LATEST THREAT INTELLIGENCE.
The Shadow Campaigns: Uncovering Global Espionage
Description: This investigation reveals a new cyberespionage group tracked as TGR-STA-1030, believed to be a state-aligned actor operating from Asia. Over the past year, the group has compromised government and critical infrastructure organizations in 37 countries, targeting ministries, law enforcement agencies, and departments related to economic, trade, and diplomatic functions. The group employs sophisticated phishing and exploitation techniques, leveraging various tools and infrastructure to maintain persistent access. Their activities span across the Americas, Europe, Asia, Oceania, and Africa, with a focus on countries exploring certain economic partnerships. The group's operations often coincide with significant geopolitical events and economic interests, particularly in sectors like rare earth minerals and international trade agreements.
Created at: 2026-02-05T20:20:38.891000
Updated at: 2026-03-07T20:01:38.552000
Knife Cutting the Edge: Disclosing a China-nexus gateway-monitoring AitM framework
Description: Cisco Talos uncovered 'DKnife', a sophisticated gateway-monitoring and adversary-in-the-middle (AitM) framework comprising seven Linux-based implants. Used since 2019, DKnife performs deep-packet inspection, traffic manipulation, and malware delivery via routers and edge devices. It targets various devices, including PCs, mobile devices, and IoT, delivering ShadowPad and DarkNimbus backdoors. The framework primarily targets Chinese-speaking users, with evidence suggesting China-nexus threat actors as operators. DKnife's capabilities include DNS hijacking, Android application update hijacking, Windows binary hijacking, anti-virus traffic disruption, and user activity monitoring. A link to the WizardNet campaign was also discovered, indicating a shared development or operational lineage.
Created at: 2026-02-05T20:16:27.292000
Updated at: 2026-03-07T20:01:38.552000
New Clickfix variant 'CrashFix' deploying Python Remote Access Trojan
Description: A new evolution in the ClickFix campaign, dubbed CrashFix, has been identified. This variant deliberately crashes victims' browsers and uses social engineering to lure users into executing malicious commands. The attack begins with a malicious ad redirecting users to install a harmful browser extension impersonating a legitimate ad blocker. The payload causes delayed browser issues and presents a fake security warning. It misuses the Windows utility finger.exe to execute malicious commands and downloads additional payloads, including a Python-based Remote Access Trojan (RAT). The RAT, named ModeloRAT, establishes persistence and performs extensive reconnaissance. The campaign targets domain-joined systems and employs multiple obfuscation techniques to evade detection.
Created at: 2026-02-05T20:01:03.061000
Updated at: 2026-03-07T20:01:38.552000
Amaranth-Dragon: Weaponizing CVE-2025-8088 for Targeted Espionage in Southeast Asia
Description: A Chinese threat actor, Amaranth-Dragon, has been conducting highly targeted cyber-espionage campaigns against government and law enforcement agencies in Southeast Asia throughout 2025. The group swiftly exploited the CVE-2025-8088 vulnerability in WinRAR to deliver malicious payloads, including a custom loader and the Havoc C2 Framework. Their operations demonstrate sophisticated tactics, including geo-restricted command and control servers, use of legitimate hosting services, and a new Telegram-based remote access trojan. The campaigns coincide with significant local geopolitical events, increasing the likelihood of successful compromises. Technical analysis reveals similarities with APT-41, suggesting a possible connection or shared resources between the groups.
Created at: 2026-02-04T15:57:23.661000
Updated at: 2026-03-06T15:01:37.981000
AI-assisted cloud intrusion achieves admin access in 8 minutes
Description: An AWS environment was targeted in a sophisticated attack, with the threat actor gaining administrative privileges in under 10 minutes. The operation showed signs of leveraging large language models for automation and decision-making. Initial access was obtained through credentials found in public S3 buckets, followed by rapid privilege escalation via Lambda function code injection. The attacker moved laterally across 19 AWS principals, abused Amazon Bedrock for LLMjacking, and launched GPU instances for potential model training. The attack involved extensive reconnaissance, data exfiltration, and attempts to establish persistence. Notable techniques included IP rotation, role chaining, and the use of AI-generated code.
