LATEST THREAT INTELLIGENCE.
Infrastructure of Interest: Medium Confidence Detection
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:39:42.586000
Updated at: 2026-02-10T12:02:54.305000
Infrastructure of Interest: Medium Confidence InfoStealer
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with infostealer malware, designed to harvest sensitive data such as credentials, cookies, and financial information from compromised systems. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations involving data theft. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:31:55.617000
Updated at: 2026-02-10T12:01:15.885000
Infrastructure of Interest: Medium Confidence Command And Control
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with command and control (C2) infrastructure, facilitating malware communication, data exfiltration, and persistent threat actor operations. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:29:37.542000
Updated at: 2026-02-10T12:01:09.848000
Infrastructure of Interest: Medium Confidence Phishing
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with phishing campaigns, targeting credential theft and fraudulent resource access. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:20:01.253000
Updated at: 2026-02-10T12:01:08.752000
Silent Push Traffic Origin Data Combined with Residential Proxy Data Uncovers Suspicious Chinese VPN
Description: An investigation using Silent Push's Traffic Origin and residential proxy data revealed a suspicious Chinese VPN provider. The analysis focused on IP address 205.198.91.155, which showed unusual traffic from Russia, China, Myanmar, Iran, and Venezuela. This IP was linked to the domain lvcha.in, hosting a Chinese-language VPN. Further investigation uncovered nearly 50 related domains promoting the same VPN, suggesting attempts to bypass country-level firewalls. The VPN's infrastructure was found to use residential proxies and had connections to various high-risk countries. This case study demonstrates the importance of verifying physical and technical behaviors of connections to protect against fraud and state-sponsored actors using stolen identities and spoofed locations.
Created at: 2026-02-10T09:09:44.803000
Updated at: 2026-02-10T10:05:27.619000
Dissecting UAT-8099: New persistence mechanisms and regional focus
Description: UAT-8099, a threat actor targeting vulnerable IIS servers across Asia, has launched a new campaign from late 2025 to early 2026. The group's tactics have evolved, focusing on Thailand and Vietnam, and employing web shells, PowerShell scripts, and the GotoHTTP tool for remote access. New variants of BadIIS malware now include region-specific features, with separate versions targeting Vietnam and Thailand. The actor has expanded their toolkit to include utilities for log removal, file protection, and anti-rootkit capabilities. They've also adapted their persistence methods, creating hidden user accounts and leveraging legitimate tools to evade detection. The campaign demonstrates significant operational overlaps with the WEBJACK campaign, including shared malware hashes, C2 infrastructure, and victimology.
Created at: 2026-01-29T17:20:34.042000
Updated at: 2026-02-09T21:41:54.376000
Cryptocurrency Sector Targeted with New Tooling and AI-Enabled Social Engineering
Description: North Korean threat actor UNC1069 has evolved its tactics to target the cryptocurrency and decentralized finance sectors. In a recent intrusion, they deployed seven unique malware families, including new tools SILENCELIFT, DEEPBREATH, and CHROMEPUSH, designed to capture host and victim data. The attack utilized social engineering involving a compromised Telegram account, fake Zoom meeting, and reported AI-generated video. UNC1069 has shifted from spear-phishing to targeting Web3 industry entities like centralized exchanges, software developers, and venture capital firms. The intrusion demonstrated sophisticated techniques to bypass macOS security features and harvest credentials, browser data, and cryptocurrency information. This marks a significant expansion in UNC1069's capabilities and highlights their focus on financial theft and fueling future social engineering campaigns.
Created at: 2026-02-09T19:29:20.975000
Updated at: 2026-02-09T20:26:12.333000
Technical Analysis of GuLoader Obfuscation Techniques
Description: GuLoader, a malware downloader active since 2019, primarily delivers RATs and information stealers. It employs sophisticated anti-analysis techniques, including polymorphic code for dynamic constant construction and complex exception-based control flow obfuscation. The malware has evolved to handle multiple exception types, making tracing its execution flow challenging. GuLoader uses dynamic hashing, encrypted strings, and stack-based string encryption to conceal critical information. It often hosts payloads on trusted cloud services to bypass reputation-based detection. The malware's consistent development and updating of anti-analysis techniques suggest it will remain a significant threat in the future.
Created at: 2026-02-09T19:07:10.863000
Updated at: 2026-02-09T20:18:39.892000
Investigation on the EmEditor Supply Chain Cyberattack
Description: A recent supply chain attack targeting EmEditor users has been uncovered, involving watering hole tactics. The investigation reveals multiple domains masquerading as EmEditor-related sites, all registered through NameSilo LLC in December 2025. The domains resolve to various IP addresses, with some changes observed in February 2026. Additional domains with similar patterns were discovered, along with peculiar HTTP header behavior. A potential early stage of the campaign was identified, sharing similar characteristics with the initial report. The attackers continued their activities even after exposure, utilizing PowerShell scripts and various domains for command and control purposes. The analysis provides a comprehensive list of indicators, including domain names, IP addresses, and file hashes associated with the attack.
Created at: 2026-02-09T14:52:16.312000
Updated at: 2026-02-09T20:16:16.247000
Yet Another Leak of China's Contractor-Driven Cyber-Espionage Ecosystem
Description: The Knownsec leak exposes a state-aligned Chinese cyber contractor deeply integrated with national security and intelligence operations. Internal documents reveal Knownsec's role in developing offensive cyber capabilities, large-scale reconnaissance systems, and data fusion platforms for public security bureaus and military clients. Key products include ZoomEye for global IP scanning, GhostX for exploitation, and Passive Radar for covert network mapping. The leak provides unprecedented insight into Knownsec's organizational structure, personnel, and strategic targeting of foreign critical infrastructure, particularly in Taiwan and other Asian countries. It demonstrates how commercial entities like Knownsec function as core components of China's cyber-espionage ecosystem, blending state objectives with industrial-scale development of intrusion and surveillance technologies.
Created at: 2026-01-10T13:29:36.119000
Updated at: 2026-02-09T13:05:03.614000
