LATEST THREAT INTELLIGENCE.

Evasive SideWinder APT Campaign Detected

Description: A sophisticated espionage campaign targeting Indian entities has been identified, masquerading as the Income Tax Department of India. The activity is associated with the SideWinder APT group, which has evolved its toolkit to evade detection by mimicking Chinese enterprise software. The campaign uses DLL side-loading techniques with legitimate Microsoft Defender binaries to bypass EDR, and utilizes public cloud storage and URL shorteners to evade reputation-based detections. The threat actors employ geofencing behavior, focusing on systems in South Asian timezones. The attack chain includes phishing emails, fraudulent websites, and malicious payloads delivered through file-sharing services. The final stage involves a resident agent that beacons to a command-and-control server, mimicking Chinese endpoint tool protocols.

Created at: 2025-12-20T17:19:05.570000

Updated at: 2026-01-19T17:03:32.999000

Infrastructure of Interest: Medium Confidence Detection

Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.

Created at: 2025-08-07T07:39:42.586000

Updated at: 2026-01-19T16:09:42.277000

Infrastructure of Interest: Medium Confidence Command And Control

Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with command and control (C2) infrastructure, facilitating malware communication, data exfiltration, and persistent threat actor operations. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.

Created at: 2025-08-07T07:29:37.542000

Updated at: 2026-01-19T16:08:43.968000

VoidLink threat analysis: C2-compiled kernel rootkits discovered

Description: The Sysdig Threat Research Team analyzed VoidLink, a sophisticated Linux malware framework targeting cloud environments. Key findings include the first documented server-side rootkit compilation, development by Chinese-speaking authors with AI assistance, adaptive detection evasion, and use of the Zig programming language. VoidLink employs a multi-stage loader architecture, fileless execution techniques, and kernel-level stealth mechanisms. It features three control channels, including a covert ICMP channel, and specialized functionality for cloud and container environments. Despite its sophistication, VoidLink can be detected using runtime monitoring tools. The malware shows indicators of Chinese-speaking developers with significant kernel expertise, likely using AI-assisted development methods.

Created at: 2026-01-19T09:35:38.065000

Updated at: 2026-01-19T09:51:15.719000

Analyzing the MonetaStealer macOS Threat

Description: Security researchers discovered a suspicious Mach-O binary masquerading as a Windows .exe file, named MonetaStealer. This PyInstaller-compiled malware targets macOS systems and is believed to be in early development. MonetaStealer focuses on stealing Chrome browser data, cryptocurrency wallet information, Wi-Fi credentials, keychain items, financial documents, SSH private keys, and clipboard content. It uses deceptive naming conventions and targets specific file paths to gather sensitive information. The malware employs various techniques to extract data, including querying SQLite databases, using regex patterns, and executing system commands. Exfiltration is attempted via Telegram, although researchers did not observe successful file uploads. A Windows variant was also identified but contained non-functional code. The threat highlights the ongoing prevalence of stealers in the macOS landscape.

Created at: 2026-01-19T09:41:58.778000

Updated at: 2026-01-19T09:49:26.061000

New Remcos Campaign Distributed Through Fake Shipping Document

Description: A new phishing campaign has been discovered that delivers a fileless variant of the Remcos RAT. The attack begins with an email impersonating a Vietnamese shipping company, luring victims to open a malicious Word document. This document retrieves a remote RTF file, exploits a vulnerability, and executes VBScript and PowerShell code, resulting in the in-memory loading of a .NET module. The module acts as both a loader and persistence mechanism for the Remcos payload. The Remcos variant (version 7.0.4 Pro) is downloaded into memory and injected into a legitimate system process via process hollowing. It offers extensive remote control capabilities across six categories, including system management, surveillance, networking, communication, and agent control. The analysis details the infection chain, payload structure, and Remcos features, providing insights into this sophisticated attack methodology.

Created at: 2026-01-19T09:40:15.573000

Updated at: 2026-01-19T09:48:37.669000

Targeted espionage leveraging geopolitical themes

Description: A targeted malware campaign against U.S. government entities has been observed, utilizing a politically themed ZIP archive containing a loader executable and a malicious DLL. The DLL functions as a backdoor named LOTUSLITE, communicating with a hard-coded command-and-control server. The campaign demonstrates minimal technical sophistication but shows deliberate victim selection and use of geopolitical lures. Attribution analysis suggests moderate-confidence overlap with Mustang Panda tradecraft, including delivery style, loader-DLL separation, and infrastructure usage. The backdoor supports basic remote tasking and data exfiltration, indicating an espionage-focused capability. This activity reflects a trend of targeted spear phishing using geopolitical themes and reliable execution techniques like DLL sideloading.

Created at: 2026-01-15T12:03:35.838000

Updated at: 2026-01-19T09:27:25.862000

Dissecting CrashFix: A New Toy

Description: KongTuke, a threat actor tracked since 2025, has launched a new campaign using a malicious browser extension called NexShield that impersonates uBlock Origin Lite. The extension causes browser crashes and displays fake security warnings to trick users into executing malicious commands. The campaign targets both home and corporate users, with domain-joined machines receiving a more sophisticated Python-based RAT named ModeloRAT. The attack chain involves multiple stages of obfuscation, anti-analysis techniques, and a Domain Generation Algorithm (DGA) for C2 communication. KongTuke employs extensive fingerprinting to avoid detection in analysis environments. The campaign demonstrates evolving social engineering tactics and a focus on infiltrating enterprise networks for potential lateral movement and data exfiltration.

Created at: 2026-01-17T13:17:09.602000

Updated at: 2026-01-19T09:24:59.356000

PDFSIDER Malware - Exploitation of DLL Side-Loading for AV and EDR Evasion

Description: PDFSIDER is a newly identified malware variant that utilizes DLL side-loading to deploy a covert backdoor with encrypted command-and-control capabilities. It exploits vulnerabilities in legitimate software like PDF24 Creator to bypass endpoint detection mechanisms. The malware operates primarily in memory, minimizing disk artifacts, and employs advanced anti-VM technology to evade sandboxes and analysis labs. PDFSIDER features a robust cryptographic implementation using the Botan library for secure communications. It gathers system information and provides attackers with an interactive, hidden command shell for remote execution. The malware's characteristics align with APT tradecraft, suggesting its use in cyber-espionage operations. Distribution occurs through spear-phishing emails containing ZIP archives with legitimate-looking executables.

Created at: 2026-01-18T18:38:18.515000

Updated at: 2026-01-19T09:21:54.878000

Operation Poseidon: Spear-Phishing Attacks Abusing Google Ads Redirection Mechanisms

Description: Operation Poseidon is a sophisticated spear-phishing campaign attributed to the Konni APT group. The attackers exploit Google Ads redirection mechanisms to bypass security filters and user awareness. They compromise poorly secured WordPress sites for malware distribution and C2 infrastructure. The campaign uses social engineering tactics, impersonating North Korean human rights organizations and financial institutions. Malware is delivered through LNK files disguised as PDF documents, executing AutoIt scripts that load EndRAT variants. The attackers employ advanced evasion techniques, including email content padding and abuse of legitimate advertising URLs. The campaign demonstrates evolving tactics and infrastructure reuse consistent with previous Konni activities.

Created at: 2026-01-18T18:38:17.948000

Updated at: 2026-01-19T09:19:57.246000