LATEST THREAT INTELLIGENCE.

Yet Another Leak of China's Contractor-Driven Cyber-Espionage Ecosystem

Description: The Knownsec leak exposes a state-aligned Chinese cyber contractor deeply integrated with national security and intelligence operations. Internal documents reveal Knownsec's role in developing offensive cyber capabilities, large-scale reconnaissance systems, and data fusion platforms for public security bureaus and military clients. Key products include ZoomEye for global IP scanning, GhostX for exploitation, and Passive Radar for covert network mapping. The leak provides unprecedented insight into Knownsec's organizational structure, personnel, and strategic targeting of foreign critical infrastructure, particularly in Taiwan and other Asian countries. It demonstrates how commercial entities like Knownsec function as core components of China's cyber-espionage ecosystem, blending state objectives with industrial-scale development of intrusion and surveillance technologies.

Created at: 2026-01-10T13:29:36.119000

Updated at: 2026-02-09T13:05:03.614000

Knife Cutting the Edge: Disclosing a China-nexus gateway-monitoring AitM framework

Description: Cisco Talos uncovered 'DKnife', a sophisticated gateway-monitoring and adversary-in-the-middle (AitM) framework comprising seven Linux-based implants. Used since 2019, DKnife performs deep-packet inspection, traffic manipulation, and malware delivery via routers and edge devices. It targets various devices, including PCs, mobile devices, and IoT, delivering ShadowPad and DarkNimbus backdoors. The framework primarily targets Chinese-speaking users, with evidence suggesting China-nexus threat actors as operators. DKnife's capabilities include DNS hijacking, Android application update hijacking, Windows binary hijacking, anti-virus traffic disruption, and user activity monitoring. A link to the WizardNet campaign was also discovered, indicating a shared development or operational lineage.

Created at: 2026-02-05T20:16:27.292000

Updated at: 2026-02-09T12:15:04.704000

Danger Bulletin: Cyberattacks Against Ukraine and EU Countries Using CVE-2026-21509 Exploit

Description: UAC-0001 (APT28) has launched cyberattacks against Ukraine and EU countries exploiting the CVE-2026-21509 vulnerability in Microsoft Office products. The threat actor created malicious DOC files targeting government bodies and EU organizations. The attack chain involves WebDAV connections, COM hijacking, and the use of the COVENANT framework, which utilizes Filen cloud storage for command and control. The campaign began shortly after the vulnerability's disclosure, with multiple documents discovered containing similar exploits. The attackers employ sophisticated techniques to evade detection and maintain persistence, including disguising malicious files as legitimate Windows components and creating scheduled tasks.

Created at: 2026-02-04T14:15:57.152000

Updated at: 2026-02-09T12:07:44.149000

A security alert regarding APT-C-28 (ScarCruft) using MiradorShell to launch a cyberattack.

Description: A recent investigation reveals that the APT-C-28 (ScarCruft) group has expanded its targets to include the cryptocurrency industry. The group employs sophisticated phishing tactics, using LNK files disguised as PDFs to lure victims with investment proposals ranging from $1-3 million. Upon execution, a multi-stage payload deployment occurs, ultimately installing MiradorShell v2.0 to gain system control. The attack chain involves file downloads, decryption, and the creation of scheduled tasks for persistence. MiradorShell, an AutoIt-based backdoor, connects to a command and control server, offering reverse shell capabilities, file management, remote program execution, and victim fingerprinting. The malware employs various evasion techniques, including inline library files and direct API calls.

Created at: 2026-02-09T10:18:26.280000

Updated at: 2026-02-09T10:36:13.709000

Tenant from Hell: Prometei's Unauthorized Stay in Your Windows Server

Description: eSentire's Threat Response Unit detected Prometei botnet activity on a customer's Windows Server in the Construction industry. Prometei, a Russian-origin botnet active since 2016, features remote control, credential harvesting, crypto-mining, lateral movement, and C2 communication over clearweb and TOR. The malware uses complex encryption, including rolling XOR and RC4, for payload decryption and C2 communications. It establishes persistence as a Windows service, creates firewall exceptions, and downloads additional modules for specialized functions like credential theft and TOR routing. The attack likely began with compromised RDP credentials, followed by the execution of a malicious command to download and run the Prometei payload.

Created at: 2026-02-09T10:17:26.978000

Updated at: 2026-02-09T10:28:17.519000

Active Exploitation of SolarWinds Web Help Desk (CVE-2025-26399)

Description: Threat actors are actively exploiting a vulnerability in SolarWinds Web Help Desk, targeting organizations using versions prior to 12.8.7 HF1. The attack chain involves deploying Zoho ManageEngine RMM agents, Velociraptor for command and control, and Cloudflare tunnels for persistence. Attackers use encoded PowerShell commands, disable Windows Defender and Firewall, and implement a C2 failover mechanism. They also utilize Elastic Cloud for data exfiltration and QEMU for SSH backdoor persistence. The earliest known instance of this persistence mechanism was observed on January 16, 2026. Organizations are advised to update their SolarWinds Web Help Desk, restrict administrative interface access, reset credentials, and review hosts for unauthorized tools and suspicious activities.

Created at: 2026-02-09T06:01:02.461000

Updated at: 2026-02-09T09:39:04.120000

Infrastructure of Interest: Medium Confidence Detection

Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.

Created at: 2025-08-07T07:39:42.586000

Updated at: 2026-02-09T09:35:12.883000

Infrastructure of Interest: Medium Confidence Command And Control

Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with command and control (C2) infrastructure, facilitating malware communication, data exfiltration, and persistent threat actor operations. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.

Created at: 2025-08-07T07:29:37.542000

Updated at: 2026-02-09T09:33:34.210000

CNCERT: Risk Warning Regarding the "Black Cat" Gang's Use of Search Engines to Spread Counterfeit Notepad++ Downloads Carrying Remote-Control Backdoors

Description: CNCERT and Microstep Online jointly detected a cyberattack campaign launched by the "Black Cat" criminal gang. This gang uses search engine SEO (Search Engine Optimization) techniques to push meticulously crafted phishing websites to the top of search engine keyword results. Users who visit these high-ranking phishing pages are lured by carefully designed download pages into downloading software installation packages bundled with malicious programs. Once installed, the program implants a backdoor Trojan without the user's knowledge, allowing attackers to steal sensitive data from the host computer.

Created at: 2026-01-09T10:24:39.419000

Updated at: 2026-02-08T10:02:23.915000

Threat Research: PHALT#BLYX: Fake BSODs and Trusted Build Tools

Description: The PHALT#BLYX campaign targets the hospitality sector using sophisticated social engineering and advanced techniques. It begins with a phishing email mimicking a Booking.com reservation cancellation, leading victims to a fake website. Users are tricked into executing malicious PowerShell commands through a fake BSOD and a ClickFix social engineering tactic. The malware leverages MSBuild.exe to bypass defenses and deploys a customized DCRat payload. It establishes persistence, disables Windows Defender, and uses process hollowing to inject into legitimate processes. The campaign shows evolution from earlier, simpler methods and demonstrates a deep understanding of modern endpoint protection. Attribution points to Russian-speaking threat actors, given the presence of Cyrillic debug strings and the use of DCRat, a popular tool in Russian underground forums.

Created at: 2026-01-09T09:47:05.226000

Updated at: 2026-02-08T09:02:20.038000