LATEST THREAT INTELLIGENCE.
Unauthenticated Remote Access via Triofox Vulnerability CVE-2025-12480
Description: A critical vulnerability in Gladinet's Triofox file-sharing platform, CVE-2025-12480, allowed unauthenticated access to configuration pages, enabling arbitrary payload execution. Threat actor UNC6485 exploited this flaw as early as August 24, 2025, bypassing authentication and chaining it with abuse of the built-in anti-virus feature to achieve code execution. The vulnerability affected Triofox version 16.4.10317.56372 and was patched in version 16.7.10368.56560. Attackers created admin accounts, deployed remote access tools, conducted reconnaissance, and attempted privilege escalation. They used Zoho UEMS, Zoho Assist, and AnyDesk for remote access, and set up encrypted tunnels for C2 communication. The exploit chain involved HTTP Host header manipulation and abuse of the built-in anti-virus feature to execute malicious scripts.
Created at: 2025-11-10T21:58:59.342000
Updated at: 2025-12-10T21:00:25.421000
Finding Minhook in a sideloading attack – and Sweden too
Description: A threat actor campaign targeting multiple locations was observed in late 2023 and early 2024. Initially focused on the Far East, it later shifted to Sweden. The attacks used DLL sideloading techniques, employing the Minhook library to detour Windows API calls. The clean loader was obtained from infected systems rather than being part of the sideloading package. Components were signed with a compromised digital signature. The final payload was Cobalt Strike. Three sideloading scenarios were identified: MiracastView, PrintDialog, and SystemSettings. The Swedish connection revealed an installer with components from previous scenarios and the use of an expired digital signature from a Korean game developer.
Created at: 2025-05-01T14:50:09.028000
Updated at: 2025-12-10T16:02:02.751000
Infrastructure of Interest: Medium Confidence Detection
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:39:42.586000
Updated at: 2025-12-10T14:54:30.051000
Infrastructure of Interest: Medium Confidence FastFlux
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous DNS patterns, behavioral analysis of rapid IP rotation, and cross-referenced intelligence from global sinkhole data and network telemetry. The IOCs included in this pulse are associated with Fastflux networks, characterized by constantly changing IP addresses and DNS records to evade detection while maintaining resilient malicious infrastructure for phishing, malware delivery, or C2 operations. Use this data to enhance DNS-based detection rules, identify flux parent domains, and disrupt threat actor network resilience. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:34:03.778000
Updated at: 2025-12-10T14:54:10.229000
PeerBlight Linux Backdoor Exploits React2Shell CVE-2025-55182
Description: A critical vulnerability in React Server Components (CVE-2025-55182) is being exploited across various organizations. Attackers are deploying cryptominer malware, a Linux backdoor called PeerBlight, a reverse proxy tunnel named CowTunnel, and a Go-based post-exploitation implant dubbed ZinFoq. PeerBlight uses the BitTorrent DHT network as a fallback C2 mechanism. CowTunnel initiates outbound connections to attacker-controlled FRP servers. ZinFoq implements interactive shells, SOCKS5 proxying, and timestomping capabilities. A Kaiji botnet variant is also being distributed. The exploitation attempts target multiple industries and use automated tools. Immediate patching is recommended due to the ease of exploitation.
Created at: 2025-12-10T14:34:45.882000
Updated at: 2025-12-10T14:41:22.889000
AI-Poisoning & AMOS Stealer: How Trust Became the Biggest Mac Threat
Description: A sophisticated malware campaign exploits user trust in AI platforms to deliver the AMOS stealer. Attackers use SEO poisoning to surface malicious ChatGPT and Grok conversations offering 'helpful' macOS disk cleanup advice. These conversations contain Terminal commands that, when executed, deploy AMOS, a multi-stage malware that harvests credentials, escalates privileges, and establishes persistence. The attack bypasses traditional security measures by leveraging legitimate platforms and user behavior, making it particularly insidious. AMOS targets cryptocurrency wallets, browser data, and system information, exfiltrating sensitive data to attacker-controlled servers. This campaign represents a significant evolution in social engineering techniques, exploiting the growing reliance on AI assistants for technical guidance.
Created at: 2025-12-10T12:06:40.154000
Updated at: 2025-12-10T14:27:47.708000
Multi-Platform Ransomware Written in Rust
Description: A new ransomware family named 01flip, written in Rust, has been observed targeting victims in the Asia-Pacific region. The malware is built for multiple platforms and architectures and has been used in attacks on critical infrastructure. Initial access was gained through exploitation of vulnerabilities in internet-facing applications. The ransomware encrypts files using AES-128-CBC and RSA-2048, appending the .01flip extension. It employs evasion techniques such as calling low-level APIs and encoding strings. A possible connection to the LockBit group was noted. The campaign appears to be in its early stages, with limited victims so far. Data stolen in the attacks has been offered for sale on dark web forums.
Created at: 2025-12-10T13:06:40.979000
Updated at: 2025-12-10T14:25:46.976000
State-Sponsored Remote Wipe Tactics Targeting Android Devices
Description: A new Android remote data-wipe attack exploiting Google's Find Hub feature has been identified as part of the KONNI APT campaign. The attackers impersonated psychological counselors and human rights activists, distributing malware disguised as stress-relief programs via KakaoTalk messenger. They compromised Google accounts to track victims' locations and remotely wipe Android devices. The attack involved spear-phishing, prolonged reconnaissance, and abuse of legitimate management functions. Multiple RAT variants were deployed, including RemcosRAT, QuasarRAT, and RftRAT. The campaign utilized WordPress-based hosting and geographically distributed C2 servers to evade detection. This sophisticated attack demonstrates the evolving tactics of state-sponsored threat actors.
Created at: 2025-11-10T11:14:25.793000
Updated at: 2025-12-10T11:02:02.522000
RondoDox v2: Evolution of RondoDox Botnet with 650% More Exploits
Description: The RondoDox botnet has undergone a significant evolution, expanding its capabilities and target range. This new variant, RondoDox v2, demonstrates a 650% increase in exploitation vectors, moving beyond niche DVR targeting to include enterprise applications. Key features include over 75 exploitation vectors, new command and control infrastructure utilizing compromised residential IPs, enhanced obfuscation and persistence mechanisms, and an expanded ecosystem of targets. The botnet now employs a multi-architecture approach, supporting 16 different binary variants to maximize its reach across diverse device types.
Created at: 2025-11-10T11:06:38.967000
Updated at: 2025-12-10T11:02:02.522000
UDPGangster Campaigns Target Multiple Countries
Description: UDPGangster, a UDP-based backdoor associated with the MuddyWater threat group, has been observed targeting users in Turkey, Israel, and Azerbaijan. The malware is delivered through malicious Microsoft Word documents with embedded VBA macros, employing sophisticated anti-analysis techniques to evade detection. The campaigns use phishing emails impersonating government entities and include decoy images to distract victims. UDPGangster installs persistence, collects system information, and communicates with its command and control server using UDP. The malware supports various commands for remote execution, file extraction, and payload deployment. Analysis reveals connections to previous MuddyWater operations and shared infrastructure with other known malware.
Created at: 2025-12-10T09:44:10.318000
Updated at: 2025-12-10T10:05:15.170000