LATEST THREAT INTELLIGENCE.

CastleLoader Malware Analysis: Full Execution Breakdown

Description: CastleLoader is a sophisticated malware loader designed to deliver and install malicious components, primarily targeting government entities and critical infrastructure. It employs a multi-stage execution chain involving Inno Setup, AutoIt, and process hollowing to evade detection. The loader delivers information stealers and RATs, enabling credential theft and persistent access. The analysis reveals its stealthy nature, relying on memory-only payloads and API resolution via hashing. The malware's configuration, including C2 infrastructure, was extracted through reverse engineering, providing high-confidence indicators of compromise for detection and analysis.

Created at: 2026-01-15T15:37:01.484000

Updated at: 2026-02-14T15:03:38.981000

Hunting Lazarus: Inside the Contagious Interview C2 Infrastructure

Description: North Korean malware was discovered in an Upwork cryptocurrency project, leading to a five-day investigation into active Lazarus Group infrastructure. The malware utilized three infection mechanisms: VSCode auto-execution, backend RCE via the JavaScript Function constructor, and cookie payload delivery. The infrastructure included Vercel-hosted Stage 1 C2 servers and dedicated Stage 2 C2 servers. A timing oracle allowed for token enumeration, revealing three active campaigns. The payload chain consisted of various modules for data extraction, RAT functionality, and cryptocurrency mining. The investigation uncovered sophisticated persistence mechanisms, masquerading techniques, and a custom binary protocol. Real-time defensive responses from the operators were observed during reconnaissance. The infrastructure blended legitimate-looking development projects with malicious activities for cover.

Created at: 2026-01-15T15:25:29.312000

Updated at: 2026-02-14T15:03:38.981000

Command & Evade: Turla's Kazuar v3 Loader

Description: Turla's Kazuar v3 loader employs sophisticated techniques to evade detection. It uses a VBScript to drop files and execute a native loader, which bypasses security measures and leverages COM for stealth. The loader utilizes control flow redirection, patchless ETW and AMSI bypasses, and COM integration to decrypt and execute three Kazuar v3 payloads (KERNEL, WORKER, BRIDGE) in memory. The attack chain is designed to be resilient and stealthy, exploiting trusted system processes to avoid detection. The malware uses modular architecture and COM subsystem integration to maintain a low profile while carrying out its malicious activities.

Created at: 2026-01-15T15:21:06.309000

Updated at: 2026-02-14T15:03:38.981000

Targeted espionage leveraging geopolitical themes

Description: A targeted malware campaign against U.S. government entities has been observed, utilizing a politically themed ZIP archive containing a loader executable and a malicious DLL. The DLL functions as a backdoor named LOTUSLITE, communicating with a hard-coded command-and-control server. The campaign demonstrates minimal technical sophistication but shows deliberate victim selection and use of geopolitical lures. Attribution analysis suggests moderate-confidence overlap with Mustang Panda tradecraft, including delivery style, loader-DLL separation, and infrastructure usage. The backdoor supports basic remote tasking and data exfiltration, indicating an espionage-focused capability. This activity reflects a trend of targeted spear phishing using geopolitical themes and reliable execution techniques like DLL sideloading.

Created at: 2026-01-15T12:03:35.838000

Updated at: 2026-02-14T12:08:47.421000

Inside China's Hosting Ecosystem: 18,000+ Malware C2 Servers Mapped Across Major ISPs

Description: An analysis of Chinese hosting environments reveals over 18,000 active command-and-control (C2) servers distributed across 48 infrastructure providers. C2 infrastructure dominates malicious activity at 84%, followed by phishing at 13%. China Unicom hosts nearly half of all observed C2 servers, with Alibaba Cloud and Tencent following. A small set of malware families, including Mozi, ARL, and Cobalt Strike, accounts for most C2 activity. The infrastructure supports both cybercrime and state-linked operations, with RATs, cryptominers, and APT tooling coexisting. High-trust networks like China169 Backbone and CERNET are actively exploited. This host-centric approach exposes long-running abuse patterns and infrastructure reuse across campaigns, enabling more resilient threat detection and mitigation strategies.

