LATEST THREAT INTELLIGENCE.
New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices
Description: Unit 42 researchers have uncovered LANDFALL, a previously unknown Android spyware family targeting Samsung Galaxy devices. The spyware exploits CVE-2025-21042, a zero-day vulnerability in Samsung's image processing library, to deliver commercial-grade surveillance capabilities. LANDFALL is embedded in malicious DNG image files, likely distributed via WhatsApp, and enables comprehensive monitoring including microphone recording, location tracking, and data collection. The campaign shares infrastructure with known commercial spyware operations in the Middle East. The vulnerability has been patched, but the exploit chain remained active and undetected for months before discovery.
Created at: 2025-11-07T18:07:10.249000
Updated at: 2025-12-07T18:01:48.980000
Booking.com Phishing Campaign Targeting Hotels and Customers
Description: A sophisticated phishing campaign is targeting the hospitality industry, specifically Booking.com partners and their customers. The attackers first compromise hotel administrators' systems using malware like PureRAT, gaining access to booking management accounts. They then use this access to conduct fraudulent schemes against hotel guests, tricking them into paying twice for their reservations. The campaign employs spear-phishing emails impersonating Booking.com, redirecting victims to malicious sites using the ClickFix social engineering tactic. The attackers leverage a complex infrastructure including compromised legitimate websites, traffic distribution systems, and bulletproof hosting. This operation is part of a broader cybercrime ecosystem targeting booking platforms, with various specialized services being offered on underground forums to facilitate these attacks.
Created at: 2025-11-07T09:22:49.812000
Updated at: 2025-12-07T09:00:34.797000
Cavalry Werewolf hacker group attacks Russian state institutions
Description: A Russian government organization was targeted by the Cavalry Werewolf hacker group, aiming to collect confidential information and network data. The attack began with phishing emails containing malware disguised as documents. The group utilized various tools including backdoors, trojans, and modified legitimate programs. They employed open-source software, reverse-shell backdoors, and Telegram API for control. The attackers focused on information gathering, network configuration, and establishing persistence in compromised systems. Their tactics included using Windows built-in tools, modifying the registry, and exploiting public directories for malware deployment. The group's sophisticated approach and diverse toolset highlight the evolving threat landscape for government institutions.
Created at: 2025-11-07T09:07:15.179000
Updated at: 2025-12-07T09:00:34.797000
LeakyInjector and LeakyStealer Duo Hunts For Crypto and Browser History
Description: A new two-stage malware named LeakyInjector and LeakyStealer has been identified, targeting cryptocurrency wallets and browser history. LeakyInjector uses low-level APIs for injection to avoid detection and injects LeakyStealer into explorer.exe. LeakyStealer implements a polymorphic engine to modify its memory area at runtime. Both stages were signed with valid Extended Validation certificates. The malware performs reconnaissance on infected machines, targeting multiple crypto wallets, including browser extensions, and searches for browser history files from various browsers. It establishes persistence through registry manipulation and beacons to the C2 server at regular intervals. The malware exfiltrates sensitive data and can execute additional commands received from the C2 server.
Created at: 2025-11-07T09:02:26.236000
Updated at: 2025-12-07T09:00:34.797000
Infrastructure of Interest: Medium Confidence Detection
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level as to whether they are malicious. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:39:42.586000
Updated at: 2025-12-06T19:50:03.360000
Gootloader Returns: What Goodies Did They Bring?
Description: Gootloader, a sophisticated JavaScript-based malware loader, has resurfaced with renewed activity. Used by threat actor Storm-0494, it grants access to Vanilla Tempest, which delivers various ransomware families. Recent infections have led to rapid domain controller compromises. The loader now uses custom WOFF2 fonts with glyph substitution to obfuscate filenames and exploits WordPress comment endpoints for payload delivery. It has shifted to Startup folder persistence and employs extensive obfuscation techniques. Reconnaissance begins quickly after infection, followed by predictable attack patterns including AD enumeration, lateral movement, and potential ransomware preparation. The loader's delivery method and obfuscation techniques have evolved, making it more challenging to detect and analyze.
Created at: 2025-11-06T14:16:38.980000
Updated at: 2025-12-06T14:01:00.062000
Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors
Description: Google Threat Intelligence Group (GTIG) is tracking BRICKSTORM malware activity, which is being used to maintain persistent access to victim organizations in the United States. Since March 2025, Mandiant Consulting has responded to intrusions across a range of industry verticals, most notably legal services, Software as a Service (SaaS) providers, Business Process Outsourcers (BPOs), and technology. The value of these targets extends beyond typical espionage missions, potentially providing data to feed development of zero-days and establishing pivot points for broader access to downstream victims.
Created at: 2025-10-08T15:21:42.161000
Updated at: 2025-12-05T19:58:19.364000
China-nexus cyber threat groups rapidly exploit React2Shell vulnerability (CVE-2025-55182)
Description: Within hours of the public disclosure of CVE-2025-55182 (React2Shell) on December 3, 2025, Amazon threat intelligence teams observed active exploitation attempts by multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda. This critical vulnerability in React Server Components has a maximum Common Vulnerability Scoring System (CVSS) score of 10.0 and affects React versions 19.x and Next.js versions 15.x and 16.x when using App Router.
Created at: 2025-12-05T17:57:24.639000
Updated at: 2025-12-05T17:58:03.748000
Operation Dragon Breath (APT-Q-27): Dimensional Reduction Attack Against the Gambling Industry
Description: A threat group known as Golden Eye Dog (APT-Q-27) has been targeting individuals involved in gambling and related activities in Southeast Asia, as well as overseas Chinese communities. The group's operations include remote control, cryptocurrency mining, DDoS attacks, and traffic-related activities. Their malware samples are primarily distributed through Telegram groups, with strong anti-detection capabilities and highly targeted lures. The article describes new watering hole activities by the group, including the use of modified MSI installers for popular messaging apps like Telegram. The group has evolved its tactics since previous reports, making their operations more covert and difficult to detect. The analysis reveals the group's use of various programming languages and sophisticated techniques, suggesting it may be part of a larger, more advanced organization called Miuuti Group.
Created at: 2025-11-05T12:36:25.037000
Updated at: 2025-12-05T12:04:04.227000
Weaponized Military Documents Deliver Advanced SSH-Tor Backdoor
Description: A sophisticated cyber attack targeting the defense sector was identified in October 2025, utilizing a weaponized ZIP archive disguised as a military document. The multi-stage attack employs advanced evasion techniques and deploys a complex infrastructure combining OpenSSH for Windows with a customized Tor hidden service. The malware establishes persistent backdoor access, allowing anonymous remote access via SSH, RDP, SFTP, and SMB protocols. The lure document targets Belarusian Air Force drone experts, suggesting intelligence gathering on regional UAV capabilities. The attack's tactics, techniques, and procedures align with those of Sandworm (APT44), a Russian-linked APT group, although definitive attribution remains uncertain at this stage.
Created at: 2025-11-05T12:36:25.568000
Updated at: 2025-12-05T12:04:04.227000
