LATEST THREAT INTELLIGENCE

Infrastructure of Interest: Medium Confidence Detection

Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.

Created at: 2025-08-07T07:39:42.586000

Updated at: 2025-11-24T15:20:33.561000

Infrastructure of Interest: Medium Confidence Command And Control

Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with command and control (C2) infrastructure, facilitating malware communication, data exfiltration, and persistent threat actor operations. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.

Created at: 2025-08-07T07:29:37.542000

Updated at: 2025-11-24T15:20:00.069000

Kimsuky's Ongoing Evolution of KimJongRAT and Expanding Threats

Description: This analysis examines the latest attack flow of the KimJongRAT variant, attributed to the North Korean threat actor Kimsuky. The malware has evolved to include both PE-based and PowerShell-based attack chains, which have been merged into a single workflow. The attackers use phishing emails for initial access, leveraging GitHub and Google Drive for malware distribution. The malware exfiltrates sensitive data including browser credentials, system information, and keystrokes. Additional activities by the same actor include credential theft through phishing sites and spear-phishing campaigns targeting South Korean users. The analysis provides evidence supporting the attribution to Kimsuky and highlights the ongoing development of variants and infrastructure, indicating successful attacks.

Created at: 2025-11-24T11:59:25.569000

Updated at: 2025-11-24T12:21:58.769000

Brazilian Campaign: Spreading Malware via WhatsApp

Description: A massive phishing campaign targeting Brazil is spreading malware through WhatsApp Web using an open-source automation script and loading a banking trojan into memory. The attack begins with a phishing email containing a malicious VBS script that downloads and executes an MSI file and another VBS file. The second VBS installs Python and Selenium, which are used to inject malicious JavaScript into WhatsApp Web. This allows the malware to send itself to the victim's contacts. The MSI file drops an AutoIt script that monitors for Brazilian banking and cryptocurrency-related windows, then loads an encrypted payload into memory to avoid detection. The payload targets specific Brazilian financial institutions and cryptocurrency wallets.

Created at: 2025-11-24T12:02:31.899000

Updated at: 2025-11-24T12:15:53.772000

APT35 Internal Leak of Hacking Campaigns Against Lebanon, Kuwait, Turkey, Saudi Arabia, Korea, and Domestic Iranian Targets

Description: An internal leak from APT35 (Charming Kitten) reveals a sophisticated, state-directed cyber-intelligence operation targeting diplomatic, government, and corporate networks in the Middle East and Asia. The documents expose a bureaucratic structure with defined workflows, performance metrics, and specialized teams for exploit development, credential theft, and phishing campaigns. The group's focus on Exchange servers, use of ProxyShell exploits, and persistent mailbox monitoring demonstrate a strategic emphasis on long-term intelligence collection. The leak provides unprecedented insight into Iran's cyber capabilities, showing a mature apparatus that blends technical prowess with military-style oversight.

Created at: 2025-11-22T13:38:18.945000

Updated at: 2025-11-24T09:23:28.404000

Jewelbug: Chinese APT Group Widens Reach to Russia

Description: A Chinese APT group named Jewelbug has expanded its operations to target organizations in South America, South Asia, Taiwan, and Russia. The group's recent intrusion into a Russian IT service provider lasted for five months in 2025, potentially aiming for a supply chain attack. Jewelbug has deployed new backdoors, including one leveraging Microsoft Graph API and OneDrive for command and control. The group's tactics include using legitimate tools, DLL sideloading, and the bring-your-own-vulnerable-driver technique. Notably, Jewelbug's targeting of Russian organizations marks a shift in Chinese cyber operations, since China has previously been considered an ally of Russia.

Created at: 2025-10-24T09:16:32.289000

Updated at: 2025-11-23T09:02:17.484000

Unpacking NetSupport RAT Loaders Delivered via ClickFix

Description: eSentire's Threat Response Unit observed multiple threat groups utilizing NetSupport Manager for malicious purposes throughout 2025. These groups have shifted from Fake Updates to ClickFix as their primary delivery method. The attack methodology involves social engineering victims to execute malicious commands in the Windows Run Prompt, leading to NetSupport extraction and execution. Three distinct threat groups were identified, each using different loaders and infrastructure. The groups are designated by their licensee names: EVALUSION, FSHGDREE32/SGI, and XMLCTL. The analysis includes details on the PowerShell/JSON-based loader, MSI-based loader, and NetSupport PCAP analysis. An unpacking utility and YARA rule are provided to aid researchers in detecting and analyzing NetSupport variants.

Created at: 2025-10-24T04:30:26.227000

Updated at: 2025-11-23T04:04:55.572000

Gotta fly: Lazarus targets the UAV sector

Description: ESET researchers have uncovered a new instance of Operation DreamJob, a campaign attributed to the North Korea-aligned Lazarus group, targeting European defense companies involved in UAV technology. The attacks align with North Korea's efforts to enhance its drone program, likely aiming to steal proprietary information and manufacturing know-how. The campaign uses social engineering tactics, trojanized open-source projects, and deploys the ScoringMathTea RAT. The attackers' toolset includes various droppers, loaders, and downloaders, with a focus on UAV-related targets. This activity highlights the ongoing threat posed by Lazarus and North Korea's interest in advancing its drone capabilities through cyberespionage.

Created at: 2025-10-23T13:51:03.909000

Updated at: 2025-11-22T13:02:55.206000

Dissecting YouTube's Malware Distribution Network

Description: Check Point Research uncovered a sophisticated malware distribution campaign operating on YouTube, dubbed the YouTube Ghost Network. This network utilizes over 3,000 malicious videos to spread malware, primarily targeting users seeking game cheats and pirated software. The operation involves compromised accounts with specific roles: video uploaders, community posters, and interaction simulators. The network has been active since 2021, with a significant increase in activity in 2025. It mainly distributes infostealer malware, with Lumma and Rhadamanthys being prevalent. The campaign employs various tactics to evade detection, including password-protected archives and frequent updates to payloads and C2 infrastructure. This research highlights the evolving nature of malware distribution methods and the need for enhanced cybersecurity measures.

Created at: 2025-10-23T13:51:01.754000

Updated at: 2025-11-22T13:02:55.206000

Agenda Ransomware Deploys Linux Variant on Windows Systems Through Remote Management Tools and BYOVD Techniques

Description: Agenda ransomware group, also known as Qilin, has been deploying a Linux-based ransomware binary on Windows hosts using legitimate remote management and file transfer tools. This cross-platform execution technique bypasses Windows-centric detections and security solutions. The attack chain includes the use of BYOVD for defense evasion, deployment of multiple SOCKS proxy instances for C&C traffic obfuscation, and targeted theft of backup credentials. Agenda has affected 591 victims across 58 countries since January 2025, primarily targeting organizations in developed markets and high-value industries. The group's sophisticated approach combines legitimate tools, cross-platform execution, and strategic targeting of backup infrastructure, making detection significantly more challenging for organizations.

Created at: 2025-10-23T13:51:01.240000

Updated at: 2025-11-22T13:02:55.206000