Created at: 2026-01-15T12:03:35.411000

Updated at: 2026-02-14T12:08:47.421000

Attackers Weaponize RMM Tools via Zoom, Meet, & Teams Lures

Description: Netskope Threat Labs has identified multiple phishing campaigns exploiting video conference invitations from Zoom, Microsoft Teams, and Google Meet. The attackers use fake meeting invites to trick users into downloading malicious payloads disguised as software updates. These payloads are actually legitimate, digitally signed remote monitoring and management (RMM) tools like Datto RMM, LogMeIn, or ScreenConnect. By leveraging these tools, attackers gain administrative remote access to victims' machines, potentially leading to data theft or further malware deployment. The campaigns use convincing phishing pages that mimic legitimate video conferencing platforms, exploiting users' urgency to join scheduled calls. This sophisticated approach allows attackers to bypass traditional security measures and establish a persistent foothold in corporate networks.

Created at: 2026-02-13T09:23:27.285000

Updated at: 2026-02-13T12:35:29.423000

Multiple Threat Actors Rapidly Exploit React2Shell: A Case Study of Active Compromise

Description: A critical vulnerability in React Server Components, dubbed React2Shell, was disclosed on December 3, 2025. Within days, multiple threat actors exploited this flaw, leading to simultaneous compromises of affected systems. The case study reveals a rapid progression from initial coin miner installations to the deployment of various malware types, including RATs and backdoors. The timeline shows attacks beginning on December 5, with website defacement occurring by December 7. Notably, the incident involved the use of SNOWLIGHT, HISONIC backdoor, CrossC2 RAT, and the abuse of Global Socket tool. The study emphasizes the speed at which attackers exploit new vulnerabilities and the importance of swift patching and thorough post-compromise investigations.

Created at: 2026-02-13T09:23:25.466000

Updated at: 2026-02-13T12:27:17.741000

LockBit strikes with new 5.0 version, targeting Windows, Linux and ESXi systems

Description: LockBit 5.0, the latest version of the notorious ransomware, has been released with support for Windows, Linux, and ESXi systems. This update brings improved defense evasion, faster encryption, and enhanced modularity. The Windows variant employs extensive anti-analysis techniques, while Linux and ESXi versions remain unpacked. All variants share a common encryption scheme using XChaCha20 and Curve25519. LockBit 5.0 demonstrates a focus on enterprise and infrastructure targets, including explicit support for Proxmox virtualization. The group's data leak site reveals a primary focus on the U.S. business sector, with victims spanning various industries. LockBit's infrastructure has shown connections to SmokeLoader, suggesting possible cooperation or infrastructure reuse among malware operators.

Created at: 2026-02-12T15:08:39.458000

Updated at: 2026-02-12T21:50:43.087000

ScreenConnect Attack: SmartScreen Bypass and RMM Abuse

Description: An attack campaign targeting organizations in the US, Canada, UK, and Northern Ireland exploits ConnectWise ScreenConnect vulnerabilities. The attack chain begins with a spoofed email containing a malicious .cmd attachment, which executes silently, escalates privileges, disables Windows SmartScreen, and removes the Mark-of-the-Web. It then installs a legitimate Remote Monitoring and Management tool, ScreenConnect, which is abused as a Remote Access Trojan for persistent command-and-control access. The campaign focuses on sectors with high-value data, including government, healthcare, and logistics. The attackers use various techniques to evade detection, including UAC bypass, registry modification, and silent MSI installation. The ScreenConnect client used has a revoked certificate, highlighting the importance of blocking vulnerable software versions and enforcing strict RMM allowlists.

Created at: 2026-02-12T10:39:02.464000

Updated at: 2026-02-12T21:50:13.127000

Employee Monitoring and SimpleHelp Software Abused in Ransomware Operations

Description: Threat actors have been observed exploiting Net Monitor for Employees Professional and SimpleHelp software in ransomware operations. These legitimate tools were used for remote access, command execution, and persistence. The attackers disguised Net Monitor as Microsoft OneDrive and configured SimpleHelp with cryptocurrency-related keyword triggers. In one case, the attack led to an attempted deployment of Crazy ransomware. The intrusions involved initial access through compromised VPN accounts, followed by the installation of these tools for remote control and monitoring. The shared infrastructure and tactics suggest a single threat actor or group behind these activities, with objectives including cryptocurrency theft and ransomware deployment.

Created at: 2026-02-12T10:39:00.609000

Updated at: 2026-02-12T21:48:11.976000