LATEST THREAT INTELLIGENCE.

Infrastructure of Interest: Medium Confidence Phishing

Description: These indicators of compromise (IOCs) were identified through LevelBlue Labs' proprietary collection and threat hunting processes, leveraging AI-driven heuristics to detect anomalous patterns, behavioral analysis of malicious activity, and cross-referenced intelligence from endpoint telemetry and external sources. The IOCs included in this pulse are associated with phishing campaigns, targeting credential theft and fraudulent resource access. Use this data to enhance detection rules, block malicious infrastructure, or correlate with existing incident investigations. These indicators have been assigned a medium confidence level regarding their maliciousness. They are therefore subject to further review, and feedback is greatly appreciated.

Created at: 2025-08-07T07:20:01.253000

Updated at: 2025-11-27T19:31:21.800000

Analysis of the Lumma infostealer

Description: The Lumma infostealer is a sophisticated malware distributed as Malware-as-a-Service, targeting Windows systems. It primarily steals sensitive data such as browser credentials, cryptocurrency wallets, and VPN/RDP accounts. Lumma is often used in the initial stages of multi-vector attacks, including ransomware and network breaches. The malware is distributed through phishing sites, disguised as pirated software, and uses complex techniques like NSIS packaging, AutoIt scripts, and process hollowing to evade detection. To combat this threat, organizations should implement behavior-based detection systems and integrate threat intelligence into their security strategies.

Created at: 2025-11-27T18:43:56.824000

Updated at: 2025-11-27T19:01:13.694000

Striking Panda Attacks: APT31 Today

Description: APT31, a Chinese cyber espionage group, has been actively targeting the Russian IT sector from 2024 to 2025, particularly companies working as contractors for government agencies. The group uses sophisticated tactics to remain undetected, including leveraging cloud services as command and control infrastructure and deploying new malware samples. APT31 demonstrates knowledge of target organizations' workflows, timing its attacks to coincide with holidays. They use a prepared script for lateral movement and have deployed new malware such as AufTime, COFFProxy, VtChatter, YaLeak, CloudyLoader and OneDriveDoor. The group employs various persistence techniques, credential access methods, and data exfiltration tools. APT31 continues to evolve its toolkit while maintaining some older tools, allowing it to remain undetected in victim networks for years while extracting sensitive data.

Created at: 2025-11-27T18:37:48.010000

Updated at: 2025-11-27T18:59:48.893000

Hidden Google Play Adware Drains Devices and Disrupts Millions of Users

Description: A large-scale Android adware campaign dubbed 'GhostAd' has been uncovered, affecting millions of users primarily in East and Southeast Asia. The campaign involved multiple apps on Google Play that appeared harmless but created persistent background advertising engines, draining device resources and disrupting normal phone use. These apps used foreground services, job schedulers, and continuous ad refreshing to maintain their presence even after users closed or rebooted their devices. The adware integrated multiple legitimate advertising SDKs but violated fair-use policies by continuously loading ads without user interaction. Users experienced battery drain, reduced performance, and difficulty in removing the apps. Google has since removed the identified apps from the Play Store and disabled them via Google Play Protect.

Created at: 2025-11-27T18:32:25.018000

Updated at: 2025-11-27T18:59:36.972000

Scattered Lapsus$ Hunters Take Aim At Zendesk Users

Description: A new campaign potentially linked to the Scattered Lapsus$ Hunters group is targeting Zendesk users. Over 40 typosquatted Zendesk domains have been discovered, featuring organizations' names or brands. These domains host phishing pages designed to harvest credentials. The campaign also involves submitting fraudulent tickets to Zendesk portals, aiming to infect support staff with remote access trojans. This follows similar attacks on other SaaS platforms like Salesforce. Discord may already be a victim, having suffered a breach via its Zendesk-based support system. Organizations are advised to implement strong authentication measures, conduct domain monitoring, and secure Zendesk chat to mitigate risks.

