LATEST THREAT INTELLIGENCE.
Fake Tech Support Delivers Havoc Command & Control
Description: A sophisticated cyber attack campaign combines social engineering and advanced malware techniques. Attackers pose as IT support to gain initial access, then deploy a modified version of the Havoc C2 framework. The malware uses DLL sideloading, indirect syscalls, and custom loaders to evade detection. After compromising the initial system, the attackers rapidly move laterally, establishing persistence through scheduled tasks and legitimate remote monitoring tools. The campaign demonstrates a blend of human-centric initial access methods and advanced technical evasion techniques, highlighting the need for comprehensive security measures spanning user awareness and technical controls.
Created at: 2026-03-05T12:32:01.346000
Updated at: 2026-03-05T16:22:25.077000
MuddyWater Exposed: Inside an Iranian APT operation
Description: Researchers identified and analyzed exposed infrastructure of MuddyWater, an Iranian cyber espionage group linked to the Ministry of Intelligence and Security. The investigation revealed their reconnaissance methods, exploitation of vulnerabilities, custom command and control frameworks, and exfiltration techniques. Targets included organizations in Israel, Jordan, Egypt, UAE, Portugal, and the US. Notable findings include the use of Ethereum smart contracts for C2 communication, multiple custom C2 frameworks, and exploitation of various CVEs. The group showed a pattern of rapid adoption of public exploits and development of custom tools, while also exhibiting operational security failures that enabled this research.
Created at: 2026-03-05T15:18:30.318000
Updated at: 2026-03-05T15:50:15.941000
Using SSL Certificates and Graph Theory to Uncover Threat Actors
Description: Researchers at Infoblox have developed an advanced technique leveraging graph theory and SSL certificates to uncover threat actor operational relationships. The approach analyzes Certificate Transparency logs, using the Subject Alternative Name field in certificates to identify domains under common control. By modeling domains as nodes and certificate relationships as edges, the system reveals comprehensive threat infrastructures. This method enables discovery of new malicious domains, consolidation of threat actor identities, and early detection of emerging threats. The system processes millions of certificates daily, providing actionable intelligence on threat actor operations across various types of cybercriminal activities.
Created at: 2026-03-04T19:42:41.028000
Updated at: 2026-03-05T09:38:32.181000
Iranian APT Infrastructure in Focus: Mapping State-Aligned Clusters During Geopolitical Escalation
Description: The analysis examines Iranian state-aligned threat actors and their infrastructure patterns during heightened geopolitical tensions. It focuses on mapping network infrastructure, ASN patterns, TLS fingerprints, and hosting clusters associated with various Iranian APT groups. The report highlights the importance of proactive infrastructure monitoring to detect and disrupt potential cyber operations. Key findings include the identification of previously unreported hosts, domains, and servers linked to Iranian operations, as well as insights into the tactics used by groups like MuddyWater and Dark Scepter. The article emphasizes the value of infrastructure intelligence in early threat detection and provides recommendations for organizations to monitor and defend against these threats.
Created at: 2026-03-04T19:42:41.596000
Updated at: 2026-03-05T09:37:37.726000
Inside Tycoon2FA: How a leading AiTM phishing kit operated at scale
Description: Tycoon2FA emerged as a prominent phishing-as-a-service platform in August 2023, enabling large-scale campaigns targeting over 500,000 organizations monthly. Developed by Storm-1747, it provided adversary-in-the-middle capabilities to bypass multifactor authentication. The kit allowed impersonation of trusted brands like Microsoft 365 and Gmail, intercepting session cookies and credentials. It employed sophisticated evasion techniques including anti-bot screening, browser fingerprinting, and custom CAPTCHAs. Tycoon2FA's infrastructure evolved to use diverse, short-lived domains and complex redirect chains. Its success stemmed from closely mimicking legitimate authentication processes while covertly intercepting user credentials and session tokens.
Created at: 2026-03-04T19:42:43.068000
Updated at: 2026-03-05T09:36:06.609000
The Chrysalis Backdoor: A Deep Dive into Lotus Blossom's toolkit
Description: Rapid7 Labs has uncovered a sophisticated campaign attributed to the Chinese APT group Lotus Blossom, involving a new custom backdoor named Chrysalis. The attack compromised Notepad++ infrastructure to deliver the backdoor. Analysis revealed multiple custom loaders, including one using Microsoft Warbird for obfuscation. The Chrysalis backdoor has extensive capabilities for information gathering, file operations, and remote command execution. Additional artifacts found include Cobalt Strike beacons and Metasploit payloads. The campaign shows Lotus Blossom evolving its tactics, mixing custom and off-the-shelf tools with advanced obfuscation techniques to evade detection.
Created at: 2026-02-03T08:21:04.364000
Updated at: 2026-03-05T08:00:11.198000
Infostealers without borders: macOS, Python stealers, and platform abuse
Description: Infostealer threats are expanding beyond Windows, targeting macOS and leveraging cross-platform languages like Python. Recent campaigns use social engineering to deploy macOS-specific infostealers such as DigitStealer, MacSync, and AMOS. These stealers use fileless execution and native macOS utilities to harvest credentials and sensitive data. Python-based stealers are also on the rise, allowing attackers to quickly adapt and target diverse environments. Additionally, threat actors are abusing trusted platforms like WhatsApp and PDF converter tools to distribute malware such as Eternidade Stealer. These evolving threats blend into legitimate ecosystems and evade conventional defenses, posing significant risks to organizations across various operating systems and delivery channels.
Created at: 2026-02-02T22:44:53.887000
Updated at: 2026-03-04T22:03:27.299000
Infrastructure of Interest: Medium Confidence FastFlux
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous DNS patterns, behavioral analysis of rapid IP rotation, and cross-referenced intelligence from global sinkhole data and network telemetry. The IOCs included in this pulse are associated with Fastflux networks, characterized by constantly changing IP addresses and DNS records to evade detection while maintaining resilient malicious infrastructure for phishing, malware delivery, or C2 operations. Use this data to enhance DNS-based detection rules, identify flux parent domains, and disrupt threat actor network resilience. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:34:03.778000
Updated at: 2026-03-04T16:37:19.517000
Infrastructure of Interest: Medium Confidence InfoStealer
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with infostealer malware, designed to harvest sensitive data such as credentials, cookies, and financial information from compromised systems. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations involving data theft. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:31:55.617000
Updated at: 2026-03-04T16:37:18.785000
Infrastructure of Interest: Medium Confidence Command And Control
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with command and control (C2) infrastructure, facilitating malware communication, data exfiltration, and persistent threat actor operations. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:29:37.542000
Updated at: 2026-03-04T16:37:16.270000
