LATEST THREAT INTELLIGENCE.
Access granted: phishing with device code authorization for account takeover
Description: Multiple threat clusters, including state-aligned and financially motivated actors, are using phishing tools to trick users into granting access to Microsoft 365 accounts via OAuth device code authorization. This technique leads to account takeovers, data exfiltration, and further compromises. Threat actors are abusing the OAuth 2.0 device authorization grant flow to gain unauthorized access by tricking victims into approving various applications. Campaigns often begin with an initial message containing a URL, which initiates an attack sequence using Microsoft's legitimate device authorization process. Tools like SquarePhish2 and Graphish are being used to facilitate these attacks. Both cybercriminal groups and state-aligned actors have adopted this technique, with Russia-aligned threat actors being particularly active.
Created at: 2025-12-18T13:28:15.638000
Updated at: 2025-12-18T15:44:46.244000
Infrastructure of Interest: Medium Confidence Phishing
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with phishing campaigns targeting credential theft and fraudulent resource access. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:20:01.253000
Updated at: 2025-12-18T14:11:46.649000
Inside DPRK Operations: New Infrastructure Uncovered Across Global Campaigns
Description: North Korean state-sponsored threat actors, including Lazarus and Kimsuky, continue to conduct widespread hacking operations for intelligence gathering, financial gain, and access. The investigation uncovered previously unconnected operational assets, revealing active tool-staging servers, credential theft environments, FRP tunneling nodes, and certificate-linked infrastructure. Key findings include a new Linux variant of the Badcall backdoor, extensive credential harvesting toolkits in open directories, and widespread deployment of Fast Reverse Proxy (FRP) instances. The analysis highlights consistent operational patterns across DPRK campaigns, such as reusing infrastructure, deploying identical FRP configurations, and leveraging shared certificates, providing defenders with actionable intelligence to proactively track DPRK activity.
Created at: 2025-12-18T09:40:34.326000
Updated at: 2025-12-18T13:25:23.365000
Frontline Intelligence: Analysis of UNC1549 TTPs, Custom Tools, and Malware Targeting the Aerospace and Defense Ecosystem
Description: UNC1549, an Iranian-linked threat group, has been targeting aerospace, aviation, and defense industries since mid-2024. They employ sophisticated initial access techniques, including exploiting third-party relationships and targeted phishing. The group uses custom malware like TWOSTROKE, LIGHTRAIL, and DEEPROOT for persistence, and tools like DCSYNCER.SLICK and CRASHPAD for privilege escalation. UNC1549 demonstrates advanced lateral movement, reconnaissance, and defense evasion tactics. They extensively use SSH reverse tunnels and Azure infrastructure for command and control. The group's primary objective appears to be espionage, focusing on data collection and leveraging compromised organizations to target others in the same sector.
Created at: 2025-11-18T02:11:13.651000
Updated at: 2025-12-18T02:03:21.499000
GachiLoader: Defeating Node.js Malware with API Tracing
Description: A new malware distribution campaign utilizing compromised YouTube accounts to spread infostealers has been identified. The campaign employs GachiLoader, a heavily obfuscated Node.js loader, to deploy the Rhadamanthys infostealer. GachiLoader implements anti-analysis techniques and uses a novel PE injection method called Vectored Overloading. To aid analysis, researchers developed an open-source Node.js tracer tool. The campaign has affected over 100 videos with 220,000 views across 39 compromised accounts since December 2024. The malware evades detection, elevates privileges, and disables Windows Defender before retrieving its payload.
Created at: 2025-12-17T21:22:38.282000
Updated at: 2025-12-17T23:09:04.273000
NuGet malware targets crypto wallets, OAuth tokens
Description: ReversingLabs discovered malicious packages on NuGet targeting the crypto ecosystem. The campaign, starting in July 2025, involved 14 packages impersonating legitimate crypto-related tools. The malware aimed to steal crypto funds by redirecting transactions or exfiltrating secrets for wallet access. Techniques used to appear trustworthy included homoglyphs, version bumping, and inflating download counts. The packages were divided into three groups: wallet stealers, crypto-funds stealers, and Google Ads OAuth stealers. This campaign highlights the ongoing exploitation of trust in the software supply chain, potentially affecting entire projects and communities relying on compromised dependencies.
Created at: 2025-12-17T21:22:37.621000
Updated at: 2025-12-17T23:07:24.825000
BlueDelta’s Persistent Campaign Against UKR.NET
Description: Between June 2024 and April 2025, a sustained credential-harvesting campaign targeting UKR.NET users was identified, attributed to the Russian state-sponsored threat group BlueDelta. The group deployed multiple credential-harvesting pages themed as UKR.NET login portals, leveraging free web services and proxy tunneling platforms to collect user credentials. BlueDelta distributed PDF lures with embedded links to evade detection. The campaign demonstrates the group's adaptability and persistent focus on Ukrainian user credentials for intelligence purposes. Infrastructure changes, including the transition to ngrok and Serveo, reflect responses to takedown efforts. The activity highlights the GRU's continued interest in compromising Ukrainian credentials amid ongoing conflict.
Created at: 2025-12-17T20:07:25.299000
Updated at: 2025-12-17T23:05:11.438000
UAT-9686 actively targets Cisco Secure Email Gateway and Secure Email and Web Manager
Description: A Chinese-nexus advanced persistent threat actor, UAT-9686, is actively targeting Cisco AsyncOS Software for Secure Email Gateway and Secure Email and Web Manager. The campaign, ongoing since late November 2025, exploits non-standard configurations to execute system-level commands and deploy a persistent Python-based backdoor called AquaShell. Additional tools observed include AquaTunnel for reverse SSH tunneling, chisel for TCP/UDP tunneling, and AquaPurge for log clearing. The attackers can execute encoded commands in the system shell and create reverse connections to attacker-controlled servers. This sophisticated attack aligns with tactics used by other Chinese APT groups, raising concerns about potential widespread impact on email security infrastructure.
Created at: 2025-12-17T20:07:24.241000
Updated at: 2025-12-17T23:02:26.582000
Parked Domains Become Weapons with Direct Search Advertising
Description: Parked domains are increasingly being weaponized through direct search advertising, posing significant risks to users. The investigation found that over 90% of visits to parked domains led to scams, malware, or unwanted content. Three key actors were identified: one using lookalike domains and mail collection, another employing sophisticated 'double fast flux' techniques, and a third exploiting DNS configuration typos. These actors actively profile visitors and selectively redirect traffic to malicious advertisers. The complexity of the advertising ecosystem makes it difficult to trace the origin of threats. Recent policy changes and the rise of AI may inadvertently increase risks associated with parked domains.
Created at: 2025-12-17T14:28:37.531000
Updated at: 2025-12-17T23:01:05.471000
From Linear to Complex: An Upgrade in RansomHouse Encryption
Description: RansomHouse, a ransomware-as-a-service operation run by Jolly Scorpius, has undergone a significant upgrade in encryption methods. The attack chain involves operators developing tools, attackers deploying ransomware, and victims being targeted. Two key components, MrAgent and Mario, are used to compromise virtualized environments. MrAgent manages deployments, while Mario encrypts files. The upgraded version of Mario features a more complex two-stage encryption process, improved memory management, and dynamic file processing. These enhancements make the ransomware more efficient and resilient to analysis, signaling a concerning trend in ransomware development that could influence future variants.
Created at: 2025-12-17T14:28:36.991000
Updated at: 2025-12-17T22:15:47.143000
