LATEST THREAT INTELLIGENCE.

AI/LLM-Generated Malware Used to Exploit React2Shell

Description: Darktrace identified an AI-generated malware sample exploiting the React2Shell vulnerability in its honeypot environment. The incident demonstrates how LLM-assisted development enables low-skill attackers to rapidly create effective exploitation tools. The attack chain involved spawning a container named 'python-metrics-collector' on an exposed Docker daemon, downloading and executing a Python script, and deploying a XMRig crypto miner. The malware sample featured thorough code documentation and lacked typical obfuscation, indicating AI generation. This highlights the growing trend of AI-enabled cyber threats that are now operational and accessible to anyone, posing new challenges for defenders.

Created at: 2026-02-10T17:46:07.573000

Updated at: 2026-03-12T17:22:30.481000

VoidLink: Dissecting an AI-Generated C2 Implant

Description: VoidLink is a Linux C2 framework that generates implant binaries for cloud and enterprise environments. The implant, likely built using an LLM coding agent, demonstrates advanced capabilities including multi-cloud targeting, container awareness, and kernel-level stealth. It fingerprints cloud environments across AWS, GCP, Azure, Alibaba Cloud, and Tencent Cloud, harvesting credentials and detecting container runtimes. The malware includes plugins for container escape and Kubernetes privilege escalation, as well as a kernel-level rootkit that adapts its approach based on the host's kernel version. C2 communications use AES-256-GCM over HTTPS, disguised as normal web traffic. VoidLink highlights the growing concern of LLM-generated implants reducing the skill barrier for producing sophisticated malware.

Created at: 2026-02-10T17:46:06.519000

Updated at: 2026-03-12T17:22:30.481000

Storm-2603 Exploits CVE-2026-23760 to Stage Warlock Ransomware

Description: A critical vulnerability in SmarterMail email server software (CVE-2026-23760) is being actively exploited by the China-based threat actor Storm-2603. The group uses this vulnerability to bypass authentication, reset administrator passwords, and gain full system control through the software's 'Volume Mount' feature. They then install Velociraptor, a legitimate digital forensics tool, to maintain access and prepare for deploying their Warlock ransomware. The attack chain involves exploiting the password reset API, abusing administrative features, and using legitimate tools to blend in with normal activity. This sophisticated approach allows the group to bypass detection mechanisms and establish persistence. The report also notes simultaneous exploitation attempts of another vulnerability (CVE-2026-24423) against the same targets, highlighting the urgent need for patching and improved security measures.

Created at: 2026-02-10T16:59:00.684000

Updated at: 2026-03-12T16:02:00.425000

Silent Push Traffic Origin Data Combined with Residential Proxy Data Uncovers Suspicious Chinese VPN

Description: An investigation using Silent Push's Traffic Origin and residential proxy data revealed a suspicious Chinese VPN provider. The analysis focused on IP address 205.198.91.155, which showed unusual traffic from Russia, China, Myanmar, Iran, and Venezuela. This IP was linked to the domain lvcha.in, hosting a Chinese-language VPN. Further investigation uncovered nearly 50 related domains promoting the same VPN, suggesting attempts to bypass country-level firewalls. The VPN's infrastructure was found to use residential proxies and had connections to various high-risk countries. This case study demonstrates the importance of verifying physical and technical behaviors of connections to protect against fraud and state-sponsored actors using stolen identities and spoofed locations.

Created at: 2026-02-10T09:09:44.803000

Updated at: 2026-03-12T09:10:27.567000

Investigation on the EmEditor Supply Chain Cyberattack

Description: A recent supply chain attack targeting EmEditor users has been uncovered, involving watering hole tactics. The investigation reveals multiple domains masquerading as EmEditor-related sites, all registered through NameSilo LLC in December 2025. The domains resolve to various IP addresses, with some changes observed in February 2026. Additional domains with similar patterns were discovered, along with peculiar HTTP header behavior. A potential early stage of the campaign was identified, sharing similar characteristics with the initial report. The attackers continued their activities even after exposure, utilizing PowerShell scripts and various domains for command and control purposes. The analysis provides a comprehensive list of indicators, including domain names, IP addresses, and file hashes associated with the attack.