Created at: 2025-11-27T14:13:07.438000

Updated at: 2025-11-27T18:22:48.758000

Defending Against Sha1-Hulud: The Second Coming

Description: A new variant of the NPM supply chain attack, dubbed Sha1-Hulud, has emerged with enhanced capabilities. Unlike its predecessor, this attack executes in the preinstall phase, targeting popular packages such as Postman, Zapier, and AsyncAPI. The malware harvests credentials across AWS, Azure, and GCP, and establishes persistence through GitHub Actions. It creates a self-hosted runner named 'SHA1HULUD' and adds a workflow with an injection vulnerability. The attack's impact extends beyond the development environment, potentially allowing lateral movement across cloud infrastructures. Immediate actions recommended include removing compromised packages, revoking and regenerating tokens and credentials, and enforcing hardware-based MFA for developer accounts.

Created at: 2025-11-27T14:13:07.873000

Updated at: 2025-11-27T18:22:42.599000

Shai-hulud 2.0 Campaign Targets Cloud and Developer Ecosystems

Description: The Shai-hulud 2.0 campaign features an advanced malware variant that steals credentials and secrets from major cloud platforms and developer services. It automates the backdooring of NPM packages maintained by victims, enabling rapid propagation across the software supply chain. The malware targets AWS, GCP, and Azure credentials, as well as NPM tokens and GitHub authentication. It creates malicious GitHub Actions workflows for command-and-control and secret exfiltration. The campaign also leverages cloud secret management services and implements destructive failsafes. Its sophisticated tactics allow for stealthy compromise of developer ecosystems, potentially impacting thousands of downstream users.

Created at: 2025-11-27T14:13:08.415000

Updated at: 2025-11-27T18:19:36.174000

Care that you share

Description: This newsletter emphasizes the importance of thoughtful information sharing, especially during busy holiday periods. It highlights the risks of unintentional data leaks and increased phishing attempts during peak shopping seasons. The author recounts a positive experience sharing knowledge with university students, encouraging readers to overcome hesitation in sharing seemingly obvious information. The newsletter also announces ClamAV's initiative to retire outdated signatures, improving efficiency and reducing database sizes. It stresses the significance of maintaining open communication within teams, particularly when resources are limited, to support colleagues and enhance overall security awareness.

Created at: 2025-11-26T19:11:17.732000

Updated at: 2025-11-27T08:51:51.774000

Shai-Hulud 2.0: Aggressive & Automated, One Of Fastest Spreading NPM Supply Chain Attacks Ever Observed

Description: In November 2025, security researchers identified Shai-Hulud 2.0, an aggressive and automated supply-chain attack targeting the npm ecosystem. This second wave of the Shai-Hulud campaign demonstrated unprecedented automation and propagation speed, compromising hundreds of npm packages within hours. The malware behaves like a worm, automatically harvesting credentials and cloud secrets, and spreading to new npm accounts. It uses GitHub Actions as a persistent backdoor and creates public repositories for exfiltration. The attack represents a significant escalation in supply-chain attack sophistication, affecting major projects and organizations, and resulting in tens of thousands of attacker-created GitHub repositories.

Created at: 2025-11-27T03:00:54.933000

Updated at: 2025-11-27T08:50:41.538000

ShadowV2 Casts a Shadow Over IoT Devices

Description: A new Mirai variant called ShadowV2 has been observed spreading through IoT vulnerabilities during a global AWS disruption. The malware targeted multiple countries and industries worldwide, exploiting vulnerabilities in devices from vendors like DD-WRT, D-Link, Digiever, TBK, and TP-Link. ShadowV2 is designed for IoT devices and uses an XOR-encoded configuration to connect to a C2 server for receiving DDoS attack commands. The malware supports various attack methods, including UDP floods, TCP-based floods, and HTTP-level floods. This incident highlights the ongoing vulnerability of IoT devices and the need for timely firmware updates, robust security practices, and continuous threat monitoring.

Created at: 2025-11-27T07:37:54.726000

Updated at: 2025-11-27T08:48:40.401000