Created at: 2026-02-04T15:57:22.741000
Updated at: 2026-03-06T15:01:37.981000
New year, new sector: Targeting India's startup ecosystem
Description: Transparent Tribe, also known as APT36, has expanded its targeting to include India's startup ecosystem, particularly those in the cybersecurity domain. The group is using startup-oriented themed lure material delivered via ISO container-based files to deploy Crimson RAT. This campaign deviates from their typical government and defense targets, suggesting a shift in strategy towards companies providing open-source intelligence services and collaborating with law enforcement agencies. The attack chain involves spear-phishing emails, malicious LNK files, and batch scripts to execute the Crimson RAT payload. The malware employs extensive obfuscation techniques and uses a custom TCP protocol for command and control communications. This activity demonstrates the group's adaptation of proven tooling for new victim profiles while maintaining its core behavioral tactics, techniques, and procedures.
Created at: 2026-02-04T15:57:21.862000
Updated at: 2026-03-06T15:01:37.981000
Compromised Routers, DNS, and a TDS Hidden in Aeza Networks
Description: A shadow DNS network and HTTP-based traffic distribution system (TDS) hosted in Aeza International, a sanctioned bulletproof hosting company, has been discovered. The system compromises routers, altering their DNS settings to use shadow resolvers. These resolvers selectively modify responses, directing users to malicious content. The TDS incorporates a clever DNS trick to evade detection by security groups. The system, operational since mid-2022, appears to be run by a financially motivated actor in affiliate marketing. It has the potential to interfere with devices on the network, alter DNS records, and conduct adversary-in-the-middle operations. The threat actor's ability to control DNS resolution poses significant risks beyond delivering unwanted advertising.
Created at: 2026-02-04T15:26:43.015000
Updated at: 2026-03-06T15:01:37.981000
Anatomy of a Russian Crypto Drainer Operation
Description: A major cybercriminal operation called Rublevka Team has generated over $10 million through cryptocurrency theft since 2023. The group employs a network of social engineering specialists who direct victims to malicious pages impersonating legitimate crypto services. Using custom JavaScript scripts, they trick users into connecting wallets and authorizing fraudulent transactions. Rublevka Team's infrastructure is fully automated, offering affiliates access to tools for launching high-volume scams. Their model poses a growing threat to cryptocurrency platforms and brands, with potential for reputational and legal risks. The group's agility in rotating domains and targeting lower-cost chains like Solana undermines traditional fraud detection efforts.
Created at: 2026-02-04T15:24:26.608000
Updated at: 2026-03-06T15:01:37.981000
Danger Bulletin: Cyberattacks Against Ukraine and EU Countries Using CVE-2026-21509 Exploit
Description: UAC-0001 (APT28) has launched cyberattacks against Ukraine and EU countries exploiting the CVE-2026-21509 vulnerability in Microsoft Office products. The threat actor created malicious DOC files targeting government bodies and EU organizations. The attack chain involves WebDAV connections, COM hijacking, and the use of the COVENANT framework, which utilizes Filen cloud storage for command and control. The campaign began shortly after the vulnerability's disclosure, with multiple documents discovered containing similar exploits. The attackers employ sophisticated techniques to evade detection and maintain persistence, including disguising malicious files as legitimate Windows components and creating scheduled tasks.
Created at: 2026-02-04T14:15:57.152000
Updated at: 2026-03-06T14:04:21.746000
341 Malicious Clawed Skills Found by the Bot They Were Targeting
Description: A massive malware campaign dubbed ClawHavoc has been uncovered in the ClawHub marketplace, targeting OpenClaw bots and their users. An AI bot named Alex, working with security researcher Oren Yomtov, discovered 341 malicious skills, including 335 from a single campaign. The malware, identified as Atomic Stealer (AMOS), uses sophisticated techniques to evade detection and steal sensitive data. The attack exploits users' trust in AI assistants, potentially compromising personal and financial information. In response, a new tool called Clawdex has been developed to help bots and users scan for malicious skills before installation.
Created at: 2026-02-04T12:44:15.808000
Updated at: 2026-03-06T12:03:42.273000
