LATEST THREAT INTELLIGENCE.
Infrastructure of Interest: Medium Confidence Detection
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:39:42.586000
Updated at: 2026-01-21T18:26:10.350000
Infrastructure of Interest: Medium Confidence FastFlux
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous DNS patterns, behavioral analysis of rapid IP rotation, and cross-referenced intelligence from global sinkhole data and network telemetry. The IOCs included in this pulse are associated with Fastflux networks, characterized by constantly changing IP addresses and DNS records to evade detection while maintaining resilient malicious infrastructure for phishing, malware delivery, or C2 operations. Use this data to enhance DNS-based detection rules, identify flux parent domains, and disrupt threat actor network resilience. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:34:03.778000
Updated at: 2026-01-21T18:25:09.376000
Indian Income Tax-Themed Phishing Campaign Targets Local Businesses
Description: A sophisticated phishing campaign impersonating the Indian Income Tax Department has been targeting local businesses. The attack begins with a spear-phishing email containing a PDF attachment that directs victims to a fake compliance portal. This triggers the download of a malicious ZIP file, which initiates a multi-stage infection chain. The payload, delivered through NSIS installers, deploys a Remote Access Trojan (RAT) with persistence capabilities. The malware harvests system information and establishes communication with command and control servers. Technical indicators suggest a China-linked development environment. This campaign demonstrates how seemingly simple tax-themed phishing can lead to complete device compromise, emphasizing the need for heightened security awareness.
Created at: 2025-12-22T17:06:59.268000
Updated at: 2026-01-21T17:03:45.685000
UNG0801: Tracking Threat Clusters obsessed with AV Icon Spoofing targeting Israel
Description: An analysis of threat clusters, dubbed UNG0801 or Operation IconCat, targeting Israeli organizations. The actors use socially engineered phishing lures in Hebrew, exploiting antivirus icon spoofing from well-known vendors like SentinelOne and Check Point. Two distinct infection chains were identified, both utilizing AV-themed decoys dropped by malicious Word and PDF documents. The first campaign deploys a PyInstaller-based implant called PYTRIC, capable of system-wide wipes and backup deletion. The second campaign uses a Rust-based implant named RUSTRIC, focusing on antivirus enumeration and system information gathering. Both campaigns share similar tactics but differ in their ultimate objectives, with the first aimed at destruction and the second at espionage.
Created at: 2025-12-22T17:06:57.658000
Updated at: 2026-01-21T17:03:45.685000
The BlueNoroff cryptocurrency hunt is still on
Description: BlueNoroff is the name of an APT group coined by Kaspersky researchers while investigating the notorious attack on Bangladesh’s Central Bank back in 2016. A mysterious group with links to Lazarus and an unusual financial motivation for an APT. The group seems to work more like a unit within a larger formation of Lazarus attackers, with the ability to tap into its vast resources: be it malware implants, exploits, or infrastructure.
Created at: 2022-01-13T14:37:40.903000
Updated at: 2026-01-20T23:48:27.154000
Critical Privilege Escalation Vulnerability in Modular DS plugin affecting 40k+ Sites exploited in the wild
Description: A critical unauthenticated privilege escalation vulnerability has been discovered in the Modular DS WordPress plugin, affecting over 40,000 sites. The flaw allows attackers to bypass authentication and gain admin access. Exploitation attempts have been observed in the wild, with attackers creating unauthorized admin accounts. The vulnerability stems from flawed route handling and authentication mechanisms. Patchstack has issued mitigation rules and assigned CVE-2026-23550. The plugin developer has released version 2.6.0 to address the issue. Users are urged to update immediately. Additional exploit paths were later discovered, leading to the assignment of CVE-2026-23800. The vulnerability highlights the dangers of implicit trust in internal request paths when exposed to the public internet.
Created at: 2026-01-20T17:02:57.860000
Updated at: 2026-01-20T18:23:05.008000
Inside a Multi-Stage Windows Malware Campaign
Description: A sophisticated multi-stage malware campaign targeting Windows users in Russia has been identified. The attack chain begins with social engineering lures and progresses to a full system compromise, including security bypass, surveillance, and ransomware delivery. It abuses Defendnot to disable Microsoft Defender and uses modular hosting across cloud services. The attack employs various techniques such as PowerShell scripts, obfuscated VBScript, and COM object manipulation. It deploys Amnesia RAT for data theft and surveillance, Hakuna Matata ransomware for file encryption, and a WinLocker component for system lockout. The campaign demonstrates how full system compromise can be achieved without exploiting software vulnerabilities, instead relying on social engineering and abuse of legitimate Windows features.
Created at: 2026-01-20T17:50:42.390000
Updated at: 2026-01-20T18:17:19.720000
Infrastructure of Interest: Medium Confidence InfoStealer
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with infostealer malware, designed to harvest sensitive data such as credentials, cookies, and financial information from compromised systems. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations involving data theft. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:31:55.617000
Updated at: 2026-01-20T17:24:14.538000
Infrastructure of Interest: Medium Confidence Command And Control
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with command and control (C2) infrastructure, facilitating malware communication, data exfiltration, and persistent threat actor operations. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:29:37.542000
Updated at: 2026-01-20T17:24:11.370000
Infrastructure of Interest: Medium Confidence Phishing
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with phishing campaigns, targeting credential theft and fraudulent resource access. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:20:01.253000
Updated at: 2026-01-20T17:24:10.563000