Created at: 2026-02-09T14:52:16.312000

Updated at: 2026-03-11T14:03:26.774000

Microsoft OAuth Device Code Phishing

Description: A new phishing technique abusing Microsoft's OAuth Device Code flow is on the rise, with over 180 phishing URLs detected in a week. This method shifts from credential theft to token-based account takeover, making detection more challenging. Attackers initiate a device authorization process, tricking victims into approving it on legitimate Microsoft pages. The attack uses encrypted HTTPS traffic and legitimate authentication flows, bypassing traditional phishing indicators. Victims unknowingly grant attackers access to their Microsoft 365 accounts through OAuth tokens. This poses a critical risk as it allows immediate access to corporate data and resources, potentially leading to business email compromise and persistent access through refresh tokens.

Created at: 2026-03-11T06:17:03.540000

Updated at: 2026-03-11T10:19:13.935000

Iranian MOIS Actors & the Cyber Crime Connection

Description: Iranian intelligence services are increasingly engaging with the cyber crime ecosystem, leveraging criminal tools, services, and operational models to support state objectives. This trend is particularly evident among actors linked to the Ministry of Intelligence and Security (MOIS), such as Void Manticore and MuddyWater. These actors are not merely imitating criminal behavior but actively associating with the cyber criminal ecosystem, using its infrastructure, malware, and affiliate-style relationships. This approach enhances their operational capabilities, complicates attribution, and contributes to confusion around Iranian threat activity. Examples include the use of ransomware branding, commercial infostealers, and overlaps with criminal malware clusters. This shift from imitation to active engagement with cyber crime offers both improved deniability and expanded technical capabilities for Iranian actors.

Created at: 2026-03-10T21:10:43.542000

Updated at: 2026-03-11T10:12:34.364000

KadNap Malware Turning Asus Routers Into Botnets

Description: A sophisticated new malware called KadNap has been discovered targeting Asus routers and conscripting them into a botnet for proxying malicious traffic. The malware employs a custom version of the Kademlia Distributed Hash Table protocol to conceal its command-and-control infrastructure within a peer-to-peer system, evading traditional network monitoring. The botnet, which has grown to over 14,000 infected devices, is marketed by a proxy service called Doppelganger, tailored for criminal activity. More than 60% of KadNap's victims are based in the United States. The malware demonstrates versatility by targeting various edge networking devices and employing different C2 servers for different victim types.

Created at: 2026-03-11T10:02:07.876000

Updated at: 2026-03-11T10:06:18.797000

A security alert regarding APT-C-28 (ScarCruft) using MiradorShell to launch a cyberattack.

Description: A recent investigation reveals that the APT-C-28 (ScarCruft) group has expanded its targets to include the cryptocurrency industry. The group employs sophisticated phishing tactics, using LNK files disguised as PDFs to lure victims with investment proposals ranging from $1-3 million. Upon execution, a multi-stage payload deployment occurs, ultimately installing MiradorShell v2.0 to gain system control. The attack chain involves file downloads, decryption, and the creation of scheduled tasks for persistence. MiradorShell, an AutoIt-based backdoor, connects to a command and control server, offering reverse shell capabilities, file management, remote program execution, and victim fingerprinting. The malware employs various evasion techniques, including inline library files and direct API calls.

Created at: 2026-02-09T10:18:26.280000

Updated at: 2026-03-11T10:00:03.773000

Tenant from Hell: Prometei's Unauthorized Stay in Your Windows Server

Description: eSentire's Threat Response Unit detected Prometei botnet activity on a customer's Windows Server in the Construction industry. Prometei, a Russian-origin botnet active since 2016, features remote control, credential harvesting, crypto-mining, lateral movement, and C2 communication over clearweb and TOR. The malware uses complex encryption, including rolling XOR and RC4, for payload decryption and C2 communications. It establishes persistence as a Windows service, creates firewall exceptions, and downloads additional modules for specialized functions like credential theft and TOR routing. The attack likely began with compromised RDP credentials, followed by the execution of a malicious command to download and run the Prometei payload.

Created at: 2026-02-09T10:17:26.978000

Updated at: 2026-03-11T10:00:03.773000