LATEST THREAT INTELLIGENCE.
Infrastructure of Interest: Medium Confidence Detection
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:39:42.586000
Updated at: 2025-11-12T11:13:27.123000
Infrastructure of Interest: Medium Confidence FastFlux
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous DNS patterns, behavioral analysis of rapid IP rotation, and cross-referenced intelligence from global sinkhole data and network telemetry. The IOCs included in this pulse are associated with fast-flux networks, characterized by constantly changing IP addresses and DNS records to evade detection while maintaining resilient malicious infrastructure for phishing, malware delivery, or C2 operations. Use this data to enhance DNS-based detection rules, identify flux parent domains, and disrupt threat actor network resilience. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:34:03.778000
Updated at: 2025-11-12T11:12:35.355000
Infrastructure of Interest: Medium Confidence InfoStealer
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with infostealer malware, designed to harvest sensitive data such as credentials, cookies, and financial information from compromised systems. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations involving data theft. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:31:55.617000
Updated at: 2025-11-12T11:12:33.081000
Analyzing the Link Between Two Evolving Brazilian Banking Trojans
Description: This intelligence report examines the connection between two Brazilian banking trojans, Maverick and Coyote. The malware spreads through WhatsApp, using a multi-stage attack that begins with a malicious LNK file. Both trojans share similarities in their infection methods, targeting Brazilian users and banks. The attack chain involves obfuscated PowerShell commands, downloading additional payloads from command and control servers. The malware employs anti-analysis techniques and targets specific browsers. Persistence is achieved through a batch file in the startup folder. The report provides technical details, including code samples and infection chain analysis, as well as indicators of compromise for the identified malware campaign.
Created at: 2025-11-12T09:45:13.946000
Updated at: 2025-11-12T09:47:38.934000
Thousands of Fake Hotel Domains Used in Massive Phishing Campaign
Description: A Russian-speaking threat actor has orchestrated a large-scale phishing campaign targeting travelers by registering over 4,300 domain names since early 2025. The sophisticated operation impersonates major travel brands like Airbnb and Booking.com to steal payment card data. The phishing sites use customized pages based on unique URL strings, fake CAPTCHA systems, and multilingual translations to appear legitimate. The campaign employs malicious emails with links that redirect through multiple sites before reaching the phishing page. The attacker consistently registers new domains, focusing on specific registrars and using naming conventions that incorporate travel-related terms and hotel names. The phishing kit includes real-time data collection and Russian language elements in the source code.
Created at: 2025-11-11T18:26:17.167000
Updated at: 2025-11-11T18:31:27.495000
Infrastructure of Interest: Medium Confidence Command And Control
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with command and control (C2) infrastructure, facilitating malware communication, data exfiltration, and persistent threat actor operations. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:29:37.542000
Updated at: 2025-11-11T17:41:27.053000
Infrastructure of Interest: Medium Confidence Phishing
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with phishing campaigns, targeting credential theft and fraudulent resource access. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:20:01.253000
Updated at: 2025-11-11T17:41:26.012000
Tracking FileFix, Shadow Vector, and SideWinder
Description: This intelligence report details collaborative research between Acronis Threat Research Unit and VirusTotal on three emerging cyber threats. FileFix, a variant of ClickFix, uses malicious websites to trick victims into running commands copied to their clipboard. Shadow Vector targets Colombian users with SVG images disguised as court summonses containing links to malicious payloads. SideWinder, a South Asian threat actor, continues to exploit old vulnerabilities in document-based attacks on government and defense entities. The report highlights the use of VirusTotal's platform for threat hunting, including content searching, metadata filtering, and YARA rule creation to track these campaigns and uncover their tactics and infrastructure.
Created at: 2025-11-10T16:26:04.317000
Updated at: 2025-11-11T09:54:42.940000
Unauthenticated Remote Access via Triofox Vulnerability CVE-2025-12480
Description: A critical vulnerability in Gladinet's Triofox file-sharing platform, CVE-2025-12480, allowed unauthenticated access to configuration pages, enabling arbitrary payload execution. Threat actor UNC6485 exploited this flaw as early as August 24, 2025, bypassing authentication and chaining it with abuse of the built-in anti-virus feature for code execution. The vulnerability affected Triofox version 16.4.10317.56372 and was patched in version 16.7.10368.56560. Attackers created admin accounts, deployed remote access tools, conducted reconnaissance, and attempted privilege escalation. They used Zoho UEMS, Zoho Assist, and AnyDesk for remote access, and set up encrypted tunnels for C2 communication. The exploit chain involved HTTP Host header manipulation and abuse of the built-in anti-virus feature to execute malicious scripts.
Created at: 2025-11-10T21:58:59.342000
Updated at: 2025-11-11T09:52:36.091000
Fantasy Hub: Another Russian-Based RAT as Malware-as-a-Service
Description: A new Android Remote Access Trojan called Fantasy Hub has been identified, sold on Russian-language channels as a Malware-as-a-Service (MaaS) subscription. The malware offers extensive device control and espionage capabilities, including SMS exfiltration, contact theft, call log access, and bulk image and video theft. It can intercept, reply to, and delete incoming notifications. The spyware is promoted online with detailed capabilities and instructions for creating fake Google Play pages to evade detection. Fantasy Hub targets financial institutions, deploying fake windows to obtain banking credentials. The MaaS model includes seller documentation, videos, and a bot-driven subscription system, making it accessible to novice attackers.
Created at: 2025-11-10T11:34:25.413000
Updated at: 2025-11-10T11:36:09.510000