: MuddyWater APT group has launched a spearphishing campaign targeting various sectors in the Middle East, including diplomatic, maritime, financial, and telecom entities. The campaign employs icon spoofing and malicious Word documents to deliver a Rust-based implant dubbed 'RustyWater'. This new tool represents a significant upgrade from their traditional PowerShell and VBS loaders, offering capabilities such as asynchronous C2, anti-analysis features, registry persistence, and modular post-compromise expansion. The attack chain involves a malicious email with an attached document that triggers a multi-stage process, ultimately leading to the deployment of the RustyWater implant. This evolution in MuddyWater's toolkit demonstrates their adaptation to more sophisticated, structured, and stealthy attack methods.
Created at: 2026-01-08T18:12:01.321000
Updated at: 2026-02-07T18:00:59.149000
BlueDelta Evolves Credential Harvesting
Description: Between February and September 2025, BlueDelta, a Russian state-sponsored threat group linked to the GRU, conducted multiple credential-harvesting campaigns. The group targeted individuals associated with energy research, defense cooperation, and government communication networks in Turkey, Europe, North Macedonia, and Uzbekistan. BlueDelta impersonated legitimate webmail and VPN services, using free hosting and tunneling services to host phishing content and capture user data. The campaigns incorporated PDF lures and customized JavaScript to increase authenticity and operational efficiency. This activity demonstrates BlueDelta's continued focus on low-cost, high-yield methods for collecting information supporting Russian intelligence objectives.
Created at: 2026-01-08T11:41:07.032000
Updated at: 2026-02-07T12:01:06.539000
Knife Cutting the Edge: Disclosing a China-nexus gateway-monitoring AitM framework
Description: Cisco Talos uncovered 'DKnife', a sophisticated gateway-monitoring and adversary-in-the-middle (AitM) framework comprising seven Linux-based implants. Used since 2019, DKnife performs deep-packet inspection, traffic manipulation, and malware delivery via routers and edge devices. It targets various devices, including PCs, mobile devices, and IoT, delivering ShadowPad and DarkNimbus backdoors. The framework primarily targets Chinese-speaking users, with evidence suggesting China-nexus threat actors as operators. DKnife's capabilities include DNS hijacking, Android application update hijacking, Windows binary hijacking, anti-virus traffic disruption, and user activity monitoring. A link to the WizardNet campaign was also discovered, indicating a shared development or operational lineage.
Created at: 2026-02-05T20:16:27.292000
Updated at: 2026-02-06T16:18:47.684000
Infrastructure of Interest: Medium Confidence Detection
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:39:42.586000
Updated at: 2026-02-06T14:44:34.797000
Infrastructure of Interest: Medium Confidence FastFlux
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous DNS patterns, behavioral analysis of rapid IP rotation, and cross-referenced intelligence from global sinkhole data and network telemetry. The IOCs included in this pulse are associated with Fastflux networks, characterized by constantly changing IP addresses and DNS records to evade detection while maintaining resilient malicious infrastructure for phishing, malware delivery, or C2 operations. Use this data to enhance DNS-based detection rules, identify flux parent domains, and disrupt threat actor network resilience. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:34:03.778000
Updated at: 2026-02-06T14:42:37.178000
Infrastructure of Interest: Medium Confidence Command And Control
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with command and control (C2) infrastructure, facilitating malware communication, data exfiltration, and persistent threat actor operations. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:29:37.542000
Updated at: 2026-02-06T14:42:26.164000
Phishing actors exploiting complex routing scenarios and misconfigured spoof protections
Description: Threat actors are leveraging complex routing scenarios and misconfigured spoof protections to send phishing emails that appear to be internal communications. These attacks, which have increased since May 2025, use various lures like voicemails, shared documents, and password resets to conduct credential phishing and financial scams. The campaigns, often using PhaaS platforms like Tycoon2FA, are opportunistic and target multiple industries. While Microsoft detects most attempts, organizations can further mitigate risks by properly configuring spoof protections and third-party connectors. The attacks do not affect customers whose Microsoft Exchange MX records point to Office 365, as they are protected by built-in spoofing detections.
Created at: 2026-01-07T11:34:32.218000
Updated at: 2026-02-06T11:02:05.852000
